1 files changed, 294 insertions, 0 deletions

diff --git a/external/unbound/validator/validator.h b/external/unbound/validator/validator.h
new file mode 100644
index 000000000..20f806ada
--- /dev/null
+++ b/external/unbound/validator/validator.h
@@ -0,0 +1,294 @@
+/*
+ * validator/validator.h - secure validator DNS query response module
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that performs validation of DNS queries.
+ * According to RFC 4034.
+ */
+
+#ifndef VALIDATOR_VALIDATOR_H
+#define VALIDATOR_VALIDATOR_H
+#include "util/module.h"
+#include "util/data/msgreply.h"
+#include "validator/val_utils.h"
+struct val_anchors;
+struct key_cache;
+struct key_entry_key;
+struct val_neg_cache;
+struct config_strlist;
+
+/**
+ * This is the TTL to use when a trust anchor fails to prime. A trust anchor
+ * will be primed no more often than this interval.  Used when harden-
+ * dnssec-stripped is off and the trust anchor fails.
+ */
+#define NULL_KEY_TTL	60 /* seconds */
+
+/**
+ * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
+ * trust the entire zone for that name is blacked out for this TTL.
+ */
+#define BOGUS_KEY_TTL	60 /* seconds */
+
+/** max number of query restarts, number of IPs to probe */
+#define VAL_MAX_RESTART_COUNT 5
+
+/**
+ * Global state for the validator. 
+ */
+struct val_env {
+	/** key cache; these are validated keys. trusted keys only
+	 * end up here after being primed. */
+	struct key_cache* kcache;
+
+	/** aggressive negative cache. index into NSECs in rrset cache. */
+	struct val_neg_cache* neg_cache;
+
+	/** for debug testing a fixed validation date can be entered.
+	 * if 0, current time is used for rrsig validation */
+	int32_t date_override;
+
+	/** clock skew min for signatures */
+	int32_t skew_min;
+
+	/** clock skew max for signatures */
+	int32_t skew_max;
+
+	/** TTL for bogus data; used instead of untrusted TTL from data.
+	 * Bogus data will not be verified more often than this interval. 
+	 * seconds. */
+	uint32_t bogus_ttl;
+
+	/** If set, the validator should clean the additional section of
+	 * secure messages.
+	 */
+	int clean_additional;
+
+	/**
+	 * If set, the validator will not make messages bogus, instead
+	 * indeterminate is issued, so that no clients receive SERVFAIL.
+	 * This allows an operator to run validation 'shadow' without
+	 * hurting responses to clients.
+	 */
+	int permissive_mode;
+
+	/**
+	 * Number of entries in the NSEC3 maximum iteration count table.
+	 * Keep this table short, and sorted by size
+	 */
+	int nsec3_keyiter_count;
+
+	/**
+	 * NSEC3 maximum iteration count per signing key size.
+	 * This array contains key size values (in increasing order)
+	 */
+	size_t* nsec3_keysize;
+
+	/**
+	 * NSEC3 maximum iteration count per signing key size.
+	 * This array contains the maximum iteration count for the keysize
+	 * in the keysize array.
+	 */
+	size_t* nsec3_maxiter;
+
+	/** lock on bogus counter */
+	lock_basic_t bogus_lock;
+	/** number of times rrsets marked bogus */
+	size_t num_rrset_bogus;
+};
+
+/**
+ * State of the validator for a query.
+ */
+enum val_state {
+	/** initial state for validation */
+	VAL_INIT_STATE = 0,
+	/** find the proper keys for validation, follow trust chain */
+	VAL_FINDKEY_STATE,
+	/** validate the answer, using found key entry */
+	VAL_VALIDATE_STATE,
+	/** finish up */
+	VAL_FINISHED_STATE,
+	/** DLV lookup state, processing DLV queries */
+	VAL_DLVLOOKUP_STATE
+};
+
+/**
+ * Per query state for the validator module.
+ */
+struct val_qstate {
+	/** 
+	 * State of the validator module.
+	 */
+	enum val_state state;
+
+	/**
+	 * The original message we have been given to validate.
+	 */
+	struct dns_msg* orig_msg;
+
+	/**
+	 * The query restart count
+	 */
+	int restart_count;
+	/** The blacklist saved for chainoftrust elements */
+	struct sock_list* chain_blacklist;
+
+	/**
+	 * The query name we have chased to; qname after following CNAMEs
+	 */
+	struct query_info qchase;
+
+	/**
+	 * The chased reply, extract from original message. Can be:
+	 * 	o CNAME
+	 * 	o DNAME + CNAME
+	 * 	o answer 
+	 * 	plus authority, additional (nsecs) that have same signature.
+	 */
+	struct reply_info* chase_reply;
+
+	/**
+	 * The cname skip value; the number of rrsets that have been skipped
+	 * due to chasing cnames. This is the offset into the 
+	 * orig_msg->rep->rrsets array, into the answer section.
+	 * starts at 0 - for the full original message.
+	 * if it is >0 - qchase followed the cname, chase_reply setup to be
+	 * that message and relevant authority rrsets.
+	 *
+	 * The skip is also used for referral messages, where it will
+	 * range from 0, over the answer, authority and additional sections.
+	 */
+	size_t rrset_skip;
+
+	/** trust anchor name */
+	uint8_t* trust_anchor_name;
+	/** trust anchor labels */
+	int trust_anchor_labs;
+	/** trust anchor length */
+	size_t trust_anchor_len;
+
+	/** the DS rrset */
+	struct ub_packed_rrset_key* ds_rrset;
+
+	/** domain name for empty nonterminal detection */
+	uint8_t* empty_DS_name;
+	/** length of empty_DS_name */
+	size_t empty_DS_len;
+
+	/** the current key entry */
+	struct key_entry_key* key_entry;
+
+	/** subtype */
+	enum val_classification subtype;
+
+	/** signer name */
+	uint8_t* signer_name;
+	/** length of signer_name */
+	size_t signer_len;
+
+	/** true if this state is waiting to prime a trust anchor */
+	int wait_prime_ta;
+
+	/** have we already checked the DLV? */
+	int dlv_checked;
+	/** The name for which the DLV is looked up. For the current message
+	 * or for the current RRset (for CNAME, REFERRAL types).
+	 * If there is signer name, that may be it, else a domain name */
+	uint8_t* dlv_lookup_name;
+	/** length of dlv lookup name */
+	size_t dlv_lookup_name_len;
+	/** Name at which chain of trust stopped with insecure, starting DLV
+	 * DLV must result in chain going further down */
+	uint8_t* dlv_insecure_at;
+	/** length of dlv insecure point name */
+	size_t dlv_insecure_at_len;
+	/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
+	enum dlv_status {
+		dlv_error, /* server failure */
+		dlv_success, /* got a DLV */
+		dlv_ask_higher, /* ask again */
+		dlv_there_is_no_dlv /* got no DLV, sure of it */
+	} dlv_status;
+};
+
+/**
+ * Get the validator function block.
+ * @return: function block with function pointers to validator methods.
+ */
+struct module_func_block* val_get_funcblock(void);
+
+/**
+ * Get validator state as a string
+ * @param state: to convert
+ * @return constant string that is printable.
+ */
+const char* val_state_to_string(enum val_state state);
+
+/** validator init */
+int val_init(struct module_env* env, int id);
+
+/** validator deinit */
+void val_deinit(struct module_env* env, int id);
+
+/** validator operate on a query */
+void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
+        struct outbound_entry* outbound);
+
+/** 
+ * inform validator super.
+ * 
+ * @param qstate: query state that finished.
+ * @param id: module id.
+ * @param super: the qstate to inform.
+ */
+void val_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+
+/** validator cleanup query state */
+void val_clear(struct module_qstate* qstate, int id);
+
+/**
+ * Debug helper routine that assists worker in determining memory in 
+ * use.
+ * @param env: module environment 
+ * @param id: module id.
+ * @return memory in use in bytes.
+ */
+size_t val_get_mem(struct module_env* env, int id);
+
+#endif /* VALIDATOR_VALIDATOR_H */