From 26f9ea8942bedf164ae01e325dfb4504e1729c6f Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 11 Sep 2007 18:18:16 +0000
Subject: [PATCH] nsec3 work.

git-svn-id: file:///svn/unbound/trunk@607 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog         |   2 +
 doc/TODO              |   1 +
 validator/val_nsec3.c | 206 ++++++++++++++++++++++++++++++++++++++++++
 validator/val_nsec3.h |  54 +++++++++++
 4 files changed, 263 insertions(+)
 create mode 100644 validator/val_nsec3.c
 create mode 100644 validator/val_nsec3.h

diff --git a/doc/Changelog b/doc/Changelog
index 79aba72d5..da6cb1e78 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,8 @@
 	- fixup to find libevent on mac port install.
 	- fixup size_t vs unsigned portability in validator/sigcrypt.
 	- please compiler on different platforms, for unreachable code.
+	- val_nsec3 file.
+	- pthread_rwlock type is optional, in case of old pthread libs.
 
 5 September 2007: Wouter
 	- cname, name error validator tests.
diff --git a/doc/TODO b/doc/TODO
index e3466917b..2bd365da7 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -44,6 +44,7 @@ o improve compression of DNS packets by first puttig uncompressible rrs, then
 o if one server is not responsive do not spend 75 secs on that server, but
   try other servers with lower rtt.
 o NSID rfc 5001 support.
+o timers rfc 5011 support.
 o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
 o grab ports nonconsequtive and change the set after a while (change within
   a given range). Could be bad for OS if wrong port. unsure if it helps secure.
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
new file mode 100644
index 000000000..830e96215
--- /dev/null
+++ b/validator/val_nsec3.c
@@ -0,0 +1,206 @@
+/*
+ * validator/val_nsec3.c - validator NSEC3 denial of existance functions.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * The functions help with NSEC3 checking, the different NSEC3 proofs
+ * for denial of existance, and proofs for presence of types.
+ */
+#include "config.h"
+#include "validator/val_nsec3.h"
+#include "util/region-allocator.h"
+#include "util/rbtree.h"
+
+/**
+ * The NSEC3 hash result storage.
+ * Consists of an rbtree, with these nodes in it.
+ * The nodes detail how a set of parameters (from nsec3 rr) plus
+ * a dname result in a hash.
+ */
+struct nsec3_cached_hash {
+	/** rbtree node, key is this structure */
+	rbnode_t node;
+	/** where are the parameters for conversion, in this rrset data */
+	struct packed_rrset_data* data;
+	/** where are the parameters for conversion, this RR number in data */
+	size_t rr;
+	/** the name to convert */
+	uint8_t* dname;
+	/** length of the dname */
+	size_t dname_len;
+	/** the hash result (not base32 encoded) */
+	uint8_t* hash;
+	/** length of hash in bytes */
+	size_t hashlen;
+	/** the hash result in base32 encoding */
+	uint8_t* b32;
+	/** length of base32 encoding (as a label) */
+	size_t b32_len;
+};
+
+/**
+ * Closest encloser (ce) proof results
+ * Contains the ce and the next-closer (nc) proof.
+ */
+struct ce_response {
+	/** the closest encloser name */
+	uint8_t* ce;
+	/** length of ce */
+	size_t ce_len;
+	/** NSEC3 record that proved ce. rrset */
+	struct ub_packed_rrset_key* ce_rrset;
+	/** NSEC3 record that proved ce. rr number */
+	size_t ce_rr;
+	/** NSEC3 record that proved nc. rrset */
+	struct ub_packed_rrset_key* nc_rrset;
+	/** NSEC3 record that proved nc. rr*/
+	size_t nc_rr;
+};
+
+/**
+ * Filter conditions for NSEC3 proof
+ */
+struct nsec3_filter {
+	/** Zone name, only NSEC3 records for this zone are considered */
+	uint8_t* zone;
+	/** length of the zonename */
+	size_t zone_len;
+	/** the list of NSEC3s to filter; array */
+	struct ub_packed_rrset_key** list;
+	/** number of rrsets in list */
+	size_t num;
+};
+
+/** 
+ * Iterate through NSEC3 list, per RR 
+ * Start with rrset = list, rrnum = 0.
+ * End when rrset becomes NULL.
+ * This routine gives the next RR in the list (or sets rrset null).
+ * 
+ * Also filters out 
+ * 	o unknown flag NSEC3s
+ * 	o unknown algorithm NSEC3s.
+ * @param filter: nsec3 filter structure.
+ * @param rrset: in/out rrset to look at.
+ * @param rrnum: in/out rr number in rrset to look at.
+ */
+static void
+filter_next(struct nsec3_filter* filter, struct ub_packed_rrset_key** rrset,
+	size_t rrnum)
+{
+}
+
+/** 
+ * Initialize the filter structure.
+ * Finds the zone by looking at available NSEC3 records and best match.
+ * 	(skips the unknown flag and unknown algo NSEC3s).
+ *
+ * @param filter: nsec3 filter structure.
+ * @param list: list of rrsets.
+ * @param num: number of rrsets in list.
+ * @param qtype: query type (if DS a higher zone must be chosen)
+ */
+static void
+filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key* list,
+	size_t num, uint16_t qtype)
+{
+}
+
+/** 
+ * Determine if any of the NSEC3 rrs iteration count is too high, from key.
+ * @param ve: validator environment with iteration count config settings.
+ * @param filter: what NSEC3s to loop over.
+ * @param kkey: key entry used for verification; used for iteration counts.
+ * @return 0 if some nsec3s are above the max iteration count.
+ */
+
+/** perform hash of name */
+
+/** nsec3_cache_compare for rbtree */
+
+/**
+ * Obtain the hash of an owner name.
+ * @param table: the cache table.
+ * @param region: scratch region to use for allocation.
+ * @param d: the rrset data
+ * @param rr: rr number from d that has the NSEC3 parameters to hash to.
+ * @param dname: name to hash
+ * @param dname_len: the length of the name.
+ * @param hash: the hash node is returned on success.
+ * @return:
+ * 	1 on success, either from cache or newly hashed hash is returned.
+ * 	0 on a malloc failure.
+ * 	-1 if the NSEC3 rr was badly formatted (i.e. formerr).
+ */
+static int
+nsec3_hash_name(rbtree_t* table, struct region* region, 
+	struct packed_rrset_data* data, size_t rr, uint8_t* dname, 
+	size_t dname_len, struct nsec3_cached_hash** hash)
+{
+}
+
+/**
+ * Find matching NSEC3
+ * Find the NSEC3Record that matches a hash of a name.
+ */
+
+/**
+ * nsec3Covers
+ * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record
+ * covers the hash. Covers specifically means that the hash is in between
+ * the owner and next hashes and does not equal either.
+ */
+
+/**
+ * findCoveringNSEC3
+ * Given a pre-hashed name, find a covering NSEC3 from among a list of
+ * NSEC3s.
+ */
+
+/**
+ * findClosestEncloser
+ * Given a name and a list of NSEC3s, find the candidate closest encloser.
+ * This will be the first ancestor of 'name' (including itself) to have a
+ * matching NSEC3 RR.
+ */
+
+/**
+ * proveClosestEncloser
+ * Given a List of nsec3 RRs, find and prove the closest encloser to qname.
+ */
+
+
diff --git a/validator/val_nsec3.h b/validator/val_nsec3.h
new file mode 100644
index 000000000..8f1b52ec9
--- /dev/null
+++ b/validator/val_nsec3.h
@@ -0,0 +1,54 @@
+/*
+ * validator/val_nsec3.h - validator NSEC3 denial of existance functions.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * The functions help with NSEC3 checking, the different NSEC3 proofs
+ * for denial of existance, and proofs for presence of types.
+ */
+
+#ifndef VALIDATOR_VAL_NSEC3_H
+#define VALIDATOR_VAL_NSEC3_H
+struct val_env;
+struct module_env;
+struct ub_packed_rrset_key;
+enum sec_status;
+struct reply_info;
+struct query_info;
+struct key_entry_key;
+
+#endif /* VALIDATOR_VAL_NSEC3_H */
-- 
2.47.2