layer/validate: added function searching for RR type in packet

11522457 · Karel Slaný · 89b0a013 · 11522457 · 11522457 · 11522457
Commit 11522457 authored 9 years ago by Karel Slaný
--- a/lib/dnssec/packet/pkt.c
+++ b/lib/dnssec/packet/pkt.c
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#include <libknot/internal/consts.h>
+#include "lib/dnssec/packet/pkt.h"
+/**
+ * Search in section for given type.
+ * @param sec  Packet section.
+ * @param type Type to search for.
+ * @return     True if found.
+ */
+static bool section_has_type(const knot_pktsection_t *sec, uint16_t type)
+{
+	if (!sec) {
+		return false;
+	}
+	for (unsigned i = 0; i < sec->count; ++i) {
+		const knot_rrset_t *rr = knot_pkt_rr(sec, i);
+		if (rr->type == type) {
+			return true;
+		}
+	}
+	return false;
+}
+bool _knot_pkt_has_type(const knot_pkt_t *pkt, uint16_t type)
+{
+	if (!pkt) {
+		return false;
+	}
+	if (section_has_type(knot_pkt_section(pkt, KNOT_ANSWER), type)) {
+		return true;
+	}
+	if (section_has_type(knot_pkt_section(pkt, KNOT_AUTHORITY), type)) {
+		return true;
+	}
+	return section_has_type(knot_pkt_section(pkt, KNOT_ADDITIONAL), type);
+}
--- a/lib/dnssec/packet/pkt.h
+++ b/lib/dnssec/packet/pkt.h
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#pragma once
+#include <libknot/packet/pkt.h>
+/**
+ * Check whether packet contains given type.
+ * @param pkt  Packet to seek through.
+ * @param type RR type to search for.
+ * @return     True if found.
+ */
+bool _knot_pkt_has_type(const knot_pkt_t *pkt, uint16_t type);
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -22,6 +22,7 @@
 #include <libknot/rrtype/rrsig.h>
 #include "lib/dnssec/nsec.h"
+#include "lib/dnssec/packet/pkt.h"
 #include "lib/dnssec/ta.h"
 #include "lib/dnssec.h"
 #include "lib/layer.h"
@@ -186,13 +187,6 @@ static int validate_records(struct kr_query *qry, knot_pkt_t *answer, mm_ctx_t *
 	return ret;
 }
-static int validate_proof(struct kr_query *qry, knot_pkt_t *answer, mm_ctx_t *pool)
-{
-#warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
-	int ret = kr_nsec_existence_denial(answer, KNOT_AUTHORITY, qry->sname, qry->stype, pool);
-	return ret;
-}
 static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer)
 {
 	/* Merge DNSKEY records from answer */
@@ -342,9 +336,16 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 		return KNOT_STATE_FAIL;
 	}
+	bool has_nsec3 = _knot_pkt_has_type(pkt, KNOT_RRTYPE_NSEC3);
 	/* Validate non-existence proof if not positive answer. */
 	if (knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_NXDOMAIN) {
-		ret = validate_proof(qry, pkt, &req->pool);
+#warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
+		if (!has_nsec3) {
+			ret = kr_nsec_existence_denial(pkt, KNOT_AUTHORITY, qry->sname, qry->stype, &req->pool);
+		} else {
+			/* TODO */
+		}
 		if (ret != 0) {
 			DEBUG_MSG("<= bad NXDOMAIN proof\n");
 			qry->flags |= QUERY_DNSSEC_BOGUS;

--- a/lib/lib.mk
+++ b/lib/lib.mk
@@ -12,6 +12,7 @@ libkres_SOURCES := \
 	lib/layer/rrcache.c    \
 	lib/layer/pktcache.c   \
 	lib/dnssec/nsec.c      \
+	lib/dnssec/packet/pkt.c \
 	lib/dnssec/signature.c \
 	lib/dnssec/ta.c        \
 	lib/dnssec.c           \
@@ -30,6 +31,7 @@ libkres_HEADERS := \
 	lib/layer.h            \
 	lib/kayer/rrset/ds.h   \
 	lib/dnssec/nsec.h      \
+	lib/dnssec/packet/pkt.h \
 	lib/dnssec/rrtype/ds.h \
 	lib/dnssec/signature.h \
 	lib/dnssec/ta.h        \