|
Electroneum
|

Go to the source code of this file.
Classes | |
| struct | nsec3_cached_hash |
Macros | |
| #define | NSEC3_OPTOUT 0x01 |
| #define | NSEC3_UNKNOWN_FLAGS 0xFE |
| #define | NSEC3_HASH_SHA1 0x01 |
Functions | |
| enum sec_status | nsec3_prove_nameerror (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key **list, size_t num, struct query_info *qinfo, struct key_entry_key *kkey) |
| enum sec_status | nsec3_prove_nodata (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key **list, size_t num, struct query_info *qinfo, struct key_entry_key *kkey) |
| enum sec_status | nsec3_prove_wildcard (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key **list, size_t num, struct query_info *qinfo, struct key_entry_key *kkey, uint8_t *wc) |
| enum sec_status | nsec3_prove_nods (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key **list, size_t num, struct query_info *qinfo, struct key_entry_key *kkey, char **reason, struct module_qstate *qstate) |
| enum sec_status | nsec3_prove_nxornodata (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key **list, size_t num, struct query_info *qinfo, struct key_entry_key *kkey, int *nodata) |
| int | nsec3_hash_cmp (const void *c1, const void *c2) |
| int | nsec3_hash_name (rbtree_type *table, struct regional *region, struct sldns_buffer *buf, struct ub_packed_rrset_key *nsec3, int rr, uint8_t *dname, size_t dname_len, struct nsec3_cached_hash **hash) |
| size_t | nsec3_get_nextowner_b32 (struct ub_packed_rrset_key *rrset, int r, uint8_t *buf, size_t max) |
| size_t | nsec3_hash_to_b32 (uint8_t *hash, size_t hashlen, uint8_t *zone, size_t zonelen, uint8_t *buf, size_t max) |
| int | nsec3_get_params (struct ub_packed_rrset_key *rrset, int r, int *algo, size_t *iter, uint8_t **salt, size_t *saltlen) |
| size_t | nsec3_get_hashed (struct sldns_buffer *buf, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen, uint8_t *res, size_t max) |
| int | nsec3_has_type (struct ub_packed_rrset_key *rrset, int r, uint16_t type) |
| int | nsec3_has_optout (struct ub_packed_rrset_key *rrset, int r) |
| int | nsec3_get_nextowner (struct ub_packed_rrset_key *rrset, int r, uint8_t **next, size_t *nextlen) |
| int | nsec3_covers (uint8_t *zone, struct nsec3_cached_hash *hash, struct ub_packed_rrset_key *rrset, int rr, struct sldns_buffer *buf) |
This file contains helper functions for the validator module. The functions help with NSEC3 checking, the different NSEC3 proofs for denial of existence, and proofs for presence of types.
NSEC3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash Alg. | Flags | Iterations | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Salt Length | Salt / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash Length | Next Hashed Owner Name / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / Type Bit Maps / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NSEC3PARAM 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash Alg. | Flags | Iterations | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Salt Length | Salt / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Definition in file val_nsec3.h.
| #define NSEC3_HASH_SHA1 0x01 |
The SHA1 hash algorithm for NSEC3
Definition at line 98 of file val_nsec3.h.
| #define NSEC3_OPTOUT 0x01 |
0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | |O| +-+-+-+-+-+-+-+-+ The OPT-OUT bit in the NSEC3 flags field. If enabled, there can be zero or more unsigned delegations in the span. If disabled, there are zero unsigned delegations in the span.
Definition at line 90 of file val_nsec3.h.
| #define NSEC3_UNKNOWN_FLAGS 0xFE |
The unknown flags in the NSEC3 flags field. They must be zero, or the NSEC3 is ignored.
Definition at line 95 of file val_nsec3.h.
| int nsec3_covers | ( | uint8_t * | zone, |
| struct nsec3_cached_hash * | hash, | ||
| struct ub_packed_rrset_key * | rrset, | ||
| int | rr, | ||
| struct sldns_buffer * | buf | ||
| ) |
nsec3Covers Given a hash and a candidate NSEC3Record, determine if that NSEC3Record covers the hash. Covers specifically means that the hash is in between the owner and next hashes and does not equal either.
| zone | the zone name. |
| hash | the hash of the name |
| rrset | the rrset of the NSEC3. |
| rr | which rr in the rrset. |
| buf | temporary buffer. |
| size_t nsec3_get_hashed | ( | struct sldns_buffer * | buf, |
| uint8_t * | nm, | ||
| size_t | nmlen, | ||
| int | algo, | ||
| size_t | iter, | ||
| uint8_t * | salt, | ||
| size_t | saltlen, | ||
| uint8_t * | res, | ||
| size_t | max | ||
| ) |
Get NSEC3 hashed in a buffer
| buf | buffer for temp use. |
| nm | name to hash |
| nmlen | length of nm. |
| algo | algo to use, must be known. |
| iter | iterations |
| salt | salt for nsec3 |
| saltlen | length of salt. |
| res | result of hash stored here. |
| max | maximum space for result. |
| int nsec3_get_nextowner | ( | struct ub_packed_rrset_key * | rrset, |
| int | r, | ||
| uint8_t ** | next, | ||
| size_t * | nextlen | ||
| ) |
Return nsec3 RR next hashed owner name
| rrset | NSEC3 rrset |
| r | RR in rrset |
| next | ptr into rdata to next owner hash |
| nextlen | length of hash. |
| size_t nsec3_get_nextowner_b32 | ( | struct ub_packed_rrset_key * | rrset, |
| int | r, | ||
| uint8_t * | buf, | ||
| size_t | max | ||
| ) |
Get next owner name, converted to base32 encoding and with the zone name (taken from the nsec3 owner name) appended.
| rrset | the NSEC3 rrset. |
| r | the rr num of the nsec3 in the rrset. |
| buf | buffer to store name in |
| max | size of buffer. |
| int nsec3_get_params | ( | struct ub_packed_rrset_key * | rrset, |
| int | r, | ||
| int * | algo, | ||
| size_t * | iter, | ||
| uint8_t ** | salt, | ||
| size_t * | saltlen | ||
| ) |
Get NSEC3 parameters out of rr.
| rrset | the NSEC3 rrset. |
| r | the rr num of the nsec3 in the rrset. |
| algo | nsec3 hash algo. |
| iter | iteration count. |
| salt | ptr to salt inside rdata. |
| saltlen | length of salt. |
| int nsec3_has_optout | ( | struct ub_packed_rrset_key * | rrset, |
| int | r | ||
| ) |
return if nsec3 RR has the optout flag
| rrset | NSEC3 rrset |
| r | RR in rrset |
| int nsec3_has_type | ( | struct ub_packed_rrset_key * | rrset, |
| int | r, | ||
| uint16_t | type | ||
| ) |
see if NSEC3 RR contains given type
| rrset | NSEC3 rrset |
| r | RR in rrset |
| type | in host order to check bit for. |
| int nsec3_hash_cmp | ( | const void * | c1, |
| const void * | c2 | ||
| ) |
Rbtree for hash cache comparison function.
| c1 | key 1. |
| c2 | key 2. |
| int nsec3_hash_name | ( | rbtree_type * | table, |
| struct regional * | region, | ||
| struct sldns_buffer * | buf, | ||
| struct ub_packed_rrset_key * | nsec3, | ||
| int | rr, | ||
| uint8_t * | dname, | ||
| size_t | dname_len, | ||
| struct nsec3_cached_hash ** | hash | ||
| ) |
Obtain the hash of an owner name. Used internally by the nsec3 proof functions in this file. published to enable unit testing of hash algorithms and cache.
| table | the cache table. Must be initialised at start. |
| region | scratch region to use for allocation. This region holds the tree, if you wipe the region, reinit the tree. |
| buf | temporary buffer. |
| nsec3 | the rrset with parameters |
| rr | rr number from d that has the NSEC3 parameters to hash to. |
| dname | name to hash This pointer is used inside the tree, assumed region-alloced. |
| dname_len | the length of the name. |
| hash | the hash node is returned on success. |
| size_t nsec3_hash_to_b32 | ( | uint8_t * | hash, |
| size_t | hashlen, | ||
| uint8_t * | zone, | ||
| size_t | zonelen, | ||
| uint8_t * | buf, | ||
| size_t | max | ||
| ) |
Convert hash into base32 encoding and with the zone name appended.
| hash | hashed buffer |
| hashlen | length of hash |
| zone | name of zone |
| zonelen | length of zonename. |
| buf | buffer to store name in |
| max | size of buffer. |
| enum sec_status nsec3_prove_nameerror | ( | struct module_env * | env, |
| struct val_env * | ve, | ||
| struct ub_packed_rrset_key ** | list, | ||
| size_t | num, | ||
| struct query_info * | qinfo, | ||
| struct key_entry_key * | kkey | ||
| ) |
Determine if the set of NSEC3 records provided with a response prove NAME ERROR. This means that the NSEC3s prove a) the closest encloser exists, b) the direct child of the closest encloser towards qname doesn't exist, and c) *.closest encloser does not exist.
| env | module environment with temporary region and buffer. |
| ve | validator environment, with iteration count settings. |
| list | array of RRsets, some of which are NSEC3s. |
| num | number of RRsets in the array to examine. |
| qinfo | query that is verified for. |
| kkey | key entry that signed the NSEC3s. |
| enum sec_status nsec3_prove_nodata | ( | struct module_env * | env, |
| struct val_env * | ve, | ||
| struct ub_packed_rrset_key ** | list, | ||
| size_t | num, | ||
| struct query_info * | qinfo, | ||
| struct key_entry_key * | kkey | ||
| ) |
Determine if the NSEC3s provided in a response prove the NOERROR/NODATA status. There are a number of different variants to this:
1) Normal NODATA – qname is matched to an NSEC3 record, type is not present.
2) ENT NODATA – because there must be NSEC3 record for empty-non-terminals, this is the same as #1.
3) NSEC3 ownername NODATA – qname matched an existing, lone NSEC3 ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no longer exists.
4) Wildcard NODATA – A wildcard matched the name, but not the type.
5) Opt-In DS NODATA – the qname is covered by an opt-in span and qtype == DS. (or maybe some future record with the same parent-side-only property)
| env | module environment with temporary region and buffer. |
| ve | validator environment, with iteration count settings. |
| list | array of RRsets, some of which are NSEC3s. |
| num | number of RRsets in the array to examine. |
| qinfo | query that is verified for. |
| kkey | key entry that signed the NSEC3s. |
| enum sec_status nsec3_prove_nods | ( | struct module_env * | env, |
| struct val_env * | ve, | ||
| struct ub_packed_rrset_key ** | list, | ||
| size_t | num, | ||
| struct query_info * | qinfo, | ||
| struct key_entry_key * | kkey, | ||
| char ** | reason, | ||
| struct module_qstate * | qstate | ||
| ) |
Prove that a DS response either had no DS, or wasn't a delegation point.
Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
| env | module environment with temporary region and buffer. |
| ve | validator environment, with iteration count settings. |
| list | array of RRsets, some of which are NSEC3s. |
| num | number of RRsets in the array to examine. |
| qinfo | query that is verified for. |
| kkey | key entry that signed the NSEC3s. |
| reason | string for bogus result. |
| qstate | qstate with region. |
| enum sec_status nsec3_prove_nxornodata | ( | struct module_env * | env, |
| struct val_env * | ve, | ||
| struct ub_packed_rrset_key ** | list, | ||
| size_t | num, | ||
| struct query_info * | qinfo, | ||
| struct key_entry_key * | kkey, | ||
| int * | nodata | ||
| ) |
Prove NXDOMAIN or NODATA.
| env | module environment with temporary region and buffer. |
| ve | validator environment, with iteration count settings. |
| list | array of RRsets, some of which are NSEC3s. |
| num | number of RRsets in the array to examine. |
| qinfo | query that is verified for. |
| kkey | key entry that signed the NSEC3s. |
| nodata | if return value is secure, this indicates if nodata or nxdomain was proven. |
| enum sec_status nsec3_prove_wildcard | ( | struct module_env * | env, |
| struct val_env * | ve, | ||
| struct ub_packed_rrset_key ** | list, | ||
| size_t | num, | ||
| struct query_info * | qinfo, | ||
| struct key_entry_key * | kkey, | ||
| uint8_t * | wc | ||
| ) |
Prove that a positive wildcard match was appropriate (no direct match RRset).
| env | module environment with temporary region and buffer. |
| ve | validator environment, with iteration count settings. |
| list | array of RRsets, some of which are NSEC3s. |
| num | number of RRsets in the array to examine. |
| qinfo | query that is verified for. |
| kkey | key entry that signed the NSEC3s. |
| wc | The purported wildcard that matched. This is the wildcard name as *.wildcard.name., with the *. label already removed. |