xref: /freebsd/contrib/unbound/validator/val_nsec3.c (revision 43a5ec4eb41567cc92586503212743d89686d78f)
1 /*
2  * validator/val_nsec3.c - validator NSEC3 denial of existence functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with NSEC3 checking, the different NSEC3 proofs
41  * for denial of existence, and proofs for presence of types.
42  */
43 #include "config.h"
44 #include <ctype.h>
45 #include "validator/val_nsec3.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/validator.h"
48 #include "validator/val_kentry.h"
49 #include "services/cache/rrset.h"
50 #include "util/regional.h"
51 #include "util/rbtree.h"
52 #include "util/module.h"
53 #include "util/net_help.h"
54 #include "util/data/packed_rrset.h"
55 #include "util/data/dname.h"
56 #include "util/data/msgreply.h"
57 /* we include nsec.h for the bitmap_has_type function */
58 #include "validator/val_nsec.h"
59 #include "sldns/sbuffer.h"
60 
61 /**
62  * This function we get from ldns-compat or from base system
63  * it returns the number of data bytes stored at the target, or <0 on error.
64  */
65 int sldns_b32_ntop_extended_hex(uint8_t const *src, size_t srclength,
66 	char *target, size_t targsize);
67 /**
68  * This function we get from ldns-compat or from base system
69  * it returns the number of data bytes stored at the target, or <0 on error.
70  */
71 int sldns_b32_pton_extended_hex(char const *src, size_t hashed_owner_str_len,
72 	uint8_t *target, size_t targsize);
73 
74 /**
75  * Closest encloser (ce) proof results
76  * Contains the ce and the next-closer (nc) proof.
77  */
78 struct ce_response {
79 	/** the closest encloser name */
80 	uint8_t* ce;
81 	/** length of ce */
82 	size_t ce_len;
83 	/** NSEC3 record that proved ce. rrset */
84 	struct ub_packed_rrset_key* ce_rrset;
85 	/** NSEC3 record that proved ce. rr number */
86 	int ce_rr;
87 	/** NSEC3 record that proved nc. rrset */
88 	struct ub_packed_rrset_key* nc_rrset;
89 	/** NSEC3 record that proved nc. rr*/
90 	int nc_rr;
91 };
92 
93 /**
94  * Filter conditions for NSEC3 proof
95  * Used to iterate over the applicable NSEC3 RRs.
96  */
97 struct nsec3_filter {
98 	/** Zone name, only NSEC3 records for this zone are considered */
99 	uint8_t* zone;
100 	/** length of the zonename */
101 	size_t zone_len;
102 	/** the list of NSEC3s to filter; array */
103 	struct ub_packed_rrset_key** list;
104 	/** number of rrsets in list */
105 	size_t num;
106 	/** class of records for the NSEC3, only this class applies */
107 	uint16_t fclass;
108 };
109 
110 /** return number of rrs in an rrset */
111 static size_t
112 rrset_get_count(struct ub_packed_rrset_key* rrset)
113 {
114         struct packed_rrset_data* d = (struct packed_rrset_data*)
115 	        rrset->entry.data;
116         if(!d) return 0;
117         return d->count;
118 }
119 
120 /** return if nsec3 RR has unknown flags */
121 static int
122 nsec3_unknown_flags(struct ub_packed_rrset_key* rrset, int r)
123 {
124         struct packed_rrset_data* d = (struct packed_rrset_data*)
125 	        rrset->entry.data;
126 	log_assert(d && r < (int)d->count);
127 	if(d->rr_len[r] < 2+2)
128 		return 0; /* malformed */
129 	return (int)(d->rr_data[r][2+1] & NSEC3_UNKNOWN_FLAGS);
130 }
131 
132 int
133 nsec3_has_optout(struct ub_packed_rrset_key* rrset, int r)
134 {
135         struct packed_rrset_data* d = (struct packed_rrset_data*)
136 	        rrset->entry.data;
137 	log_assert(d && r < (int)d->count);
138 	if(d->rr_len[r] < 2+2)
139 		return 0; /* malformed */
140 	return (int)(d->rr_data[r][2+1] & NSEC3_OPTOUT);
141 }
142 
143 /** return nsec3 RR algorithm */
144 static int
145 nsec3_get_algo(struct ub_packed_rrset_key* rrset, int r)
146 {
147         struct packed_rrset_data* d = (struct packed_rrset_data*)
148 	        rrset->entry.data;
149 	log_assert(d && r < (int)d->count);
150 	if(d->rr_len[r] < 2+1)
151 		return 0; /* malformed */
152 	return (int)(d->rr_data[r][2+0]);
153 }
154 
155 /** return if nsec3 RR has known algorithm */
156 static int
157 nsec3_known_algo(struct ub_packed_rrset_key* rrset, int r)
158 {
159         struct packed_rrset_data* d = (struct packed_rrset_data*)
160 	        rrset->entry.data;
161 	log_assert(d && r < (int)d->count);
162 	if(d->rr_len[r] < 2+1)
163 		return 0; /* malformed */
164 	switch(d->rr_data[r][2+0]) {
165 		case NSEC3_HASH_SHA1:
166 			return 1;
167 	}
168 	return 0;
169 }
170 
171 /** return nsec3 RR iteration count */
172 static size_t
173 nsec3_get_iter(struct ub_packed_rrset_key* rrset, int r)
174 {
175 	uint16_t i;
176         struct packed_rrset_data* d = (struct packed_rrset_data*)
177 	        rrset->entry.data;
178 	log_assert(d && r < (int)d->count);
179 	if(d->rr_len[r] < 2+4)
180 		return 0; /* malformed */
181 	memmove(&i, d->rr_data[r]+2+2, sizeof(i));
182 	i = ntohs(i);
183 	return (size_t)i;
184 }
185 
186 /** return nsec3 RR salt */
187 static int
188 nsec3_get_salt(struct ub_packed_rrset_key* rrset, int r,
189 	uint8_t** salt, size_t* saltlen)
190 {
191         struct packed_rrset_data* d = (struct packed_rrset_data*)
192 	        rrset->entry.data;
193 	log_assert(d && r < (int)d->count);
194 	if(d->rr_len[r] < 2+5) {
195 		*salt = 0;
196 		*saltlen = 0;
197 		return 0; /* malformed */
198 	}
199 	*saltlen = (size_t)d->rr_data[r][2+4];
200 	if(d->rr_len[r] < 2+5+(size_t)*saltlen) {
201 		*salt = 0;
202 		*saltlen = 0;
203 		return 0; /* malformed */
204 	}
205 	*salt = d->rr_data[r]+2+5;
206 	return 1;
207 }
208 
209 int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r,
210 	int* algo, size_t* iter, uint8_t** salt, size_t* saltlen)
211 {
212 	if(!nsec3_known_algo(rrset, r) || nsec3_unknown_flags(rrset, r))
213 		return 0;
214 	if(!nsec3_get_salt(rrset, r, salt, saltlen))
215 		return 0;
216 	*algo = nsec3_get_algo(rrset, r);
217 	*iter = nsec3_get_iter(rrset, r);
218 	return 1;
219 }
220 
221 int
222 nsec3_get_nextowner(struct ub_packed_rrset_key* rrset, int r,
223 	uint8_t** next, size_t* nextlen)
224 {
225 	size_t saltlen;
226         struct packed_rrset_data* d = (struct packed_rrset_data*)
227 	        rrset->entry.data;
228 	log_assert(d && r < (int)d->count);
229 	if(d->rr_len[r] < 2+5) {
230 		*next = 0;
231 		*nextlen = 0;
232 		return 0; /* malformed */
233 	}
234 	saltlen = (size_t)d->rr_data[r][2+4];
235 	if(d->rr_len[r] < 2+5+saltlen+1) {
236 		*next = 0;
237 		*nextlen = 0;
238 		return 0; /* malformed */
239 	}
240 	*nextlen = (size_t)d->rr_data[r][2+5+saltlen];
241 	if(d->rr_len[r] < 2+5+saltlen+1+*nextlen) {
242 		*next = 0;
243 		*nextlen = 0;
244 		return 0; /* malformed */
245 	}
246 	*next = d->rr_data[r]+2+5+saltlen+1;
247 	return 1;
248 }
249 
250 size_t nsec3_hash_to_b32(uint8_t* hash, size_t hashlen, uint8_t* zone,
251 	size_t zonelen, uint8_t* buf, size_t max)
252 {
253 	/* write b32 of name, leave one for length */
254 	int ret;
255 	if(max < hashlen*2+1) /* quick approx of b32, as if hexb16 */
256 		return 0;
257 	ret = sldns_b32_ntop_extended_hex(hash, hashlen, (char*)buf+1, max-1);
258 	if(ret < 1)
259 		return 0;
260 	buf[0] = (uint8_t)ret; /* length of b32 label */
261 	ret++;
262 	if(max - ret < zonelen)
263 		return 0;
264 	memmove(buf+ret, zone, zonelen);
265 	return zonelen+(size_t)ret;
266 }
267 
268 size_t nsec3_get_nextowner_b32(struct ub_packed_rrset_key* rrset, int r,
269 	uint8_t* buf, size_t max)
270 {
271 	uint8_t* nm, *zone;
272 	size_t nmlen, zonelen;
273 	if(!nsec3_get_nextowner(rrset, r, &nm, &nmlen))
274 		return 0;
275 	/* append zone name; the owner name must be <b32>.zone */
276 	zone = rrset->rk.dname;
277 	zonelen = rrset->rk.dname_len;
278 	dname_remove_label(&zone, &zonelen);
279 	return nsec3_hash_to_b32(nm, nmlen, zone, zonelen, buf, max);
280 }
281 
282 int
283 nsec3_has_type(struct ub_packed_rrset_key* rrset, int r, uint16_t type)
284 {
285 	uint8_t* bitmap;
286 	size_t bitlen, skiplen;
287         struct packed_rrset_data* d = (struct packed_rrset_data*)
288 	        rrset->entry.data;
289 	log_assert(d && r < (int)d->count);
290 	skiplen = 2+4;
291 	/* skip salt */
292 	if(d->rr_len[r] < skiplen+1)
293 		return 0; /* malformed, too short */
294 	skiplen += 1+(size_t)d->rr_data[r][skiplen];
295 	/* skip next hashed owner */
296 	if(d->rr_len[r] < skiplen+1)
297 		return 0; /* malformed, too short */
298 	skiplen += 1+(size_t)d->rr_data[r][skiplen];
299 	if(d->rr_len[r] < skiplen)
300 		return 0; /* malformed, too short */
301 	bitlen = d->rr_len[r] - skiplen;
302 	bitmap = d->rr_data[r]+skiplen;
303 	return nsecbitmap_has_type_rdata(bitmap, bitlen, type);
304 }
305 
306 /**
307  * Iterate through NSEC3 list, per RR
308  * This routine gives the next RR in the list (or sets rrset null).
309  * Usage:
310  *
311  * size_t rrsetnum;
312  * int rrnum;
313  * struct ub_packed_rrset_key* rrset;
314  * for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset;
315  *	rrset=filter_next(filter, &rrsetnum, &rrnum))
316  *		do_stuff;
317  *
318  * Also filters out
319  * 	o unknown flag NSEC3s
320  * 	o unknown algorithm NSEC3s.
321  * @param filter: nsec3 filter structure.
322  * @param rrsetnum: in/out rrset number to look at.
323  * @param rrnum: in/out rr number in rrset to look at.
324  * @returns ptr to the next rrset (or NULL at end).
325  */
326 static struct ub_packed_rrset_key*
327 filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
328 {
329 	size_t i;
330 	int r;
331 	uint8_t* nm;
332 	size_t nmlen;
333 	if(!filter->zone) /* empty list */
334 		return NULL;
335 	for(i=*rrsetnum; i<filter->num; i++) {
336 		/* see if RRset qualifies */
337 		if(ntohs(filter->list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
338 			ntohs(filter->list[i]->rk.rrset_class) !=
339 			filter->fclass)
340 			continue;
341 		/* check RRset zone */
342 		nm = filter->list[i]->rk.dname;
343 		nmlen = filter->list[i]->rk.dname_len;
344 		dname_remove_label(&nm, &nmlen);
345 		if(query_dname_compare(nm, filter->zone) != 0)
346 			continue;
347 		if(i == *rrsetnum)
348 			r = (*rrnum) + 1; /* continue at next RR */
349 		else	r = 0;		/* new RRset start at first RR */
350 		for(; r < (int)rrset_get_count(filter->list[i]); r++) {
351 			/* skip unknown flags, algo */
352 			if(nsec3_unknown_flags(filter->list[i], r) ||
353 				!nsec3_known_algo(filter->list[i], r))
354 				continue;
355 			/* this one is a good target */
356 			*rrsetnum = i;
357 			*rrnum = r;
358 			return filter->list[i];
359 		}
360 	}
361 	return NULL;
362 }
363 
364 /**
365  * Start iterating over NSEC3 records.
366  * @param filter: the filter structure, must have been filter_init-ed.
367  * @param rrsetnum: can be undefined on call, initialised.
368  * @param rrnum: can be undefined on call, initialised.
369  * @return first rrset of an NSEC3, together with rrnum this points to
370  *	the first RR to examine. Is NULL on empty list.
371  */
372 static struct ub_packed_rrset_key*
373 filter_first(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
374 {
375 	*rrsetnum = 0;
376 	*rrnum = -1;
377 	return filter_next(filter, rrsetnum, rrnum);
378 }
379 
380 /** see if at least one RR is known (flags, algo) */
381 static int
382 nsec3_rrset_has_known(struct ub_packed_rrset_key* s)
383 {
384 	int r;
385 	for(r=0; r < (int)rrset_get_count(s); r++) {
386 		if(!nsec3_unknown_flags(s, r) && nsec3_known_algo(s, r))
387 			return 1;
388 	}
389 	return 0;
390 }
391 
392 /**
393  * Initialize the filter structure.
394  * Finds the zone by looking at available NSEC3 records and best match.
395  * 	(skips the unknown flag and unknown algo NSEC3s).
396  *
397  * @param filter: nsec3 filter structure.
398  * @param list: list of rrsets, an array of them.
399  * @param num: number of rrsets in list.
400  * @param qinfo:
401  *	query name to match a zone for.
402  *	query type (if DS a higher zone must be chosen)
403  *	qclass, to filter NSEC3s with.
404  */
405 static void
406 filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
407 	size_t num, struct query_info* qinfo)
408 {
409 	size_t i;
410 	uint8_t* nm;
411 	size_t nmlen;
412 	filter->zone = NULL;
413 	filter->zone_len = 0;
414 	filter->list = list;
415 	filter->num = num;
416 	filter->fclass = qinfo->qclass;
417 	for(i=0; i<num; i++) {
418 		/* ignore other stuff in the list */
419 		if(ntohs(list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
420 			ntohs(list[i]->rk.rrset_class) != qinfo->qclass)
421 			continue;
422 		/* skip unknown flags, algo */
423 		if(!nsec3_rrset_has_known(list[i]))
424 			continue;
425 
426 		/* since NSEC3s are base32.zonename, we can find the zone
427 		 * name by stripping off the first label of the record */
428 		nm = list[i]->rk.dname;
429 		nmlen = list[i]->rk.dname_len;
430 		dname_remove_label(&nm, &nmlen);
431 		/* if we find a domain that can prove about the qname,
432 		 * and if this domain is closer to the qname */
433 		if(dname_subdomain_c(qinfo->qname, nm) && (!filter->zone ||
434 			dname_subdomain_c(nm, filter->zone))) {
435 			/* for a type DS do not accept a zone equal to qname*/
436 			if(qinfo->qtype == LDNS_RR_TYPE_DS &&
437 				query_dname_compare(qinfo->qname, nm) == 0 &&
438 				!dname_is_root(qinfo->qname))
439 				continue;
440 			filter->zone = nm;
441 			filter->zone_len = nmlen;
442 		}
443 	}
444 }
445 
446 /**
447  * Find max iteration count using config settings and key size
448  * @param ve: validator environment with iteration count config settings.
449  * @param bits: key size
450  * @return max iteration count
451  */
452 static size_t
453 get_max_iter(struct val_env* ve, size_t bits)
454 {
455 	int i;
456 	log_assert(ve->nsec3_keyiter_count > 0);
457 	/* round up to nearest config keysize, linear search, keep it small */
458 	for(i=0; i<ve->nsec3_keyiter_count; i++) {
459 		if(bits <= ve->nsec3_keysize[i])
460 			return ve->nsec3_maxiter[i];
461 	}
462 	/* else, use value for biggest key */
463 	return ve->nsec3_maxiter[ve->nsec3_keyiter_count-1];
464 }
465 
466 /**
467  * Determine if any of the NSEC3 rrs iteration count is too high, from key.
468  * @param ve: validator environment with iteration count config settings.
469  * @param filter: what NSEC3s to loop over.
470  * @param kkey: key entry used for verification; used for iteration counts.
471  * @return 1 if some nsec3s are above the max iteration count.
472  */
473 static int
474 nsec3_iteration_count_high(struct val_env* ve, struct nsec3_filter* filter,
475 	struct key_entry_key* kkey)
476 {
477 	size_t rrsetnum;
478 	int rrnum;
479 	struct ub_packed_rrset_key* rrset;
480 	/* first determine the max number of iterations */
481 	size_t bits = key_entry_keysize(kkey);
482 	size_t max_iter = get_max_iter(ve, bits);
483 	verbose(VERB_ALGO, "nsec3: keysize %d bits, max iterations %d",
484 		(int)bits, (int)max_iter);
485 
486 	for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset;
487 		rrset=filter_next(filter, &rrsetnum, &rrnum)) {
488 		if(nsec3_get_iter(rrset, rrnum) > max_iter)
489 			return 1;
490 	}
491 	return 0;
492 }
493 
494 /* nsec3_cache_compare for rbtree */
495 int
496 nsec3_hash_cmp(const void* c1, const void* c2)
497 {
498 	struct nsec3_cached_hash* h1 = (struct nsec3_cached_hash*)c1;
499 	struct nsec3_cached_hash* h2 = (struct nsec3_cached_hash*)c2;
500 	uint8_t* s1, *s2;
501 	size_t s1len, s2len;
502 	int c = query_dname_compare(h1->dname, h2->dname);
503 	if(c != 0)
504 		return c;
505 	/* compare parameters */
506 	/* if both malformed, its equal, robustness */
507 	if(nsec3_get_algo(h1->nsec3, h1->rr) !=
508 		nsec3_get_algo(h2->nsec3, h2->rr)) {
509 		if(nsec3_get_algo(h1->nsec3, h1->rr) <
510 			nsec3_get_algo(h2->nsec3, h2->rr))
511 			return -1;
512 		return 1;
513 	}
514 	if(nsec3_get_iter(h1->nsec3, h1->rr) !=
515 		nsec3_get_iter(h2->nsec3, h2->rr)) {
516 		if(nsec3_get_iter(h1->nsec3, h1->rr) <
517 			nsec3_get_iter(h2->nsec3, h2->rr))
518 			return -1;
519 		return 1;
520 	}
521 	(void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len);
522 	(void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len);
523 	if(s1len == 0 && s2len == 0)
524 		return 0;
525 	if(!s1) return -1;
526 	if(!s2) return 1;
527 	if(s1len != s2len) {
528 		if(s1len < s2len)
529 			return -1;
530 		return 1;
531 	}
532 	return memcmp(s1, s2, s1len);
533 }
534 
535 size_t
536 nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
537 	size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, size_t max)
538 {
539 	size_t i, hash_len;
540 	/* prepare buffer for first iteration */
541 	sldns_buffer_clear(buf);
542 	sldns_buffer_write(buf, nm, nmlen);
543 	query_dname_tolower(sldns_buffer_begin(buf));
544 	sldns_buffer_write(buf, salt, saltlen);
545 	sldns_buffer_flip(buf);
546 	hash_len = nsec3_hash_algo_size_supported(algo);
547 	if(hash_len == 0) {
548 		log_err("nsec3 hash of unknown algo %d", algo);
549 		return 0;
550 	}
551 	if(hash_len > max)
552 		return 0;
553 	if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
554 		sldns_buffer_limit(buf), (unsigned char*)res))
555 		return 0;
556 	for(i=0; i<iter; i++) {
557 		sldns_buffer_clear(buf);
558 		sldns_buffer_write(buf, res, hash_len);
559 		sldns_buffer_write(buf, salt, saltlen);
560 		sldns_buffer_flip(buf);
561 		if(!secalgo_nsec3_hash(algo,
562 			(unsigned char*)sldns_buffer_begin(buf),
563 			sldns_buffer_limit(buf), (unsigned char*)res))
564 			return 0;
565 	}
566 	return hash_len;
567 }
568 
569 /** perform hash of name */
570 static int
571 nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
572 	struct nsec3_cached_hash* c)
573 {
574 	int algo = nsec3_get_algo(c->nsec3, c->rr);
575 	size_t iter = nsec3_get_iter(c->nsec3, c->rr);
576 	uint8_t* salt;
577 	size_t saltlen, i;
578 	if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen))
579 		return -1;
580 	/* prepare buffer for first iteration */
581 	sldns_buffer_clear(buf);
582 	sldns_buffer_write(buf, c->dname, c->dname_len);
583 	query_dname_tolower(sldns_buffer_begin(buf));
584 	sldns_buffer_write(buf, salt, saltlen);
585 	sldns_buffer_flip(buf);
586 	c->hash_len = nsec3_hash_algo_size_supported(algo);
587 	if(c->hash_len == 0) {
588 		log_err("nsec3 hash of unknown algo %d", algo);
589 		return -1;
590 	}
591 	c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
592 	if(!c->hash)
593 		return 0;
594 	(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
595 		sldns_buffer_limit(buf), (unsigned char*)c->hash);
596 	for(i=0; i<iter; i++) {
597 		sldns_buffer_clear(buf);
598 		sldns_buffer_write(buf, c->hash, c->hash_len);
599 		sldns_buffer_write(buf, salt, saltlen);
600 		sldns_buffer_flip(buf);
601 		(void)secalgo_nsec3_hash(algo,
602 			(unsigned char*)sldns_buffer_begin(buf),
603 			sldns_buffer_limit(buf), (unsigned char*)c->hash);
604 	}
605 	return 1;
606 }
607 
608 /** perform b32 encoding of hash */
609 static int
610 nsec3_calc_b32(struct regional* region, sldns_buffer* buf,
611 	struct nsec3_cached_hash* c)
612 {
613 	int r;
614 	sldns_buffer_clear(buf);
615 	r = sldns_b32_ntop_extended_hex(c->hash, c->hash_len,
616 		(char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf));
617 	if(r < 1) {
618 		log_err("b32_ntop_extended_hex: error in encoding: %d", r);
619 		return 0;
620 	}
621 	c->b32_len = (size_t)r;
622 	c->b32 = regional_alloc_init(region, sldns_buffer_begin(buf),
623 		c->b32_len);
624 	if(!c->b32)
625 		return 0;
626 	return 1;
627 }
628 
629 int
630 nsec3_hash_name(rbtree_type* table, struct regional* region, sldns_buffer* buf,
631 	struct ub_packed_rrset_key* nsec3, int rr, uint8_t* dname,
632 	size_t dname_len, struct nsec3_cached_hash** hash)
633 {
634 	struct nsec3_cached_hash* c;
635 	struct nsec3_cached_hash looki;
636 #ifdef UNBOUND_DEBUG
637 	rbnode_type* n;
638 #endif
639 	int r;
640 	looki.node.key = &looki;
641 	looki.nsec3 = nsec3;
642 	looki.rr = rr;
643 	looki.dname = dname;
644 	looki.dname_len = dname_len;
645 	/* lookup first in cache */
646 	c = (struct nsec3_cached_hash*)rbtree_search(table, &looki);
647 	if(c) {
648 		*hash = c;
649 		return 1;
650 	}
651 	/* create a new entry */
652 	c = (struct nsec3_cached_hash*)regional_alloc(region, sizeof(*c));
653 	if(!c) return 0;
654 	c->node.key = c;
655 	c->nsec3 = nsec3;
656 	c->rr = rr;
657 	c->dname = dname;
658 	c->dname_len = dname_len;
659 	r = nsec3_calc_hash(region, buf, c);
660 	if(r != 1)
661 		return r;
662 	r = nsec3_calc_b32(region, buf, c);
663 	if(r != 1)
664 		return r;
665 #ifdef UNBOUND_DEBUG
666 	n =
667 #else
668 	(void)
669 #endif
670 	rbtree_insert(table, &c->node);
671 	log_assert(n); /* cannot be duplicate, just did lookup */
672 	*hash = c;
673 	return 1;
674 }
675 
676 /**
677  * compare a label lowercased
678  */
679 static int
680 label_compare_lower(uint8_t* lab1, uint8_t* lab2, size_t lablen)
681 {
682 	size_t i;
683 	for(i=0; i<lablen; i++) {
684 		if(tolower((unsigned char)*lab1) != tolower((unsigned char)*lab2)) {
685 			if(tolower((unsigned char)*lab1) < tolower((unsigned char)*lab2))
686 				return -1;
687 			return 1;
688 		}
689 		lab1++;
690 		lab2++;
691 	}
692 	return 0;
693 }
694 
695 /**
696  * Compare a hashed name with the owner name of an NSEC3 RRset.
697  * @param flt: filter with zone name.
698  * @param hash: the hashed name.
699  * @param s: rrset with owner name.
700  * @return true if matches exactly, false if not.
701  */
702 static int
703 nsec3_hash_matches_owner(struct nsec3_filter* flt,
704 	struct nsec3_cached_hash* hash, struct ub_packed_rrset_key* s)
705 {
706 	uint8_t* nm = s->rk.dname;
707 	/* compare, does hash of name based on params in this NSEC3
708 	 * match the owner name of this NSEC3?
709 	 * name must be: <hashlength>base32 . zone name
710 	 * so; first label must not be root label (not zero length),
711 	 * and match the b32 encoded hash length,
712 	 * and the label content match the b32 encoded hash
713 	 * and the rest must be the zone name.
714 	 */
715 	if(hash->b32_len != 0 && (size_t)nm[0] == hash->b32_len &&
716 		label_compare_lower(nm+1, hash->b32, hash->b32_len) == 0 &&
717 		query_dname_compare(nm+(size_t)nm[0]+1, flt->zone) == 0) {
718 		return 1;
719 	}
720 	return 0;
721 }
722 
723 /**
724  * Find matching NSEC3
725  * Find the NSEC3Record that matches a hash of a name.
726  * @param env: module environment with temporary region and buffer.
727  * @param flt: the NSEC3 RR filter, contains zone name and RRs.
728  * @param ct: cached hashes table.
729  * @param nm: name to look for.
730  * @param nmlen: length of name.
731  * @param rrset: nsec3 that matches is returned here.
732  * @param rr: rr number in nsec3 rrset that matches.
733  * @return true if a matching NSEC3 is found, false if not.
734  */
735 static int
736 find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
737 	rbtree_type* ct, uint8_t* nm, size_t nmlen,
738 	struct ub_packed_rrset_key** rrset, int* rr)
739 {
740 	size_t i_rs;
741 	int i_rr;
742 	struct ub_packed_rrset_key* s;
743 	struct nsec3_cached_hash* hash = NULL;
744 	int r;
745 
746 	/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
747 	for(s=filter_first(flt, &i_rs, &i_rr); s;
748 		s=filter_next(flt, &i_rs, &i_rr)) {
749 		/* get name hashed for this NSEC3 RR */
750 		r = nsec3_hash_name(ct, env->scratch, env->scratch_buffer,
751 			s, i_rr, nm, nmlen, &hash);
752 		if(r == 0) {
753 			log_err("nsec3: malloc failure");
754 			break; /* alloc failure */
755 		} else if(r != 1)
756 			continue; /* malformed NSEC3 */
757 		else if(nsec3_hash_matches_owner(flt, hash, s)) {
758 			*rrset = s; /* rrset with this name */
759 			*rr = i_rr; /* matches hash with these parameters */
760 			return 1;
761 		}
762 	}
763 	*rrset = NULL;
764 	*rr = 0;
765 	return 0;
766 }
767 
768 int
769 nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash,
770 	struct ub_packed_rrset_key* rrset, int rr, sldns_buffer* buf)
771 {
772 	uint8_t* next, *owner;
773 	size_t nextlen;
774 	int len;
775 	if(!nsec3_get_nextowner(rrset, rr, &next, &nextlen))
776 		return 0; /* malformed RR proves nothing */
777 
778 	/* check the owner name is a hashed value . apex
779 	 * base32 encoded values must have equal length.
780 	 * hash_value and next hash value must have equal length. */
781 	if(nextlen != hash->hash_len || hash->hash_len==0||hash->b32_len==0||
782 		(size_t)*rrset->rk.dname != hash->b32_len ||
783 		query_dname_compare(rrset->rk.dname+1+
784 			(size_t)*rrset->rk.dname, zone) != 0)
785 		return 0; /* bad lengths or owner name */
786 
787 	/* This is the "normal case: owner < next and owner < hash < next */
788 	if(label_compare_lower(rrset->rk.dname+1, hash->b32,
789 		hash->b32_len) < 0 &&
790 		memcmp(hash->hash, next, nextlen) < 0)
791 		return 1;
792 
793 	/* convert owner name from text to binary */
794 	sldns_buffer_clear(buf);
795 	owner = sldns_buffer_begin(buf);
796 	len = sldns_b32_pton_extended_hex((char*)rrset->rk.dname+1,
797 		hash->b32_len, owner, sldns_buffer_limit(buf));
798 	if(len<1)
799 		return 0; /* bad owner name in some way */
800 	if((size_t)len != hash->hash_len || (size_t)len != nextlen)
801 		return 0; /* wrong length */
802 
803 	/* this is the end of zone case: next <= owner &&
804 	 * 	(hash > owner || hash < next)
805 	 * this also covers the only-apex case of next==owner.
806 	 */
807 	if(memcmp(next, owner, nextlen) <= 0 &&
808 		( memcmp(hash->hash, owner, nextlen) > 0 ||
809 		  memcmp(hash->hash, next, nextlen) < 0)) {
810 		return 1;
811 	}
812 	return 0;
813 }
814 
815 /**
816  * findCoveringNSEC3
817  * Given a name, find a covering NSEC3 from among a list of NSEC3s.
818  *
819  * @param env: module environment with temporary region and buffer.
820  * @param flt: the NSEC3 RR filter, contains zone name and RRs.
821  * @param ct: cached hashes table.
822  * @param nm: name to check if covered.
823  * @param nmlen: length of name.
824  * @param rrset: covering NSEC3 rrset is returned here.
825  * @param rr: rr of cover is returned here.
826  * @return true if a covering NSEC3 is found, false if not.
827  */
828 static int
829 find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
830         rbtree_type* ct, uint8_t* nm, size_t nmlen,
831 	struct ub_packed_rrset_key** rrset, int* rr)
832 {
833 	size_t i_rs;
834 	int i_rr;
835 	struct ub_packed_rrset_key* s;
836 	struct nsec3_cached_hash* hash = NULL;
837 	int r;
838 
839 	/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
840 	for(s=filter_first(flt, &i_rs, &i_rr); s;
841 		s=filter_next(flt, &i_rs, &i_rr)) {
842 		/* get name hashed for this NSEC3 RR */
843 		r = nsec3_hash_name(ct, env->scratch, env->scratch_buffer,
844 			s, i_rr, nm, nmlen, &hash);
845 		if(r == 0) {
846 			log_err("nsec3: malloc failure");
847 			break; /* alloc failure */
848 		} else if(r != 1)
849 			continue; /* malformed NSEC3 */
850 		else if(nsec3_covers(flt->zone, hash, s, i_rr,
851 			env->scratch_buffer)) {
852 			*rrset = s; /* rrset with this name */
853 			*rr = i_rr; /* covers hash with these parameters */
854 			return 1;
855 		}
856 	}
857 	*rrset = NULL;
858 	*rr = 0;
859 	return 0;
860 }
861 
862 /**
863  * findClosestEncloser
864  * Given a name and a list of NSEC3s, find the candidate closest encloser.
865  * This will be the first ancestor of 'name' (including itself) to have a
866  * matching NSEC3 RR.
867  * @param env: module environment with temporary region and buffer.
868  * @param flt: the NSEC3 RR filter, contains zone name and RRs.
869  * @param ct: cached hashes table.
870  * @param qinfo: query that is verified for.
871  * @param ce: closest encloser information is returned in here.
872  * @return true if a closest encloser candidate is found, false if not.
873  */
874 static int
875 nsec3_find_closest_encloser(struct module_env* env, struct nsec3_filter* flt,
876 	rbtree_type* ct, struct query_info* qinfo, struct ce_response* ce)
877 {
878 	uint8_t* nm = qinfo->qname;
879 	size_t nmlen = qinfo->qname_len;
880 
881 	/* This scans from longest name to shortest, so the first match
882 	 * we find is the only viable candidate. */
883 
884 	/* (David:) FIXME: modify so that the NSEC3 matching the zone apex need
885 	 * not be present. (Mark Andrews idea).
886 	 * (Wouter:) But make sure you check for DNAME bit in zone apex,
887 	 * if the NSEC3 you find is the only NSEC3 in the zone, then this
888 	 * may be the case. */
889 
890 	while(dname_subdomain_c(nm, flt->zone)) {
891 		if(find_matching_nsec3(env, flt, ct, nm, nmlen,
892 			&ce->ce_rrset, &ce->ce_rr)) {
893 			ce->ce = nm;
894 			ce->ce_len = nmlen;
895 			return 1;
896 		}
897 		dname_remove_label(&nm, &nmlen);
898 	}
899 	return 0;
900 }
901 
902 /**
903  * Given a qname and its proven closest encloser, calculate the "next
904  * closest" name. Basically, this is the name that is one label longer than
905  * the closest encloser that is still a subdomain of qname.
906  *
907  * @param qname: query name.
908  * @param qnamelen: length of qname.
909  * @param ce: closest encloser
910  * @param nm: result name.
911  * @param nmlen: length of nm.
912  */
913 static void
914 next_closer(uint8_t* qname, size_t qnamelen, uint8_t* ce,
915 	uint8_t** nm, size_t* nmlen)
916 {
917 	int strip = dname_count_labels(qname) - dname_count_labels(ce) -1;
918 	*nm = qname;
919 	*nmlen = qnamelen;
920 	if(strip>0)
921 		dname_remove_labels(nm, nmlen, strip);
922 }
923 
924 /**
925  * proveClosestEncloser
926  * Given a List of nsec3 RRs, find and prove the closest encloser to qname.
927  * @param env: module environment with temporary region and buffer.
928  * @param flt: the NSEC3 RR filter, contains zone name and RRs.
929  * @param ct: cached hashes table.
930  * @param qinfo: query that is verified for.
931  * @param prove_does_not_exist: If true, then if the closest encloser
932  * 	turns out to be qname, then null is returned.
933  * 	If set true, and the return value is true, then you can be
934  * 	certain that the ce.nc_rrset and ce.nc_rr are set properly.
935  * @param ce: closest encloser information is returned in here.
936  * @return bogus if no closest encloser could be proven.
937  * 	secure if a closest encloser could be proven, ce is set.
938  * 	insecure if the closest-encloser candidate turns out to prove
939  * 		that an insecure delegation exists above the qname.
940  */
941 static enum sec_status
942 nsec3_prove_closest_encloser(struct module_env* env, struct nsec3_filter* flt,
943 	rbtree_type* ct, struct query_info* qinfo, int prove_does_not_exist,
944 	struct ce_response* ce)
945 {
946 	uint8_t* nc;
947 	size_t nc_len;
948 	/* robust: clean out ce, in case it gets abused later */
949 	memset(ce, 0, sizeof(*ce));
950 
951 	if(!nsec3_find_closest_encloser(env, flt, ct, qinfo, ce)) {
952 		verbose(VERB_ALGO, "nsec3 proveClosestEncloser: could "
953 			"not find a candidate for the closest encloser.");
954 		return sec_status_bogus;
955 	}
956 	log_nametypeclass(VERB_ALGO, "ce candidate", ce->ce, 0, 0);
957 
958 	if(query_dname_compare(ce->ce, qinfo->qname) == 0) {
959 		if(prove_does_not_exist) {
960 			verbose(VERB_ALGO, "nsec3 proveClosestEncloser: "
961 				"proved that qname existed, bad");
962 			return sec_status_bogus;
963 		}
964 		/* otherwise, we need to nothing else to prove that qname
965 		 * is its own closest encloser. */
966 		return sec_status_secure;
967 	}
968 
969 	/* If the closest encloser is actually a delegation, then the
970 	 * response should have been a referral. If it is a DNAME, then
971 	 * it should have been a DNAME response. */
972 	if(nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_NS) &&
973 		!nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_SOA)) {
974 		if(!nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_DS)) {
975 			verbose(VERB_ALGO, "nsec3 proveClosestEncloser: "
976 				"closest encloser is insecure delegation");
977 			return sec_status_insecure;
978 		}
979 		verbose(VERB_ALGO, "nsec3 proveClosestEncloser: closest "
980 			"encloser was a delegation, bad");
981 		return sec_status_bogus;
982 	}
983 	if(nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_DNAME)) {
984 		verbose(VERB_ALGO, "nsec3 proveClosestEncloser: closest "
985 			"encloser was a DNAME, bad");
986 		return sec_status_bogus;
987 	}
988 
989 	/* Otherwise, we need to show that the next closer name is covered. */
990 	next_closer(qinfo->qname, qinfo->qname_len, ce->ce, &nc, &nc_len);
991 	if(!find_covering_nsec3(env, flt, ct, nc, nc_len,
992 		&ce->nc_rrset, &ce->nc_rr)) {
993 		verbose(VERB_ALGO, "nsec3: Could not find proof that the "
994 		          "candidate encloser was the closest encloser");
995 		return sec_status_bogus;
996 	}
997 	return sec_status_secure;
998 }
999 
1000 /** allocate a wildcard for the closest encloser */
1001 static uint8_t*
1002 nsec3_ce_wildcard(struct regional* region, uint8_t* ce, size_t celen,
1003 	size_t* len)
1004 {
1005 	uint8_t* nm;
1006 	if(celen > LDNS_MAX_DOMAINLEN - 2)
1007 		return 0; /* too long */
1008 	nm = (uint8_t*)regional_alloc(region, celen+2);
1009 	if(!nm) {
1010 		log_err("nsec3 wildcard: out of memory");
1011 		return 0; /* alloc failure */
1012 	}
1013 	nm[0] = 1;
1014 	nm[1] = (uint8_t)'*'; /* wildcard label */
1015 	memmove(nm+2, ce, celen);
1016 	*len = celen+2;
1017 	return nm;
1018 }
1019 
1020 /** Do the name error proof */
1021 static enum sec_status
1022 nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
1023 	rbtree_type* ct, struct query_info* qinfo)
1024 {
1025 	struct ce_response ce;
1026 	uint8_t* wc;
1027 	size_t wclen;
1028 	struct ub_packed_rrset_key* wc_rrset;
1029 	int wc_rr;
1030 	enum sec_status sec;
1031 
1032 	/* First locate and prove the closest encloser to qname. We will
1033 	 * use the variant that fails if the closest encloser turns out
1034 	 * to be qname. */
1035 	sec = nsec3_prove_closest_encloser(env, flt, ct, qinfo, 1, &ce);
1036 	if(sec != sec_status_secure) {
1037 		if(sec == sec_status_bogus)
1038 			verbose(VERB_ALGO, "nsec3 nameerror proof: failed "
1039 				"to prove a closest encloser");
1040 		else 	verbose(VERB_ALGO, "nsec3 nameerror proof: closest "
1041 				"nsec3 is an insecure delegation");
1042 		return sec;
1043 	}
1044 	log_nametypeclass(VERB_ALGO, "nsec3 nameerror: proven ce=", ce.ce,0,0);
1045 
1046 	/* At this point, we know that qname does not exist. Now we need
1047 	 * to prove that the wildcard does not exist. */
1048 	log_assert(ce.ce);
1049 	wc = nsec3_ce_wildcard(env->scratch, ce.ce, ce.ce_len, &wclen);
1050 	if(!wc || !find_covering_nsec3(env, flt, ct, wc, wclen,
1051 		&wc_rrset, &wc_rr)) {
1052 		verbose(VERB_ALGO, "nsec3 nameerror proof: could not prove "
1053 			"that the applicable wildcard did not exist.");
1054 		return sec_status_bogus;
1055 	}
1056 
1057 	if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
1058 		verbose(VERB_ALGO, "nsec3 nameerror proof: nc has optout");
1059 		return sec_status_insecure;
1060 	}
1061 	return sec_status_secure;
1062 }
1063 
1064 enum sec_status
1065 nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
1066 	struct ub_packed_rrset_key** list, size_t num,
1067 	struct query_info* qinfo, struct key_entry_key* kkey)
1068 {
1069 	rbtree_type ct;
1070 	struct nsec3_filter flt;
1071 
1072 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
1073 		return sec_status_bogus; /* no valid NSEC3s, bogus */
1074 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
1075 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
1076 	if(!flt.zone)
1077 		return sec_status_bogus; /* no RRs */
1078 	if(nsec3_iteration_count_high(ve, &flt, kkey))
1079 		return sec_status_insecure; /* iteration count too high */
1080 	log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone",
1081 		flt.zone, 0, 0);
1082 	return nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
1083 }
1084 
1085 /*
1086  * No code to handle qtype=NSEC3 specially.
1087  * This existed in early drafts, but was later (-05) removed.
1088  */
1089 
1090 /** Do the nodata proof */
1091 static enum sec_status
1092 nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
1093 	rbtree_type* ct, struct query_info* qinfo)
1094 {
1095 	struct ce_response ce;
1096 	uint8_t* wc;
1097 	size_t wclen;
1098 	struct ub_packed_rrset_key* rrset;
1099 	int rr;
1100 	enum sec_status sec;
1101 
1102 	if(find_matching_nsec3(env, flt, ct, qinfo->qname, qinfo->qname_len,
1103 		&rrset, &rr)) {
1104 		/* cases 1 and 2 */
1105 		if(nsec3_has_type(rrset, rr, qinfo->qtype)) {
1106 			verbose(VERB_ALGO, "proveNodata: Matching NSEC3 "
1107 				"proved that type existed, bogus");
1108 			return sec_status_bogus;
1109 		} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_CNAME)) {
1110 			verbose(VERB_ALGO, "proveNodata: Matching NSEC3 "
1111 				"proved that a CNAME existed, bogus");
1112 			return sec_status_bogus;
1113 		}
1114 
1115 		/*
1116 		 * If type DS: filter_init zone find already found a parent
1117 		 *   zone, so this nsec3 is from a parent zone.
1118 		 *   o can be not a delegation (unusual query for normal name,
1119 		 *   	no DS anyway, but we can verify that).
1120 		 *   o can be a delegation (which is the usual DS check).
1121 		 *   o may not have the SOA bit set (only the top of the
1122 		 *   	zone, which must have been above the name, has that).
1123 		 *   	Except for the root; which is checked by itself.
1124 		 *
1125 		 * If not type DS: matching nsec3 must not be a delegation.
1126 		 */
1127 		if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1
1128 			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
1129 			!dname_is_root(qinfo->qname)) {
1130 			verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
1131 				"abused for no DS proof, bogus");
1132 			return sec_status_bogus;
1133 		} else if(qinfo->qtype != LDNS_RR_TYPE_DS &&
1134 			nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS) &&
1135 			!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
1136 			if(!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_DS)) {
1137 				verbose(VERB_ALGO, "proveNodata: matching "
1138 					"NSEC3 is insecure delegation");
1139 				return sec_status_insecure;
1140 			}
1141 			verbose(VERB_ALGO, "proveNodata: matching "
1142 				"NSEC3 is a delegation, bogus");
1143 			return sec_status_bogus;
1144 		}
1145 		return sec_status_secure;
1146 	}
1147 
1148 	/* For cases 3 - 5, we need the proven closest encloser, and it
1149 	 * can't match qname. Although, at this point, we know that it
1150 	 * won't since we just checked that. */
1151 	sec = nsec3_prove_closest_encloser(env, flt, ct, qinfo, 1, &ce);
1152 	if(sec == sec_status_bogus) {
1153 		verbose(VERB_ALGO, "proveNodata: did not match qname, "
1154 		          "nor found a proven closest encloser.");
1155 		return sec_status_bogus;
1156 	} else if(sec==sec_status_insecure && qinfo->qtype!=LDNS_RR_TYPE_DS){
1157 		verbose(VERB_ALGO, "proveNodata: closest nsec3 is insecure "
1158 		          "delegation.");
1159 		return sec_status_insecure;
1160 	}
1161 
1162 	/* Case 3: removed */
1163 
1164 	/* Case 4: */
1165 	log_assert(ce.ce);
1166 	wc = nsec3_ce_wildcard(env->scratch, ce.ce, ce.ce_len, &wclen);
1167 	if(wc && find_matching_nsec3(env, flt, ct, wc, wclen, &rrset, &rr)) {
1168 		/* found wildcard */
1169 		if(nsec3_has_type(rrset, rr, qinfo->qtype)) {
1170 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
1171 				"wildcard had qtype, bogus");
1172 			return sec_status_bogus;
1173 		} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_CNAME)) {
1174 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
1175 				"wildcard had a CNAME, bogus");
1176 			return sec_status_bogus;
1177 		}
1178 		if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1
1179 			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
1180 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
1181 				"wildcard for no DS proof has a SOA, bogus");
1182 			return sec_status_bogus;
1183 		} else if(qinfo->qtype != LDNS_RR_TYPE_DS &&
1184 			nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS) &&
1185 			!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
1186 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
1187 				"wildcard is a delegation, bogus");
1188 			return sec_status_bogus;
1189 		}
1190 		/* everything is peachy keen, except for optout spans */
1191 		if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
1192 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
1193 				"wildcard is in optout range, insecure");
1194 			return sec_status_insecure;
1195 		}
1196 		return sec_status_secure;
1197 	}
1198 
1199 	/* Case 5: */
1200 	/* Due to forwarders, cnames, and other collating effects, we
1201 	 * can see the ordinary unsigned data from a zone beneath an
1202 	 * insecure delegation under an optout here */
1203 	if(!ce.nc_rrset) {
1204 		verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
1205 		return sec_status_bogus;
1206 	}
1207 
1208 	/* We need to make sure that the covering NSEC3 is opt-out. */
1209 	log_assert(ce.nc_rrset);
1210 	if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
1211 		if(qinfo->qtype == LDNS_RR_TYPE_DS)
1212 		  verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not "
1213 			"opt-out in an opt-out DS NOERROR/NODATA case.");
1214 		else verbose(VERB_ALGO, "proveNodata: could not find matching "
1215 			"NSEC3, nor matching wildcard, nor optout NSEC3 "
1216 			"-- no more options, bogus.");
1217 		return sec_status_bogus;
1218 	}
1219 	/* RFC5155 section 9.2: if nc has optout then no AD flag set */
1220 	return sec_status_insecure;
1221 }
1222 
1223 enum sec_status
1224 nsec3_prove_nodata(struct module_env* env, struct val_env* ve,
1225 	struct ub_packed_rrset_key** list, size_t num,
1226 	struct query_info* qinfo, struct key_entry_key* kkey)
1227 {
1228 	rbtree_type ct;
1229 	struct nsec3_filter flt;
1230 
1231 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
1232 		return sec_status_bogus; /* no valid NSEC3s, bogus */
1233 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
1234 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
1235 	if(!flt.zone)
1236 		return sec_status_bogus; /* no RRs */
1237 	if(nsec3_iteration_count_high(ve, &flt, kkey))
1238 		return sec_status_insecure; /* iteration count too high */
1239 	return nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
1240 }
1241 
1242 enum sec_status
1243 nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
1244         struct ub_packed_rrset_key** list, size_t num,
1245 	struct query_info* qinfo, struct key_entry_key* kkey, uint8_t* wc)
1246 {
1247 	rbtree_type ct;
1248 	struct nsec3_filter flt;
1249 	struct ce_response ce;
1250 	uint8_t* nc;
1251 	size_t nc_len;
1252 	size_t wclen;
1253 	(void)dname_count_size_labels(wc, &wclen);
1254 
1255 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
1256 		return sec_status_bogus; /* no valid NSEC3s, bogus */
1257 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
1258 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
1259 	if(!flt.zone)
1260 		return sec_status_bogus; /* no RRs */
1261 	if(nsec3_iteration_count_high(ve, &flt, kkey))
1262 		return sec_status_insecure; /* iteration count too high */
1263 
1264 	/* We know what the (purported) closest encloser is by just
1265 	 * looking at the supposed generating wildcard.
1266 	 * The *. has already been removed from the wc name.
1267 	 */
1268 	memset(&ce, 0, sizeof(ce));
1269 	ce.ce = wc;
1270 	ce.ce_len = wclen;
1271 
1272 	/* Now we still need to prove that the original data did not exist.
1273 	 * Otherwise, we need to show that the next closer name is covered. */
1274 	next_closer(qinfo->qname, qinfo->qname_len, ce.ce, &nc, &nc_len);
1275 	if(!find_covering_nsec3(env, &flt, &ct, nc, nc_len,
1276 		&ce.nc_rrset, &ce.nc_rr)) {
1277 		verbose(VERB_ALGO, "proveWildcard: did not find a covering "
1278 			"NSEC3 that covered the next closer name.");
1279 		return sec_status_bogus;
1280 	}
1281 	if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
1282 		verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
1283 		return sec_status_insecure;
1284 	}
1285 	return sec_status_secure;
1286 }
1287 
1288 /** test if list is all secure */
1289 static int
1290 list_is_secure(struct module_env* env, struct val_env* ve,
1291 	struct ub_packed_rrset_key** list, size_t num,
1292 	struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)
1293 {
1294 	struct packed_rrset_data* d;
1295 	size_t i;
1296 	for(i=0; i<num; i++) {
1297 		d = (struct packed_rrset_data*)list[i]->entry.data;
1298 		if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
1299 			continue;
1300 		if(d->security == sec_status_secure)
1301 			continue;
1302 		rrset_check_sec_status(env->rrset_cache, list[i], *env->now);
1303 		if(d->security == sec_status_secure)
1304 			continue;
1305 		d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
1306 			reason, LDNS_SECTION_AUTHORITY, qstate);
1307 		if(d->security != sec_status_secure) {
1308 			verbose(VERB_ALGO, "NSEC3 did not verify");
1309 			return 0;
1310 		}
1311 		rrset_update_sec_status(env->rrset_cache, list[i], *env->now);
1312 	}
1313 	return 1;
1314 }
1315 
1316 enum sec_status
1317 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
1318 	struct ub_packed_rrset_key** list, size_t num,
1319 	struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
1320 	struct module_qstate* qstate)
1321 {
1322 	rbtree_type ct;
1323 	struct nsec3_filter flt;
1324 	struct ce_response ce;
1325 	struct ub_packed_rrset_key* rrset;
1326 	int rr;
1327 	log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
1328 
1329 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey)) {
1330 		*reason = "no valid NSEC3s";
1331 		return sec_status_bogus; /* no valid NSEC3s, bogus */
1332 	}
1333 	if(!list_is_secure(env, ve, list, num, kkey, reason, qstate))
1334 		return sec_status_bogus; /* not all NSEC3 records secure */
1335 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
1336 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
1337 	if(!flt.zone) {
1338 		*reason = "no NSEC3 records";
1339 		return sec_status_bogus; /* no RRs */
1340 	}
1341 	if(nsec3_iteration_count_high(ve, &flt, kkey))
1342 		return sec_status_insecure; /* iteration count too high */
1343 
1344 	/* Look for a matching NSEC3 to qname -- this is the normal
1345 	 * NODATA case. */
1346 	if(find_matching_nsec3(env, &flt, &ct, qinfo->qname, qinfo->qname_len,
1347 		&rrset, &rr)) {
1348 		/* If the matching NSEC3 has the SOA bit set, it is from
1349 		 * the wrong zone (the child instead of the parent). If
1350 		 * it has the DS bit set, then we were lied to. */
1351 		if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
1352 			qinfo->qname_len != 1) {
1353 			verbose(VERB_ALGO, "nsec3 provenods: NSEC3 is from"
1354 				" child zone, bogus");
1355 			*reason = "NSEC3 from child zone";
1356 			return sec_status_bogus;
1357 		} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_DS)) {
1358 			verbose(VERB_ALGO, "nsec3 provenods: NSEC3 has qtype"
1359 				" DS, bogus");
1360 			*reason = "NSEC3 has DS in bitmap";
1361 			return sec_status_bogus;
1362 		}
1363 		/* If the NSEC3 RR doesn't have the NS bit set, then
1364 		 * this wasn't a delegation point. */
1365 		if(!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS))
1366 			return sec_status_indeterminate;
1367 		/* Otherwise, this proves no DS. */
1368 		return sec_status_secure;
1369 	}
1370 
1371 	/* Otherwise, we are probably in the opt-out case. */
1372 	if(nsec3_prove_closest_encloser(env, &flt, &ct, qinfo, 1, &ce)
1373 		!= sec_status_secure) {
1374 		/* an insecure delegation *above* the qname does not prove
1375 		 * anything about this qname exactly, and bogus is bogus */
1376 		verbose(VERB_ALGO, "nsec3 provenods: did not match qname, "
1377 		          "nor found a proven closest encloser.");
1378 		*reason = "no NSEC3 closest encloser";
1379 		return sec_status_bogus;
1380 	}
1381 
1382 	/* robust extra check */
1383 	if(!ce.nc_rrset) {
1384 		verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
1385 		*reason = "no NSEC3 next closer";
1386 		return sec_status_bogus;
1387 	}
1388 
1389 	/* we had the closest encloser proof, then we need to check that the
1390 	 * covering NSEC3 was opt-out -- the proveClosestEncloser step already
1391 	 * checked to see if the closest encloser was a delegation or DNAME.
1392 	 */
1393 	log_assert(ce.nc_rrset);
1394 	if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
1395 		verbose(VERB_ALGO, "nsec3 provenods: covering NSEC3 was not "
1396 			"opt-out in an opt-out DS NOERROR/NODATA case.");
1397 		*reason = "covering NSEC3 was not opt-out in an opt-out "
1398 			"DS NOERROR/NODATA case";
1399 		return sec_status_bogus;
1400 	}
1401 	/* RFC5155 section 9.2: if nc has optout then no AD flag set */
1402 	return sec_status_insecure;
1403 }
1404 
1405 enum sec_status
1406 nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
1407 	struct ub_packed_rrset_key** list, size_t num,
1408 	struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
1409 {
1410 	enum sec_status sec, secnx;
1411 	rbtree_type ct;
1412 	struct nsec3_filter flt;
1413 	*nodata = 0;
1414 
1415 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
1416 		return sec_status_bogus; /* no valid NSEC3s, bogus */
1417 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
1418 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
1419 	if(!flt.zone)
1420 		return sec_status_bogus; /* no RRs */
1421 	if(nsec3_iteration_count_high(ve, &flt, kkey))
1422 		return sec_status_insecure; /* iteration count too high */
1423 
1424 	/* try nxdomain and nodata after another, while keeping the
1425 	 * hash cache intact */
1426 
1427 	secnx = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
1428 	if(secnx==sec_status_secure)
1429 		return sec_status_secure;
1430 	sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
1431 	if(sec==sec_status_secure) {
1432 		*nodata = 1;
1433 	} else if(sec == sec_status_insecure) {
1434 		*nodata = 1;
1435 	} else if(secnx == sec_status_insecure) {
1436 		sec = sec_status_insecure;
1437 	}
1438 	return sec;
1439 }
1440