1ae8c6e27Sflorian /* 2ae8c6e27Sflorian * validator/val_nsec3.h - validator NSEC3 denial of existence functions. 3ae8c6e27Sflorian * 4ae8c6e27Sflorian * Copyright (c) 2007, NLnet Labs. All rights reserved. 5ae8c6e27Sflorian * 6ae8c6e27Sflorian * This software is open source. 7ae8c6e27Sflorian * 8ae8c6e27Sflorian * Redistribution and use in source and binary forms, with or without 9ae8c6e27Sflorian * modification, are permitted provided that the following conditions 10ae8c6e27Sflorian * are met: 11ae8c6e27Sflorian * 12ae8c6e27Sflorian * Redistributions of source code must retain the above copyright notice, 13ae8c6e27Sflorian * this list of conditions and the following disclaimer. 14ae8c6e27Sflorian * 15ae8c6e27Sflorian * Redistributions in binary form must reproduce the above copyright notice, 16ae8c6e27Sflorian * this list of conditions and the following disclaimer in the documentation 17ae8c6e27Sflorian * and/or other materials provided with the distribution. 18ae8c6e27Sflorian * 19ae8c6e27Sflorian * Neither the name of the NLNET LABS nor the names of its contributors may 20ae8c6e27Sflorian * be used to endorse or promote products derived from this software without 21ae8c6e27Sflorian * specific prior written permission. 22ae8c6e27Sflorian * 23ae8c6e27Sflorian * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24ae8c6e27Sflorian * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25ae8c6e27Sflorian * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26ae8c6e27Sflorian * A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT 27ae8c6e27Sflorian * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28ae8c6e27Sflorian * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29ae8c6e27Sflorian * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30ae8c6e27Sflorian * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31ae8c6e27Sflorian * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32ae8c6e27Sflorian * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33ae8c6e27Sflorian * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34ae8c6e27Sflorian */ 35ae8c6e27Sflorian 36ae8c6e27Sflorian /** 37ae8c6e27Sflorian * \file 38ae8c6e27Sflorian * 39ae8c6e27Sflorian * This file contains helper functions for the validator module. 40ae8c6e27Sflorian * The functions help with NSEC3 checking, the different NSEC3 proofs 41ae8c6e27Sflorian * for denial of existence, and proofs for presence of types. 42ae8c6e27Sflorian * 43ae8c6e27Sflorian * NSEC3 44ae8c6e27Sflorian * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 45ae8c6e27Sflorian * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 46ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 47ae8c6e27Sflorian * | Hash Alg. 
| Flags | Iterations | 48ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 49ae8c6e27Sflorian * | Salt Length | Salt / 50ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 51ae8c6e27Sflorian * | Hash Length | Next Hashed Owner Name / 52ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 53ae8c6e27Sflorian * / Type Bit Maps / 54ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 55ae8c6e27Sflorian * 56ae8c6e27Sflorian * NSEC3PARAM 57ae8c6e27Sflorian * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 58ae8c6e27Sflorian * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 59ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 60ae8c6e27Sflorian * | Hash Alg. | Flags | Iterations | 61ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 62ae8c6e27Sflorian * | Salt Length | Salt / 63ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 64ae8c6e27Sflorian * 65ae8c6e27Sflorian */ 66ae8c6e27Sflorian 67ae8c6e27Sflorian #ifndef VALIDATOR_VAL_NSEC3_H 68ae8c6e27Sflorian #define VALIDATOR_VAL_NSEC3_H 69ae8c6e27Sflorian #include "util/rbtree.h" 70ae8c6e27Sflorian #include "util/data/packed_rrset.h" 717a05b9dfSflorian #include "sldns/rrdef.h" 72ae8c6e27Sflorian struct val_env; 73ae8c6e27Sflorian struct regional; 74ae8c6e27Sflorian struct module_env; 75ae8c6e27Sflorian struct module_qstate; 76ae8c6e27Sflorian struct ub_packed_rrset_key; 77ae8c6e27Sflorian struct reply_info; 78ae8c6e27Sflorian struct query_info; 79ae8c6e27Sflorian struct key_entry_key; 80ae8c6e27Sflorian struct sldns_buffer; 81ae8c6e27Sflorian 82ae8c6e27Sflorian /** 83ae8c6e27Sflorian * 0 1 2 3 4 5 6 7 84ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+ 85ae8c6e27Sflorian * | |O| 86ae8c6e27Sflorian * +-+-+-+-+-+-+-+-+ 87ae8c6e27Sflorian * The OPT-OUT bit in the NSEC3 flags field. 
88ae8c6e27Sflorian * If enabled, there can be zero or more unsigned delegations in the span. 89ae8c6e27Sflorian * If disabled, there are zero unsigned delegations in the span. 90ae8c6e27Sflorian */ 91ae8c6e27Sflorian #define NSEC3_OPTOUT 0x01 92ae8c6e27Sflorian /** 93ae8c6e27Sflorian * The unknown flags in the NSEC3 flags field. 94ae8c6e27Sflorian * They must be zero, or the NSEC3 is ignored. 95ae8c6e27Sflorian */ 96ae8c6e27Sflorian #define NSEC3_UNKNOWN_FLAGS 0xFE 97ae8c6e27Sflorian 98ae8c6e27Sflorian /** The SHA1 hash algorithm for NSEC3 */ 99ae8c6e27Sflorian #define NSEC3_HASH_SHA1 0x01 100ae8c6e27Sflorian 101ae8c6e27Sflorian /** 102*fed3efa7Sflorian * Cache table for NSEC3 hashes. 103*fed3efa7Sflorian * It keeps a *pointer* to the region its items are allocated in; it does not own that region, which must therefore outlive the table. 104*fed3efa7Sflorian */ 105*fed3efa7Sflorian struct nsec3_cache_table { 106*fed3efa7Sflorian rbtree_type* ct; 107*fed3efa7Sflorian struct regional* region; 108*fed3efa7Sflorian }; 109*fed3efa7Sflorian 110*fed3efa7Sflorian /** 111ae8c6e27Sflorian * Determine if the set of NSEC3 records provided with a response prove NAME 112ae8c6e27Sflorian * ERROR. This means that the NSEC3s prove a) the closest encloser exists, 113ae8c6e27Sflorian * b) the direct child of the closest encloser towards qname doesn't exist, 114ae8c6e27Sflorian * and c) *.closest encloser does not exist. 115ae8c6e27Sflorian * 116ae8c6e27Sflorian * @param env: module environment with temporary region and buffer. 117ae8c6e27Sflorian * @param ve: validator environment, with iteration count settings. 118ae8c6e27Sflorian * @param list: array of RRsets, some of which are NSEC3s. 119ae8c6e27Sflorian * @param num: number of RRsets in the array to examine. 120ae8c6e27Sflorian * @param qinfo: query that is verified for. 121ae8c6e27Sflorian * @param kkey: key entry that signed the NSEC3s. 122*fed3efa7Sflorian * @param ct: cached hashes table. 123*fed3efa7Sflorian * @param calc: in/out count of NSEC3 hash calculations performed so far for this response; once no more are allowed the proof stops and returns UNCHECKED rather than hashing further, which bounds the CPU an attacker-supplied NSEC3 set can cost. 
124ae8c6e27Sflorian * @return: 125ae8c6e27Sflorian * sec_status SECURE if the Name Error is proven by the NSEC3 RRs, 126*fed3efa7Sflorian * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored, 127*fed3efa7Sflorian * UNCHECKED if no more hash calculations are allowed at this point. 128ae8c6e27Sflorian */ 129ae8c6e27Sflorian enum sec_status 130ae8c6e27Sflorian nsec3_prove_nameerror(struct module_env* env, struct val_env* ve, 131ae8c6e27Sflorian struct ub_packed_rrset_key** list, size_t num, 132*fed3efa7Sflorian struct query_info* qinfo, struct key_entry_key* kkey, 133*fed3efa7Sflorian struct nsec3_cache_table* ct, int* calc); 134ae8c6e27Sflorian 135ae8c6e27Sflorian /** 136ae8c6e27Sflorian * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA 137ae8c6e27Sflorian * status. There are a number of different variants to this: 138ae8c6e27Sflorian * 139ae8c6e27Sflorian * 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not 140ae8c6e27Sflorian * present. 141ae8c6e27Sflorian * 142ae8c6e27Sflorian * 2) ENT NODATA -- because there must be an NSEC3 record for 143ae8c6e27Sflorian * empty-non-terminals, this is the same as #1. 144ae8c6e27Sflorian * 145ae8c6e27Sflorian * 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3 146ae8c6e27Sflorian * ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no 147ae8c6e27Sflorian * longer exists. 148ae8c6e27Sflorian * 149ae8c6e27Sflorian * 4) Wildcard NODATA -- A wildcard matched the name, but not the type. 150ae8c6e27Sflorian * 151ae8c6e27Sflorian * 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype == 152ae8c6e27Sflorian * DS. (or maybe some future record with the same parent-side-only property) 153ae8c6e27Sflorian * 154ae8c6e27Sflorian * @param env: module environment with temporary region and buffer. 155ae8c6e27Sflorian * @param ve: validator environment, with iteration count settings. 
156ae8c6e27Sflorian * @param list: array of RRsets, some of which are NSEC3s. 157ae8c6e27Sflorian * @param num: number of RRsets in the array to examine. 158ae8c6e27Sflorian * @param qinfo: query that is verified for. 159ae8c6e27Sflorian * @param kkey: key entry that signed the NSEC3s. 160*fed3efa7Sflorian * @param ct: cached hashes table. 161*fed3efa7Sflorian * @param calc: in/out count of hash calculations done so far; the proof stops with UNCHECKED once no more are allowed, so the work is bounded. 162ae8c6e27Sflorian * @return: 163ae8c6e27Sflorian * sec_status SECURE if the proposition is proven by the NSEC3 RRs, 164*fed3efa7Sflorian * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored, 165*fed3efa7Sflorian * UNCHECKED if no more hash calculations are allowed at this point. 166ae8c6e27Sflorian */ 167ae8c6e27Sflorian enum sec_status 168ae8c6e27Sflorian nsec3_prove_nodata(struct module_env* env, struct val_env* ve, 169ae8c6e27Sflorian struct ub_packed_rrset_key** list, size_t num, 170*fed3efa7Sflorian struct query_info* qinfo, struct key_entry_key* kkey, 171*fed3efa7Sflorian struct nsec3_cache_table* ct, int* calc); 172ae8c6e27Sflorian 173ae8c6e27Sflorian /** 174ae8c6e27Sflorian * Prove that a positive wildcard match was appropriate (no direct match 175ae8c6e27Sflorian * RRset). 176ae8c6e27Sflorian * 177ae8c6e27Sflorian * @param env: module environment with temporary region and buffer. 178ae8c6e27Sflorian * @param ve: validator environment, with iteration count settings. 179ae8c6e27Sflorian * @param list: array of RRsets, some of which are NSEC3s. 180ae8c6e27Sflorian * @param num: number of RRsets in the array to examine. 181ae8c6e27Sflorian * @param qinfo: query that is verified for. 182ae8c6e27Sflorian * @param kkey: key entry that signed the NSEC3s. 183ae8c6e27Sflorian * @param wc: The purported wildcard that matched. This is the wildcard name 184ae8c6e27Sflorian * as *.wildcard.name., with the *. label already removed. 185*fed3efa7Sflorian * @param ct: cached hashes table. 186*fed3efa7Sflorian * @param calc: in/out count of hash calculations done so far; the proof stops with UNCHECKED once no more are allowed, so the work is bounded. 
187ae8c6e27Sflorian * @return: 188ae8c6e27Sflorian * sec_status SECURE if the proposition is proven by the NSEC3 RRs, 189*fed3efa7Sflorian * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored, 190*fed3efa7Sflorian * UNCHECKED if no more hash calculations are allowed at this point. 191ae8c6e27Sflorian */ 192ae8c6e27Sflorian enum sec_status 193ae8c6e27Sflorian nsec3_prove_wildcard(struct module_env* env, struct val_env* ve, 194ae8c6e27Sflorian struct ub_packed_rrset_key** list, size_t num, 195*fed3efa7Sflorian struct query_info* qinfo, struct key_entry_key* kkey, uint8_t* wc, 196*fed3efa7Sflorian struct nsec3_cache_table* ct, int* calc); 197ae8c6e27Sflorian 198ae8c6e27Sflorian /** 199ae8c6e27Sflorian * Prove that a DS response either had no DS, or wasn't a delegation point. 200ae8c6e27Sflorian * 201ae8c6e27Sflorian * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA. 202ae8c6e27Sflorian * 203ae8c6e27Sflorian * @param env: module environment with temporary region and buffer. 204ae8c6e27Sflorian * @param ve: validator environment, with iteration count settings. 205ae8c6e27Sflorian * @param list: array of RRsets, some of which are NSEC3s. 206ae8c6e27Sflorian * @param num: number of RRsets in the array to examine. 207ae8c6e27Sflorian * @param qinfo: query that is verified for. 208ae8c6e27Sflorian * @param kkey: key entry that signed the NSEC3s. 209ae8c6e27Sflorian * @param reason: output; set to a string describing the failure when the result is bogus. 2107a05b9dfSflorian * @param reason_bogus: output; EDE (RFC8914) code paired with the reason of failure. 211ae8c6e27Sflorian * @param qstate: qstate with region. 212*fed3efa7Sflorian * @param ct: cached hashes table. 213ae8c6e27Sflorian * @return: 214ae8c6e27Sflorian * sec_status SECURE if the proposition is proven by the NSEC3 RRs, 215ae8c6e27Sflorian * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored, 
216ae8c6e27Sflorian * or if there was no DS in an insecure (i.e., opt-in) way, 217*fed3efa7Sflorian * INDETERMINATE if it was clear that this wasn't a delegation point, 218*fed3efa7Sflorian * UNCHECKED if no more hash calculations are allowed at this point. 219ae8c6e27Sflorian */ 220ae8c6e27Sflorian enum sec_status 221ae8c6e27Sflorian nsec3_prove_nods(struct module_env* env, struct val_env* ve, 222ae8c6e27Sflorian struct ub_packed_rrset_key** list, size_t num, 223ae8c6e27Sflorian struct query_info* qinfo, struct key_entry_key* kkey, char** reason, 224*fed3efa7Sflorian sldns_ede_code* reason_bogus, struct module_qstate* qstate, 225*fed3efa7Sflorian struct nsec3_cache_table* ct); 226ae8c6e27Sflorian 227ae8c6e27Sflorian /** 228ae8c6e27Sflorian * Prove NXDOMAIN or NODATA. 229ae8c6e27Sflorian * 230ae8c6e27Sflorian * @param env: module environment with temporary region and buffer. 231ae8c6e27Sflorian * @param ve: validator environment, with iteration count settings. 232ae8c6e27Sflorian * @param list: array of RRsets, some of which are NSEC3s. 233ae8c6e27Sflorian * @param num: number of RRsets in the array to examine. 234ae8c6e27Sflorian * @param qinfo: query that is verified for. 235ae8c6e27Sflorian * @param kkey: key entry that signed the NSEC3s. 236ae8c6e27Sflorian * @param nodata: output; set to indicate whether NODATA (rather than 237ae8c6e27Sflorian * NXDOMAIN) was proven. Only meaningful when the return value is SECURE. 238*fed3efa7Sflorian * @param ct: cached hashes table. 239*fed3efa7Sflorian * @param calc: in/out count of hash calculations done so far; the proof stops with UNCHECKED once no more are allowed, so the work is bounded. 240ae8c6e27Sflorian * @return: 241ae8c6e27Sflorian * sec_status SECURE if the proposition is proven by the NSEC3 RRs, 242*fed3efa7Sflorian * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored, 243*fed3efa7Sflorian * UNCHECKED if no more hash calculations are allowed at this point. 
244ae8c6e27Sflorian */ 245ae8c6e27Sflorian enum sec_status 246ae8c6e27Sflorian nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve, 247ae8c6e27Sflorian struct ub_packed_rrset_key** list, size_t num, 248*fed3efa7Sflorian struct query_info* qinfo, struct key_entry_key* kkey, int* nodata, 249*fed3efa7Sflorian struct nsec3_cache_table* ct, int* calc); 250ae8c6e27Sflorian 251ae8c6e27Sflorian /** 252ae8c6e27Sflorian * The NSEC3 hash result storage. 253ae8c6e27Sflorian * Consists of an rbtree, with these nodes in it. 254ae8c6e27Sflorian * The nodes detail how a set of parameters (from nsec3 rr) plus 255ae8c6e27Sflorian * a dname result in a hash. 256ae8c6e27Sflorian */ 257ae8c6e27Sflorian struct nsec3_cached_hash { 258ae8c6e27Sflorian /** rbtree node, key is this structure */ 259ae8c6e27Sflorian rbnode_type node; 260ae8c6e27Sflorian /** where are the parameters for conversion, in this rrset data */ 261ae8c6e27Sflorian struct ub_packed_rrset_key* nsec3; 262ae8c6e27Sflorian /** where are the parameters for conversion, this RR number in data */ 263ae8c6e27Sflorian int rr; 264ae8c6e27Sflorian /** the name to convert */ 265ae8c6e27Sflorian uint8_t* dname; 266ae8c6e27Sflorian /** length of the dname */ 267ae8c6e27Sflorian size_t dname_len; 268ae8c6e27Sflorian /** the hash result (not base32 encoded) */ 269ae8c6e27Sflorian uint8_t* hash; 270ae8c6e27Sflorian /** length of hash in bytes */ 271ae8c6e27Sflorian size_t hash_len; 272ae8c6e27Sflorian /** the hash result in base32 encoding */ 273ae8c6e27Sflorian uint8_t* b32; 274ae8c6e27Sflorian /** length of base32 encoding (as a label) */ 275ae8c6e27Sflorian size_t b32_len; 276ae8c6e27Sflorian }; 277ae8c6e27Sflorian 278ae8c6e27Sflorian /** 279ae8c6e27Sflorian * Rbtree for hash cache comparison function. 280ae8c6e27Sflorian * @param c1: key 1. 281ae8c6e27Sflorian * @param c2: key 2. 282ae8c6e27Sflorian * @return: comparison code, -1, 0, 1, of the keys. 
283ae8c6e27Sflorian */ 284ae8c6e27Sflorian int nsec3_hash_cmp(const void* c1, const void* c2); 285ae8c6e27Sflorian 286ae8c6e27Sflorian /** 287*fed3efa7Sflorian * Initialise the NSEC3 cache table. 288*fed3efa7Sflorian * @param ct: the nsec3 cache table. 289*fed3efa7Sflorian * @param region: the region where allocations for the table will happen. 290*fed3efa7Sflorian * @return true on success, false on malloc error. 291*fed3efa7Sflorian */ 292*fed3efa7Sflorian int nsec3_cache_table_init(struct nsec3_cache_table* ct, struct regional* region); 293*fed3efa7Sflorian 294*fed3efa7Sflorian /** 295ae8c6e27Sflorian * Obtain the hash of an owner name. 296ae8c6e27Sflorian * Used internally by the nsec3 proof functions in this file. 297ae8c6e27Sflorian * published to enable unit testing of hash algorithms and cache. 298ae8c6e27Sflorian * 299ae8c6e27Sflorian * @param table: the cache table. Must be initialised at start. 300ae8c6e27Sflorian * @param region: scratch region to use for allocation. 301ae8c6e27Sflorian * This region holds the tree, if you wipe the region, reinit the tree. 302ae8c6e27Sflorian * @param buf: temporary buffer. 303ae8c6e27Sflorian * @param nsec3: the rrset with parameters 304ae8c6e27Sflorian * @param rr: rr number from d that has the NSEC3 parameters to hash to. 305ae8c6e27Sflorian * @param dname: name to hash 306ae8c6e27Sflorian * This pointer is used inside the tree, assumed region-alloced. 307ae8c6e27Sflorian * @param dname_len: the length of the name. 308ae8c6e27Sflorian * @param hash: the hash node is returned on success. 309ae8c6e27Sflorian * @return: 310*fed3efa7Sflorian * 2 on success, hash from cache is returned. 311*fed3efa7Sflorian * 1 on success, newly computed hash is returned. 312ae8c6e27Sflorian * 0 on a malloc failure. 313ae8c6e27Sflorian * -1 if the NSEC3 rr was badly formatted (i.e. formerr). 
314ae8c6e27Sflorian */ 315ae8c6e27Sflorian int nsec3_hash_name(rbtree_type* table, struct regional* region, 316ae8c6e27Sflorian struct sldns_buffer* buf, struct ub_packed_rrset_key* nsec3, int rr, 317ae8c6e27Sflorian uint8_t* dname, size_t dname_len, struct nsec3_cached_hash** hash); 318ae8c6e27Sflorian 319ae8c6e27Sflorian /** 320ae8c6e27Sflorian * Get next owner name, converted to base32 encoding and with the 321ae8c6e27Sflorian * zone name (taken from the nsec3 owner name) appended. 322ae8c6e27Sflorian * @param rrset: the NSEC3 rrset. 323ae8c6e27Sflorian * @param r: the rr num of the nsec3 in the rrset. 324ae8c6e27Sflorian * @param buf: buffer to store name in 325ae8c6e27Sflorian * @param max: size of buffer. 326ae8c6e27Sflorian * @return length of name on success. 0 on failure (buffer too short or 327ae8c6e27Sflorian * badly formatted nsec3 record); the caller must not use buf in that case. 328ae8c6e27Sflorian */ 329ae8c6e27Sflorian size_t nsec3_get_nextowner_b32(struct ub_packed_rrset_key* rrset, int r, 330ae8c6e27Sflorian uint8_t* buf, size_t max); 331ae8c6e27Sflorian 332ae8c6e27Sflorian /** 333ae8c6e27Sflorian * Convert hash into base32 encoding and with the 334ae8c6e27Sflorian * zone name appended. 335ae8c6e27Sflorian * @param hash: hashed buffer 336ae8c6e27Sflorian * @param hashlen: length of hash 337ae8c6e27Sflorian * @param zone: name of zone 338ae8c6e27Sflorian * @param zonelen: length of zonename. 339ae8c6e27Sflorian * @param buf: buffer to store name in 340ae8c6e27Sflorian * @param max: size of buffer. 341ae8c6e27Sflorian * @return length of name on success. 0 on failure (e.g. buffer too short 342ae8c6e27Sflorian * for the encoded hash plus zone name); the caller must not use buf in that case. 343ae8c6e27Sflorian */ 344ae8c6e27Sflorian size_t nsec3_hash_to_b32(uint8_t* hash, size_t hashlen, uint8_t* zone, 345ae8c6e27Sflorian size_t zonelen, uint8_t* buf, size_t max); 346ae8c6e27Sflorian 347ae8c6e27Sflorian /** 348ae8c6e27Sflorian * Get NSEC3 parameters out of rr. 349ae8c6e27Sflorian * @param rrset: the NSEC3 rrset. 
350ae8c6e27Sflorian * @param r: the rr num of the nsec3 in the rrset. 351ae8c6e27Sflorian * @param algo: nsec3 hash algo. 352ae8c6e27Sflorian * @param iter: iteration count. 353ae8c6e27Sflorian * @param salt: ptr to salt inside rdata (points into the rrset data, not a copy). 354ae8c6e27Sflorian * @param saltlen: length of salt. 355ae8c6e27Sflorian * @return 0 if badly formatted, unknown nsec3 hash algo, or unknown flags set; such an NSEC3 must be ignored by callers. 356ae8c6e27Sflorian */ 357ae8c6e27Sflorian int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r, 358ae8c6e27Sflorian int* algo, size_t* iter, uint8_t** salt, size_t* saltlen); 359ae8c6e27Sflorian 360ae8c6e27Sflorian /** 361ae8c6e27Sflorian * Get NSEC3 hashed in a buffer 362ae8c6e27Sflorian * @param buf: buffer for temp use. 363ae8c6e27Sflorian * @param nm: name to hash 364ae8c6e27Sflorian * @param nmlen: length of nm. 365ae8c6e27Sflorian * @param algo: algo to use, must be known. 366ae8c6e27Sflorian * @param iter: iterations; each one costs a hash computation, so callers should check the count against the configured iteration limit before calling (this helper presumably does not -- verify). 367ae8c6e27Sflorian * @param salt: salt for nsec3 368ae8c6e27Sflorian * @param saltlen: length of salt. 369ae8c6e27Sflorian * @param res: result of hash stored here. 370ae8c6e27Sflorian * @param max: maximum space for result. 371ae8c6e27Sflorian * @return 0 on failure, otherwise bytelength stored. 372ae8c6e27Sflorian */ 373ae8c6e27Sflorian size_t nsec3_get_hashed(struct sldns_buffer* buf, uint8_t* nm, size_t nmlen, 374ae8c6e27Sflorian int algo, size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, 375ae8c6e27Sflorian size_t max); 376ae8c6e27Sflorian 377ae8c6e27Sflorian /** 378ae8c6e27Sflorian * see if NSEC3 RR contains given type 379ae8c6e27Sflorian * @param rrset: NSEC3 rrset 380ae8c6e27Sflorian * @param r: RR in rrset 381ae8c6e27Sflorian * @param type: in host order to check bit for. 382ae8c6e27Sflorian * @return true if the type bit is set; false if it is not set or the record is malformed -- the two cases are not distinguishable from the return value. 
383ae8c6e27Sflorian */ 384ae8c6e27Sflorian int nsec3_has_type(struct ub_packed_rrset_key* rrset, int r, uint16_t type); 385ae8c6e27Sflorian 386ae8c6e27Sflorian /** 387ae8c6e27Sflorian * return if nsec3 RR has the optout flag 388ae8c6e27Sflorian * @param rrset: NSEC3 rrset 389ae8c6e27Sflorian * @param r: RR in rrset 390ae8c6e27Sflorian * @return true if optout, false on error or not optout 391ae8c6e27Sflorian */ 392ae8c6e27Sflorian int nsec3_has_optout(struct ub_packed_rrset_key* rrset, int r); 393ae8c6e27Sflorian 394ae8c6e27Sflorian /** 395ae8c6e27Sflorian * Return nsec3 RR next hashed owner name 396ae8c6e27Sflorian * @param rrset: NSEC3 rrset 397ae8c6e27Sflorian * @param r: RR in rrset 398ae8c6e27Sflorian * @param next: ptr into rdata to next owner hash 399ae8c6e27Sflorian * @param nextlen: length of hash. 400ae8c6e27Sflorian * @return false on malformed 401ae8c6e27Sflorian */ 402ae8c6e27Sflorian int nsec3_get_nextowner(struct ub_packed_rrset_key* rrset, int r, 403ae8c6e27Sflorian uint8_t** next, size_t* nextlen); 404ae8c6e27Sflorian 405ae8c6e27Sflorian /** 406ae8c6e27Sflorian * nsec3Covers 407ae8c6e27Sflorian * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record 408ae8c6e27Sflorian * covers the hash. Covers specifically means that the hash is in between 409ae8c6e27Sflorian * the owner and next hashes and does not equal either. 410ae8c6e27Sflorian * 411ae8c6e27Sflorian * @param zone: the zone name. 412ae8c6e27Sflorian * @param hash: the hash of the name 413ae8c6e27Sflorian * @param rrset: the rrset of the NSEC3. 414ae8c6e27Sflorian * @param rr: which rr in the rrset. 415ae8c6e27Sflorian * @param buf: temporary buffer. 416ae8c6e27Sflorian * @return true if covers, false if not. 
417ae8c6e27Sflorian */ 418ae8c6e27Sflorian int nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash, 419ae8c6e27Sflorian struct ub_packed_rrset_key* rrset, int rr, struct sldns_buffer* buf); 420ae8c6e27Sflorian 421ae8c6e27Sflorian #endif /* VALIDATOR_VAL_NSEC3_H */ 422