xref: /freebsd/contrib/unbound/validator/val_nsec3.h (revision 34b867ca30479cec104fd069178df294f8ea35f1)
1 /*
2  * validator/val_nsec3.h - validator NSEC3 denial of existence functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with NSEC3 checking, the different NSEC3 proofs
41  * for denial of existence, and proofs for presence of types.
42  *
43  * NSEC3
44  *                      1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
45  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
46  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
47  * |   Hash Alg.   |     Flags     |          Iterations           |
48  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
49  * |  Salt Length  |                     Salt                      /
50  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
51  * |  Hash Length  |             Next Hashed Owner Name            /
52  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
53  * /                         Type Bit Maps                         /
54  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
55  *
56  * NSEC3PARAM
57  *                      1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
58  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
59  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
60  * |   Hash Alg.   |     Flags     |          Iterations           |
61  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62  * |  Salt Length  |                     Salt                      /
63  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
64  *
65  */
66 
67 #ifndef VALIDATOR_VAL_NSEC3_H
68 #define VALIDATOR_VAL_NSEC3_H
69 #include "util/rbtree.h"
70 #include "util/data/packed_rrset.h"
71 #include "sldns/rrdef.h"
72 struct val_env;
73 struct regional;
74 struct module_env;
75 struct module_qstate;
76 struct ub_packed_rrset_key;
77 struct reply_info;
78 struct query_info;
79 struct key_entry_key;
80 struct sldns_buffer;
81 
82 /**
83  *     0 1 2 3 4 5 6 7
84  *    +-+-+-+-+-+-+-+-+
85  *    |             |O|
86  *    +-+-+-+-+-+-+-+-+
87  * The OPT-OUT bit in the NSEC3 flags field.
88  * If enabled, there can be zero or more unsigned delegations in the span.
89  * If disabled, there are zero unsigned delegations in the span.
90  */
91 #define NSEC3_OPTOUT	0x01
92 /**
93  * The unknown flags in the NSEC3 flags field.
94  * They must be zero, or the NSEC3 is ignored.
95  */
96 #define NSEC3_UNKNOWN_FLAGS 0xFE
97 
98 /** The SHA1 hash algorithm for NSEC3 */
99 #define NSEC3_HASH_SHA1	0x01
100 
101 /**
102  * Determine if the set of NSEC3 records provided with a response prove NAME
103  * ERROR. This means that the NSEC3s prove a) the closest encloser exists,
104  * b) the direct child of the closest encloser towards qname doesn't exist,
105  * and c) *.closest encloser does not exist.
106  *
107  * @param env: module environment with temporary region and buffer.
108  * @param ve: validator environment, with iteration count settings.
109  * @param list: array of RRsets, some of which are NSEC3s.
110  * @param num: number of RRsets in the array to examine.
111  * @param qinfo: query that is verified for.
112  * @param kkey: key entry that signed the NSEC3s.
113  * @return:
114  * 	sec_status SECURE of the Name Error is proven by the NSEC3 RRs,
115  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
116  */
117 enum sec_status
118 nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
119 	struct ub_packed_rrset_key** list, size_t num,
120 	struct query_info* qinfo, struct key_entry_key* kkey);
121 
122 /**
123  * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
124  * status. There are a number of different variants to this:
125  *
126  * 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not
127  * present.
128  *
129  * 2) ENT NODATA -- because there must be NSEC3 record for
130  * empty-non-terminals, this is the same as #1.
131  *
132  * 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3
133  * ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no
134  * longer exists.
135  *
136  * 4) Wildcard NODATA -- A wildcard matched the name, but not the type.
137  *
138  * 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype ==
139  * DS. (or maybe some future record with the same parent-side-only property)
140  *
141  * @param env: module environment with temporary region and buffer.
142  * @param ve: validator environment, with iteration count settings.
143  * @param list: array of RRsets, some of which are NSEC3s.
144  * @param num: number of RRsets in the array to examine.
145  * @param qinfo: query that is verified for.
146  * @param kkey: key entry that signed the NSEC3s.
147  * @return:
148  * 	sec_status SECURE of the proposition is proven by the NSEC3 RRs,
149  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
150  */
151 enum sec_status
152 nsec3_prove_nodata(struct module_env* env, struct val_env* ve,
153 	struct ub_packed_rrset_key** list, size_t num,
154 	struct query_info* qinfo, struct key_entry_key* kkey);
155 
156 
157 /**
158  * Prove that a positive wildcard match was appropriate (no direct match
159  * RRset).
160  *
161  * @param env: module environment with temporary region and buffer.
162  * @param ve: validator environment, with iteration count settings.
163  * @param list: array of RRsets, some of which are NSEC3s.
164  * @param num: number of RRsets in the array to examine.
165  * @param qinfo: query that is verified for.
166  * @param kkey: key entry that signed the NSEC3s.
167  * @param wc: The purported wildcard that matched. This is the wildcard name
168  * 	as *.wildcard.name., with the *. label already removed.
169  * @return:
170  * 	sec_status SECURE of the proposition is proven by the NSEC3 RRs,
171  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
172  */
173 enum sec_status
174 nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
175 	struct ub_packed_rrset_key** list, size_t num,
176 	struct query_info* qinfo, struct key_entry_key* kkey, uint8_t* wc);
177 
178 /**
179  * Prove that a DS response either had no DS, or wasn't a delegation point.
180  *
181  * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
182  *
183  * @param env: module environment with temporary region and buffer.
184  * @param ve: validator environment, with iteration count settings.
185  * @param list: array of RRsets, some of which are NSEC3s.
186  * @param num: number of RRsets in the array to examine.
187  * @param qinfo: query that is verified for.
188  * @param kkey: key entry that signed the NSEC3s.
189  * @param reason: string for bogus result.
190  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
191  * @param qstate: qstate with region.
192  * @return:
193  * 	sec_status SECURE of the proposition is proven by the NSEC3 RRs,
194  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
195  * 	or if there was no DS in an insecure (i.e., opt-in) way,
196  * 	INDETERMINATE if it was clear that this wasn't a delegation point.
197  */
198 enum sec_status
199 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
200 	struct ub_packed_rrset_key** list, size_t num,
201 	struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
202 	sldns_ede_code* reason_bogus, struct module_qstate* qstate);
203 
204 /**
205  * Prove NXDOMAIN or NODATA.
206  *
207  * @param env: module environment with temporary region and buffer.
208  * @param ve: validator environment, with iteration count settings.
209  * @param list: array of RRsets, some of which are NSEC3s.
210  * @param num: number of RRsets in the array to examine.
211  * @param qinfo: query that is verified for.
212  * @param kkey: key entry that signed the NSEC3s.
213  * @param nodata: if return value is secure, this indicates if nodata or
214  * 	nxdomain was proven.
215  * @return:
216  * 	sec_status SECURE of the proposition is proven by the NSEC3 RRs,
217  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
218  */
219 enum sec_status
220 nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
221 	struct ub_packed_rrset_key** list, size_t num,
222 	struct query_info* qinfo, struct key_entry_key* kkey, int* nodata);
223 
224 /**
225  * The NSEC3 hash result storage.
226  * Consists of an rbtree, with these nodes in it.
227  * The nodes detail how a set of parameters (from nsec3 rr) plus
228  * a dname result in a hash.
229  */
230 struct nsec3_cached_hash {
231 	/** rbtree node, key is this structure */
232 	rbnode_type node;
233 	/** where are the parameters for conversion, in this rrset data */
234 	struct ub_packed_rrset_key* nsec3;
235 	/** where are the parameters for conversion, this RR number in data */
236 	int rr;
237 	/** the name to convert */
238 	uint8_t* dname;
239 	/** length of the dname */
240 	size_t dname_len;
241 	/** the hash result (not base32 encoded) */
242 	uint8_t* hash;
243 	/** length of hash in bytes */
244 	size_t hash_len;
245 	/** the hash result in base32 encoding */
246 	uint8_t* b32;
247 	/** length of base32 encoding (as a label) */
248 	size_t b32_len;
249 };
250 
251 /**
252  * Rbtree for hash cache comparison function.
253  * @param c1: key 1.
254  * @param c2: key 2.
255  * @return: comparison code, -1, 0, 1, of the keys.
256  */
257 int nsec3_hash_cmp(const void* c1, const void* c2);
258 
259 /**
260  * Obtain the hash of an owner name.
261  * Used internally by the nsec3 proof functions in this file.
262  * published to enable unit testing of hash algorithms and cache.
263  *
264  * @param table: the cache table. Must be initialised at start.
265  * @param region: scratch region to use for allocation.
266  * 	This region holds the tree, if you wipe the region, reinit the tree.
267  * @param buf: temporary buffer.
268  * @param nsec3: the rrset with parameters
269  * @param rr: rr number from d that has the NSEC3 parameters to hash to.
270  * @param dname: name to hash
271  * 	This pointer is used inside the tree, assumed region-alloced.
272  * @param dname_len: the length of the name.
273  * @param hash: the hash node is returned on success.
274  * @return:
275  * 	1 on success, either from cache or newly hashed hash is returned.
276  * 	0 on a malloc failure.
277  * 	-1 if the NSEC3 rr was badly formatted (i.e. formerr).
278  */
279 int nsec3_hash_name(rbtree_type* table, struct regional* region,
280 	struct sldns_buffer* buf, struct ub_packed_rrset_key* nsec3, int rr,
281 	uint8_t* dname, size_t dname_len, struct nsec3_cached_hash** hash);
282 
283 /**
284  * Get next owner name, converted to base32 encoding and with the
285  * zone name (taken from the nsec3 owner name) appended.
286  * @param rrset: the NSEC3 rrset.
287  * @param r: the rr num of the nsec3 in the rrset.
288  * @param buf: buffer to store name in
289  * @param max: size of buffer.
290  * @return length of name on success. 0 on failure (buffer too short or
291  *	bad format nsec3 record).
292  */
293 size_t nsec3_get_nextowner_b32(struct ub_packed_rrset_key* rrset, int r,
294 	uint8_t* buf, size_t max);
295 
296 /**
297  * Convert hash into base32 encoding and with the
298  * zone name appended.
299  * @param hash: hashed buffer
300  * @param hashlen: length of hash
301  * @param zone: name of zone
302  * @param zonelen: length of zonename.
303  * @param buf: buffer to store name in
304  * @param max: size of buffer.
305  * @return length of name on success. 0 on failure (buffer too short or
306  *	bad format nsec3 record).
307  */
308 size_t nsec3_hash_to_b32(uint8_t* hash, size_t hashlen, uint8_t* zone,
309 	size_t zonelen, uint8_t* buf, size_t max);
310 
311 /**
312  * Get NSEC3 parameters out of rr.
313  * @param rrset: the NSEC3 rrset.
314  * @param r: the rr num of the nsec3 in the rrset.
315  * @param algo: nsec3 hash algo.
316  * @param iter: iteration count.
317  * @param salt: ptr to salt inside rdata.
318  * @param saltlen: length of salt.
319  * @return 0 if bad formatted, unknown nsec3 hash algo, or unknown flags set.
320  */
321 int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r,
322 	int* algo, size_t* iter, uint8_t** salt, size_t* saltlen);
323 
324 /**
325  * Get NSEC3 hashed in a buffer
326  * @param buf: buffer for temp use.
327  * @param nm: name to hash
328  * @param nmlen: length of nm.
329  * @param algo: algo to use, must be known.
330  * @param iter: iterations
331  * @param salt: salt for nsec3
332  * @param saltlen: length of salt.
333  * @param res: result of hash stored here.
334  * @param max: maximum space for result.
335  * @return 0 on failure, otherwise bytelength stored.
336  */
337 size_t nsec3_get_hashed(struct sldns_buffer* buf, uint8_t* nm, size_t nmlen,
338 	int algo, size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res,
339 	size_t max);
340 
341 /**
342  * see if NSEC3 RR contains given type
343  * @param rrset: NSEC3 rrset
344  * @param r: RR in rrset
345  * @param type: in host order to check bit for.
346  * @return true if bit set, false if not or error.
347  */
348 int nsec3_has_type(struct ub_packed_rrset_key* rrset, int r, uint16_t type);
349 
350 /**
351  * return if nsec3 RR has the optout flag
352  * @param rrset: NSEC3 rrset
353  * @param r: RR in rrset
354  * @return true if optout, false on error or not optout
355  */
356 int nsec3_has_optout(struct ub_packed_rrset_key* rrset, int r);
357 
358 /**
359  * Return nsec3 RR next hashed owner name
360  * @param rrset: NSEC3 rrset
361  * @param r: RR in rrset
362  * @param next: ptr into rdata to next owner hash
363  * @param nextlen: length of hash.
364  * @return false on malformed
365  */
366 int nsec3_get_nextowner(struct ub_packed_rrset_key* rrset, int r,
367 	uint8_t** next, size_t* nextlen);
368 
369 /**
370  * nsec3Covers
371  * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record
372  * covers the hash. Covers specifically means that the hash is in between
373  * the owner and next hashes and does not equal either.
374  *
375  * @param zone: the zone name.
376  * @param hash: the hash of the name
377  * @param rrset: the rrset of the NSEC3.
378  * @param rr: which rr in the rrset.
379  * @param buf: temporary buffer.
380  * @return true if covers, false if not.
381  */
382 int nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash,
383 	struct ub_packed_rrset_key* rrset, int rr, struct sldns_buffer* buf);
384 
385 #endif /* VALIDATOR_VAL_NSEC3_H */
386