Diffstat (limited to '')
-rw-r--r-- | external/unbound/validator/validator.h | 294 |
1 files changed, 294 insertions, 0 deletions
diff --git a/external/unbound/validator/validator.h b/external/unbound/validator/validator.h
new file mode 100644
index 000000000..20f806ada
--- /dev/null
+++ b/external/unbound/validator/validator.h
@@ -0,0 +1,294 @@
+/*
+ * validator/validator.h - secure validator DNS query response module
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that performs validation of DNS queries.
+ * According to RFC 4034.
+ */
+
+#ifndef VALIDATOR_VALIDATOR_H
+#define VALIDATOR_VALIDATOR_H
+#include "util/module.h"
+#include "util/data/msgreply.h"
+#include "validator/val_utils.h"
+struct val_anchors;
+struct key_cache;
+struct key_entry_key;
+struct val_neg_cache;
+struct config_strlist;
+
+/**
+ * This is the TTL to use when a trust anchor fails to prime. A trust anchor
+ * will be primed no more often than this interval. Used when harden-
+ * dnssec-stripped is off and the trust anchor fails.
+ */
+#define NULL_KEY_TTL 60 /* seconds */
+
+/**
+ * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
+ * trust the entire zone for that name is blacked out for this TTL.
+ */
+#define BOGUS_KEY_TTL 60 /* seconds */
+
+/** max number of query restarts, number of IPs to probe */
+#define VAL_MAX_RESTART_COUNT 5
+
+/**
+ * Global state for the validator.
+ */
+struct val_env {
+	/** key cache; these are validated keys. trusted keys only
+	 * end up here after being primed. */
+	struct key_cache* kcache;
+
+	/** aggressive negative cache. index into NSECs in rrset cache. */
+	struct val_neg_cache* neg_cache;
+
+	/** for debug testing a fixed validation date can be entered.
+	 * if 0, current time is used for rrsig validation */
+	int32_t date_override;
+
+	/** clock skew min for signatures */
+	int32_t skew_min;
+
+	/** clock skew max for signatures */
+	int32_t skew_max;
+
+	/** TTL for bogus data; used instead of untrusted TTL from data.
+	 * Bogus data will not be verified more often than this interval.
+	 * seconds. */
+	uint32_t bogus_ttl;
+
+	/** If set, the validator should clean the additional section of
+	 * secure messages.
+	 */
+	int clean_additional;
+
+	/**
+	 * If set, the validator will not make messages bogus, instead
+	 * indeterminate is issued, so that no clients receive SERVFAIL.
+	 * This allows an operator to run validation 'shadow' without
+	 * hurting responses to clients.
+	 */
+	int permissive_mode;
+
+	/**
+	 * Number of entries in the NSEC3 maximum iteration count table.
+	 * Keep this table short, and sorted by size
+	 */
+	int nsec3_keyiter_count;
+
+	/**
+	 * NSEC3 maximum iteration count per signing key size.
+	 * This array contains key size values (in increasing order)
+	 */
+	size_t* nsec3_keysize;
+
+	/**
+	 * NSEC3 maximum iteration count per signing key size.
+	 * This array contains the maximum iteration count for the keysize
+	 * in the keysize array.
+	 */
+	size_t* nsec3_maxiter;
+
+	/** lock on bogus counter */
+	lock_basic_t bogus_lock;
+	/** number of times rrsets marked bogus */
+	size_t num_rrset_bogus;
+};
+
+/**
+ * State of the validator for a query.
+ */
+enum val_state {
+	/** initial state for validation */
+	VAL_INIT_STATE = 0,
+	/** find the proper keys for validation, follow trust chain */
+	VAL_FINDKEY_STATE,
+	/** validate the answer, using found key entry */
+	VAL_VALIDATE_STATE,
+	/** finish up */
+	VAL_FINISHED_STATE,
+	/** DLV lookup state, processing DLV queries */
+	VAL_DLVLOOKUP_STATE
+};
+
+/**
+ * Per query state for the validator module.
+ */
+struct val_qstate {
+	/**
+	 * State of the validator module.
+	 */
+	enum val_state state;
+
+	/**
+	 * The original message we have been given to validate.
+	 */
+	struct dns_msg* orig_msg;
+
+	/**
+	 * The query restart count
+	 */
+	int restart_count;
+	/** The blacklist saved for chainoftrust elements */
+	struct sock_list* chain_blacklist;
+
+	/**
+	 * The query name we have chased to; qname after following CNAMEs
+	 */
+	struct query_info qchase;
+
+	/**
+	 * The chased reply, extract from original message. Can be:
+	 * 	o CNAME
+	 * 	o DNAME + CNAME
+	 * 	o answer
+	 * 	plus authority, additional (nsecs) that have same signature.
+	 */
+	struct reply_info* chase_reply;
+
+	/**
+	 * The cname skip value; the number of rrsets that have been skipped
+	 * due to chasing cnames. This is the offset into the
+	 * orig_msg->rep->rrsets array, into the answer section.
+	 * starts at 0 - for the full original message.
+	 * if it is >0 - qchase followed the cname, chase_reply setup to be
+	 * that message and relevant authority rrsets.
+	 *
+	 * The skip is also used for referral messages, where it will
+	 * range from 0, over the answer, authority and additional sections.
+	 */
+	size_t rrset_skip;
+
+	/** trust anchor name */
+	uint8_t* trust_anchor_name;
+	/** trust anchor labels */
+	int trust_anchor_labs;
+	/** trust anchor length */
+	size_t trust_anchor_len;
+
+	/** the DS rrset */
+	struct ub_packed_rrset_key* ds_rrset;
+
+	/** domain name for empty nonterminal detection */
+	uint8_t* empty_DS_name;
+	/** length of empty_DS_name */
+	size_t empty_DS_len;
+
+	/** the current key entry */
+	struct key_entry_key* key_entry;
+
+	/** subtype */
+	enum val_classification subtype;
+
+	/** signer name */
+	uint8_t* signer_name;
+	/** length of signer_name */
+	size_t signer_len;
+
+	/** true if this state is waiting to prime a trust anchor */
+	int wait_prime_ta;
+
+	/** have we already checked the DLV? */
+	int dlv_checked;
+	/** The name for which the DLV is looked up. For the current message
+	 * or for the current RRset (for CNAME, REFERRAL types).
+	 * If there is signer name, that may be it, else a domain name */
+	uint8_t* dlv_lookup_name;
+	/** length of dlv lookup name */
+	size_t dlv_lookup_name_len;
+	/** Name at which chain of trust stopped with insecure, starting DLV
+	 * DLV must result in chain going further down */
+	uint8_t* dlv_insecure_at;
+	/** length of dlv insecure point name */
+	size_t dlv_insecure_at_len;
+	/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
+	enum dlv_status {
+		dlv_error, /* server failure */
+		dlv_success, /* got a DLV */
+		dlv_ask_higher, /* ask again */
+		dlv_there_is_no_dlv /* got no DLV, sure of it */
+	} dlv_status;
+};
+
+/**
+ * Get the validator function block.
+ * @return: function block with function pointers to validator methods.
+ */
+struct module_func_block* val_get_funcblock(void);
+
+/**
+ * Get validator state as a string
+ * @param state: to convert
+ * @return constant string that is printable.
+ */
+const char* val_state_to_string(enum val_state state);
+
+/** validator init */
+int val_init(struct module_env* env, int id);
+
+/** validator deinit */
+void val_deinit(struct module_env* env, int id);
+
+/** validator operate on a query */
+void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
+	struct outbound_entry* outbound);
+
+/**
+ * inform validator super.
+ *
+ * @param qstate: query state that finished.
+ * @param id: module id.
+ * @param super: the qstate to inform.
+ */
+void val_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+
+/** validator cleanup query state */
+void val_clear(struct module_qstate* qstate, int id);
+
+/**
+ * Debug helper routine that assists worker in determining memory in
+ * use.
+ * @param env: module environment
+ * @param id: module id.
+ * @return memory in use in bytes.
+ */
+size_t val_get_mem(struct module_env* env, int id);
+
+#endif /* VALIDATOR_VALIDATOR_H */ |