unbound/validator/val_nsec3.c


/*
* validator/val_nsec3.c - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking: the different NSEC3 proofs
* for denial of existence (name does not exist, type does not exist,
* wildcard proofs) and proofs for the presence of types.
*/
#include "config.h"
#include "validator/val_nsec3.h"
#include "util/region-allocator.h"
#include "util/rbtree.h"
/**
 * The NSEC3 hash result storage.
 * Consists of an rbtree, with these nodes in it.
 * Each node records how one set of NSEC3 parameters (taken from a
 * particular NSEC3 RR inside an rrset) applied to one dname produced a
 * hash, so the iterated hash is computed once and then looked up.
 *
 * NOTE(review): the node refers to the rrset data by raw pointer; the
 * cache must not outlive the rrsets it refers to, otherwise `data`
 * dangles — confirm the lifetime of the table against the scratch
 * region used by nsec3_hash_name.
 */
struct nsec3_cached_hash {
	/** rbtree node, key is this structure */
	rbnode_t node;
	/** where are the parameters for conversion, in this rrset data */
	struct packed_rrset_data* data;
	/** where are the parameters for conversion, this RR number in data */
	size_t rr;
	/** the name to convert (wire format, not copied here; see dname_len) */
	uint8_t* dname;
	/** length of the dname in bytes */
	size_t dname_len;
	/** the hash result (raw bytes, not base32 encoded) */
	uint8_t* hash;
	/** length of hash in bytes */
	size_t hashlen;
	/** the hash result in base32 encoding; presumably the form compared
	 * against NSEC3 owner-name labels — confirm in the lookup code */
	uint8_t* b32;
	/** length of base32 encoding (as a label) */
	size_t b32_len;
};
/**
 * Closest encloser (ce) proof results
 * Contains the ce and the next-closer (nc) proof.
 * A closest encloser proof consists of two parts: an NSEC3 that matches
 * the hash of the closest encloser, and an NSEC3 that covers the hash of
 * the next-closer name. Both the rrset and the RR number within it are
 * kept for each part, so the caller can go back to the exact RR that
 * carried the proof (presumably to inspect its flags and type bitmap —
 * confirm against the callers).
 */
struct ce_response {
	/** the closest encloser name */
	uint8_t* ce;
	/** length of ce */
	size_t ce_len;
	/** NSEC3 record that proved ce. rrset */
	struct ub_packed_rrset_key* ce_rrset;
	/** NSEC3 record that proved ce. rr number */
	size_t ce_rr;
	/** NSEC3 record that proved nc. rrset */
	struct ub_packed_rrset_key* nc_rrset;
	/** NSEC3 record that proved nc. rr*/
	size_t nc_rr;
};
/**
 * Filter conditions for NSEC3 proof
 * Selects which NSEC3 RRs out of a response may take part in a proof.
 * Restricting to a single zone matters for security: an NSEC3 from some
 * other zone says nothing about names in this zone and must not be
 * allowed to act as proof here.
 */
struct nsec3_filter {
	/** Zone name, only NSEC3 records for this zone are considered */
	uint8_t* zone;
	/** length of the zonename */
	size_t zone_len;
	/** the list of NSEC3s to filter; array of rrset pointers */
	struct ub_packed_rrset_key** list;
	/** number of rrsets in list */
	size_t num;
};
/**
 * Iterate through NSEC3 list, per RR
 * Start with rrset = list, rrnum = 0.
 * End when rrset becomes NULL.
 * This routine gives the next RR in the list (or sets rrset null).
 *
 * Also filters out
 * o unknown flag NSEC3s
 * o unknown algorithm NSEC3s.
 * (RFC 5155 requires NSEC3 RRs with unknown flags or an unknown hash
 * algorithm to be ignored; they carry no usable proof, and skipping them
 * is what lets the rest of the response still be evaluated.)
 *
 * NOTE(review): the body is empty in this revision, and the signature
 * cannot support the documented in/out rrnum: rrnum is passed by value,
 * so the caller's RR number can never be advanced. It would need to be
 * a pointer (like rrset) — confirm against the callers once they exist.
 * @param filter: nsec3 filter structure.
 * @param rrset: in/out rrset to look at.
 * @param rrnum: in/out rr number in rrset to look at.
 */
static void
filter_next(struct nsec3_filter* filter, struct ub_packed_rrset_key** rrset,
	size_t rrnum)
{
}
/**
 * Initialize the filter structure.
 * Finds the zone by looking at available NSEC3 records and best match.
 * (skips the unknown flag and unknown algo NSEC3s).
 *
 * NOTE(review): the body is empty in this revision. Also, `list` is
 * declared here as a single rrset pointer, whereas nsec3_filter.list is
 * an array of rrset pointers (struct ub_packed_rrset_key**); one of the
 * two must change before this can be implemented — confirm which the
 * callers pass.
 * @param filter: nsec3 filter structure.
 * @param list: list of rrsets.
 * @param num: number of rrsets in list.
 * @param qtype: query type (if DS a higher zone must be chosen, because
 *	the DS RRset for a name lives in the parent zone, not in the zone
 *	named by qname)
 */
static void
filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key* list,
	size_t num, uint16_t qtype)
{
}
/**
 * Determine if any of the NSEC3 rrs iteration count is too high, from key.
 * (Documentation only in this revision: the function it describes is not
 * defined here yet.) The iteration limit is derived from the size of the
 * key that signed the zone; it bounds the hashing work a response can
 * force on the validator, and an NSEC3 above the limit must not be relied
 * on as proof.
 * @param ve: validator environment with iteration count config settings.
 * @param filter: what NSEC3s to loop over.
 * @param kkey: key entry used for verification; used for iteration counts.
 * @return 0 if some nsec3s are above the max iteration count.
 */
/** perform hash of name */
/** nsec3_cache_compare for rbtree */
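/**
 * Obtain the hash of an owner name.
 * Looks the (data, rr, dname) combination up in the cache table and,
 * on a miss, hashes the name with the NSEC3 parameters from that RR and
 * stores the result. Not implemented in this revision: the function
 * unconditionally reports failure so that no caller can mistake an
 * absent hash for a successful lookup (a denial-of-existence proof must
 * fail closed).
 * @param table: the cache table.
 * @param region: scratch region to use for allocation.
 * @param d: the rrset data
 * @param rr: rr number from d that has the NSEC3 parameters to hash to.
 * @param dname: name to hash
 * @param dname_len: the length of the name.
 * @param hash: the hash node is returned on success; set to NULL on
 *	failure (when the pointer itself is non-NULL).
 * @return:
 *	1 on success, either from cache or newly hashed hash is returned.
 *	0 on a malloc failure (also the unconditional result while the
 *	  function is unimplemented).
 *	-1 if the NSEC3 rr was badly formatted (i.e. formerr).
 */
static int
nsec3_hash_name(rbtree_t* table, struct region* region,
	struct packed_rrset_data* data, size_t rr, uint8_t* dname,
	size_t dname_len, struct nsec3_cached_hash** hash)
{
	/* TODO: cache lookup and NSEC3 hashing are not written yet.
	 * Until then fail closed: a non-void function without a return
	 * statement is undefined behaviour once the caller uses the value,
	 * and a validator must never report a hash it did not compute. */
	(void)table;
	(void)region;
	(void)data;
	(void)rr;
	(void)dname;
	(void)dname_len;
	if(hash)
		*hash = NULL;
	return 0;
}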
/**
* Find matching NSEC3
* Find the NSEC3Record that matches a hash of a name.
*/
/**
 * nsec3Covers
 * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record
 * covers the hash. Covers specifically means that the hash is in between
 * the owner and next hashes and does not equal either. The NSEC3 chain
 * wraps around: the last NSEC3 of a zone has a next hash that is smaller
 * than its owner hash, and then it covers every hash above the owner hash
 * and every hash below the next hash; a covering check must handle that
 * case or the names hashing to the top and bottom of the space can never
 * be denied.
 */
/**
* findCoveringNSEC3
* Given a pre-hashed name, find a covering NSEC3 from among a list of
* NSEC3s.
*/
/**
* findClosestEncloser
* Given a name and a list of NSEC3s, find the candidate closest encloser.
* This will be the first ancestor of 'name' (including itself) to have a
* matching NSEC3 RR.
*/
/**
 * proveClosestEncloser
 * Given a List of nsec3 RRs, find the candidate closest encloser of qname
 * and prove it: an NSEC3 that matches the closest encloser, together with
 * an NSEC3 that covers the next-closer name (see struct ce_response).
 */