layer/validate: moved NSEC wildcard response check to nsec.c

lib/dnssec.c

@@ -144,45 +144,6 @@ static int wildcard_radix_len_diff(const knot_dname_t *expanded,
 	return knot_dname_labels(expanded, NULL) - knot_rrsig_labels(&rrsigs->rrs, sig_pos);
 }
 
-/**
- * Validates the non-existence of closer/exact match.
- * @param pkt        Packet to be validated.
- * @param section_id Section to work with.
- * @param name       The name to be checked.
- * @return           0 or error code.
- */
-static int closer_match_nonexistence_validate(const knot_pkt_t *pkt, knot_section_t section_id,
-                                              const knot_dname_t *name)
-{
-	if (!pkt || !name) {
-		return kr_error(EINVAL);
-	}
-
-	/* Signatures are checked elsewhere. */
-
-	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
-	if (!sec) {
-		return kr_error(EINVAL);
-	}
-	for (unsigned i = 0; i < sec->count; ++i) {
-		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
-		if ((rrset->type != KNOT_RRTYPE_NSEC) &&
-		    (rrset->type != KNOT_RRTYPE_NSEC3)) {
-			continue;
-		}
-		if (rrset->type == KNOT_RRTYPE_NSEC) {
-			if (kr_nsec_nomatch_validate(rrset, name) == 0) {
-				return kr_ok();
-			}
-		} else {
-#warning TODO: NSEC3 currently not supported
-			return kr_error(ENOSYS);
-		}
-	}
-
-	return kr_error(EINVAL);
-}
-
 int kr_rrset_validate(const knot_pkt_t *pkt, knot_section_t section_id,
                       const knot_rrset_t *covered, const knot_rrset_t *keys,
                       const knot_dname_t *zone_name, uint32_t timestamp)
@@ -246,7 +207,7 @@ int kr_rrset_validate_with_key(const knot_pkt_t *pkt, knot_section_t section_id,
 				continue;
 			}
 			if (val_flgs & FLG_WILDCARD_EXPANSION) {
-				if (closer_match_nonexistence_validate(pkt, KNOT_AUTHORITY, covered->owner) != 0) {
+				if (kr_nsec_wildcard_answer_response_check(pkt, KNOT_AUTHORITY, covered->owner) != 0) {
 					continue;
 				}
 			}

lib/dnssec/nsec.c

@@ -54,18 +54,24 @@ bool kr_nsec_bitmap_contains_type(const uint8_t *bm, uint16_t bm_size, uint16_t
 	return false;
 }
 
-int kr_nsec_nomatch_validate(const knot_rrset_t *nsec, const knot_dname_t *name)
+/**
+ * Check whether the NSEC RR proves that there is no closer match for <SNAME, SCLASS>.
+ * @param nsec  NSEC RRSet.
+ * @param sname Searched name.
+ * @return      0 or error code.
+ */
+static int nsec_nonamematch(const knot_rrset_t *nsec, const knot_dname_t *sname)
 {
+	assert(nsec && sname);
+
 	const knot_dname_t *next = knot_nsec_next(&nsec->rrs);
 
-	if ((knot_dname_cmp(nsec->owner, name) < 0) &&
-	    (knot_dname_cmp(name, next) < 0)) {
+	if ((knot_dname_cmp(nsec->owner, sname) < 0) &&
+	    (knot_dname_cmp(sname, next) < 0)) {
 		return kr_ok();
 	} else {
 		return kr_error(EINVAL);
 	}
-
-#warning TODO: Is an additional request for NSEC name or wildcard necessary?
 }
 
 #define FLG_NOEXIST_RRTYPE 0x01 /**< <SNAME, SCLASS> exists, <SNAME, SCLASS, STYPE> does not exist. */
@@ -95,7 +101,7 @@ static int name_error_response_check_rr(int *flags, const knot_rrset_t *nsec,
 {
 	assert(flags && nsec && name);
 
-	if (kr_nsec_nomatch_validate(nsec, name) == 0) {
+	if (nsec_nonamematch(nsec, name) == 0) {
 		*flags |= FLG_NOEXIST_RRSET;
 	}
 
@@ -110,7 +116,7 @@ static int name_error_response_check_rr(int *flags, const knot_rrset_t *nsec,
 		*(--ptr) = '*';
 		*(--ptr) = 1;
 
-		if (kr_nsec_nomatch_validate(nsec, ptr) == 0) {
+		if (nsec_nonamematch(nsec, ptr) == 0) {
 			*flags |= FLG_NOEXIST_WILDCARD;
 			break;
 		}
@@ -279,7 +285,7 @@ static int wildcard_no_data_response_check(int *flags, const knot_rrset_t *nsec,
 {
 	assert(flags && nsec && name);
 
-	if (kr_nsec_nomatch_validate(nsec, name) == 0) {
+	if (nsec_nonamematch(nsec, name) == 0) {
 		*flags |= FLG_NOEXIST_RRSET;
 	}
 
@@ -326,7 +332,27 @@ int kr_nsec_wildcard_no_data_response_check(const knot_pkt_t *pkt, knot_section_
 	}
 
 	return ((flags & FLG_NOEXIST_RRSET) && (flags & FLG_NOEXIST_CLOSER)) ? kr_ok() : kr_error(ENOENT);
-	/* TODO */
+}
+
+int kr_nsec_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                           const knot_dname_t *sname)
+{
+	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
+	if (!sec || !sname) {
+		return kr_error(EINVAL);
+	}
+
+	for (unsigned i = 0; i < sec->count; ++i) {
+		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
+		if (rrset->type != KNOT_RRTYPE_NSEC) {
+			continue;
+		}
+		if (nsec_nonamematch(rrset, sname) == 0) {
+			return kr_ok();
+		}
+	}
+
+	return kr_error(ENOENT);
 }
 
 int kr_nsec_existence_denial(const knot_pkt_t *pkt, knot_section_t section_id,

lib/dnssec/nsec.h

@@ -29,15 +29,6 @@
  */
 bool kr_nsec_bitmap_contains_type(const uint8_t *bm, uint16_t bm_size, uint16_t type);
 
-/**
- * Check the non-existence of an exact/closer match according to RFC4035 5.4, bullet 2.
- * @note No signatures are checked.
- * @param nsec NSEC RRSet containing a single record.
- * @param name Domain name checked against the NSEC record.
- * @return     0 or error code.
- */
-//int kr_nsec_nomatch_validate(const knot_rrset_t *nsec, const knot_dname_t *name);
-
 /**
  * Name error response check (RFC4035 3.1.3.2; RFC4035 5.4, bullet 2).
  * @note No RRSIGs are validated.
@@ -72,6 +63,17 @@ int kr_nsec_no_data_response_check(const knot_pkt_t *pkt, knot_section_t section
 int kr_nsec_wildcard_no_data_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
                                             const knot_dname_t *sname, uint16_t stype);
 
+/**
+ * Wildcard answer response check (RFC4035 3.1.3.3).
+ *
+ * @param pkt        Packet structure to be processed.
+ * @param section_id Packet section to be processed.
+ * @param sname      Name to be checked.
+ * @return           0 or error code.
+ */
+int kr_nsec_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                           const knot_dname_t *sname);
+
 /**
  * Authenticated denial of existence according to RFC4035 5.4.
  * @note No RRSIGs are validated.