Diffstat (limited to 'external/unbound/validator/validator.h')
m--------- | external/unbound | 0 | ||||
-rw-r--r-- | external/unbound/validator/validator.h | 294 |
2 files changed, 0 insertions, 294 deletions
diff --git a/external/unbound b/external/unbound
new file mode 160000
+Subproject 193bdc4ee3fe2b0d17e547e86512528c2614483
diff --git a/external/unbound/validator/validator.h b/external/unbound/validator/validator.h
deleted file mode 100644
index 23d307242..000000000
--- a/external/unbound/validator/validator.h
+++ /dev/null
@@ -1,294 +0,0 @@ -/* - * validator/validator.h - secure validator DNS query response module - * - * Copyright (c) 2007, NLnet Labs. All rights reserved. - * - * This software is open source. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of the NLNET LABS nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * This file contains a module that performs validation of DNS queries. - * According to RFC 4034. 
- */ - -#ifndef VALIDATOR_VALIDATOR_H -#define VALIDATOR_VALIDATOR_H -#include "util/module.h" -#include "util/data/msgreply.h" -#include "validator/val_utils.h" -struct val_anchors; -struct key_cache; -struct key_entry_key; -struct val_neg_cache; -struct config_strlist; - -/** - * This is the TTL to use when a trust anchor fails to prime. A trust anchor - * will be primed no more often than this interval. Used when harden- - * dnssec-stripped is off and the trust anchor fails. - */ -#define NULL_KEY_TTL 60 /* seconds */ - -/** - * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of - * trust the entire zone for that name is blacked out for this TTL. - */ -#define BOGUS_KEY_TTL 60 /* seconds */ - -/** max number of query restarts, number of IPs to probe */ -#define VAL_MAX_RESTART_COUNT 5 - -/** - * Global state for the validator. - */ -struct val_env { - /** key cache; these are validated keys. trusted keys only - * end up here after being primed. */ - struct key_cache* kcache; - - /** aggressive negative cache. index into NSECs in rrset cache. */ - struct val_neg_cache* neg_cache; - - /** for debug testing a fixed validation date can be entered. - * if 0, current time is used for rrsig validation */ - int32_t date_override; - - /** clock skew min for signatures */ - int32_t skew_min; - - /** clock skew max for signatures */ - int32_t skew_max; - - /** TTL for bogus data; used instead of untrusted TTL from data. - * Bogus data will not be verified more often than this interval. - * seconds. */ - uint32_t bogus_ttl; - - /** If set, the validator should clean the additional section of - * secure messages. - */ - int clean_additional; - - /** - * If set, the validator will not make messages bogus, instead - * indeterminate is issued, so that no clients receive SERVFAIL. - * This allows an operator to run validation 'shadow' without - * hurting responses to clients. 
- */ - int permissive_mode; - - /** - * Number of entries in the NSEC3 maximum iteration count table. - * Keep this table short, and sorted by size - */ - int nsec3_keyiter_count; - - /** - * NSEC3 maximum iteration count per signing key size. - * This array contains key size values (in increasing order) - */ - size_t* nsec3_keysize; - - /** - * NSEC3 maximum iteration count per signing key size. - * This array contains the maximum iteration count for the keysize - * in the keysize array. - */ - size_t* nsec3_maxiter; - - /** lock on bogus counter */ - lock_basic_type bogus_lock; - /** number of times rrsets marked bogus */ - size_t num_rrset_bogus; -}; - -/** - * State of the validator for a query. - */ -enum val_state { - /** initial state for validation */ - VAL_INIT_STATE = 0, - /** find the proper keys for validation, follow trust chain */ - VAL_FINDKEY_STATE, - /** validate the answer, using found key entry */ - VAL_VALIDATE_STATE, - /** finish up */ - VAL_FINISHED_STATE, - /** DLV lookup state, processing DLV queries */ - VAL_DLVLOOKUP_STATE -}; - -/** - * Per query state for the validator module. - */ -struct val_qstate { - /** - * State of the validator module. - */ - enum val_state state; - - /** - * The original message we have been given to validate. - */ - struct dns_msg* orig_msg; - - /** - * The query restart count - */ - int restart_count; - /** The blacklist saved for chainoftrust elements */ - struct sock_list* chain_blacklist; - - /** - * The query name we have chased to; qname after following CNAMEs - */ - struct query_info qchase; - - /** - * The chased reply, extract from original message. Can be: - * o CNAME - * o DNAME + CNAME - * o answer - * plus authority, additional (nsecs) that have same signature. - */ - struct reply_info* chase_reply; - - /** - * The cname skip value; the number of rrsets that have been skipped - * due to chasing cnames. This is the offset into the - * orig_msg->rep->rrsets array, into the answer section. 
- * starts at 0 - for the full original message. - * if it is >0 - qchase followed the cname, chase_reply setup to be - * that message and relevant authority rrsets. - * - * The skip is also used for referral messages, where it will - * range from 0, over the answer, authority and additional sections. - */ - size_t rrset_skip; - - /** trust anchor name */ - uint8_t* trust_anchor_name; - /** trust anchor labels */ - int trust_anchor_labs; - /** trust anchor length */ - size_t trust_anchor_len; - - /** the DS rrset */ - struct ub_packed_rrset_key* ds_rrset; - - /** domain name for empty nonterminal detection */ - uint8_t* empty_DS_name; - /** length of empty_DS_name */ - size_t empty_DS_len; - - /** the current key entry */ - struct key_entry_key* key_entry; - - /** subtype */ - enum val_classification subtype; - - /** signer name */ - uint8_t* signer_name; - /** length of signer_name */ - size_t signer_len; - - /** true if this state is waiting to prime a trust anchor */ - int wait_prime_ta; - - /** have we already checked the DLV? */ - int dlv_checked; - /** The name for which the DLV is looked up. For the current message - * or for the current RRset (for CNAME, REFERRAL types). - * If there is signer name, that may be it, else a domain name */ - uint8_t* dlv_lookup_name; - /** length of dlv lookup name */ - size_t dlv_lookup_name_len; - /** Name at which chain of trust stopped with insecure, starting DLV - * DLV must result in chain going further down */ - uint8_t* dlv_insecure_at; - /** length of dlv insecure point name */ - size_t dlv_insecure_at_len; - /** status of DLV lookup. Indication to VAL_DLV_STATE what to do */ - enum dlv_status { - dlv_error, /* server failure */ - dlv_success, /* got a DLV */ - dlv_ask_higher, /* ask again */ - dlv_there_is_no_dlv /* got no DLV, sure of it */ - } dlv_status; -}; - -/** - * Get the validator function block. - * @return: function block with function pointers to validator methods. 
- */ -struct module_func_block* val_get_funcblock(void); - -/** - * Get validator state as a string - * @param state: to convert - * @return constant string that is printable. - */ -const char* val_state_to_string(enum val_state state); - -/** validator init */ -int val_init(struct module_env* env, int id); - -/** validator deinit */ -void val_deinit(struct module_env* env, int id); - -/** validator operate on a query */ -void val_operate(struct module_qstate* qstate, enum module_ev event, int id, - struct outbound_entry* outbound); - -/** - * inform validator super. - * - * @param qstate: query state that finished. - * @param id: module id. - * @param super: the qstate to inform. - */ -void val_inform_super(struct module_qstate* qstate, int id, - struct module_qstate* super); - -/** validator cleanup query state */ -void val_clear(struct module_qstate* qstate, int id); - -/** - * Debug helper routine that assists worker in determining memory in - * use. - * @param env: module environment - * @param id: module id. - * @return memory in use in bytes. - */ -size_t val_get_mem(struct module_env* env, int id); - -#endif /* VALIDATOR_VALIDATOR_H */ |