aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/validator/validator.h
diff options
context:
space:
mode:
Diffstat (limited to 'external/unbound/validator/validator.h')
-rw-r--r--external/unbound/validator/validator.h294
1 files changed, 0 insertions, 294 deletions
diff --git a/external/unbound/validator/validator.h b/external/unbound/validator/validator.h
deleted file mode 100644
index 23d307242..000000000
--- a/external/unbound/validator/validator.h
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * validator/validator.h - secure validator DNS query response module
- *
- * Copyright (c) 2007, NLnet Labs. All rights reserved.
- *
- * This software is open source.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * Neither the name of the NLNET LABS nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * \file
- *
- * This file contains a module that performs validation of DNS queries.
- * According to RFC 4034.
- */
-
-#ifndef VALIDATOR_VALIDATOR_H
-#define VALIDATOR_VALIDATOR_H
-#include "util/module.h"
-#include "util/data/msgreply.h"
-#include "validator/val_utils.h"
-struct val_anchors;
-struct key_cache;
-struct key_entry_key;
-struct val_neg_cache;
-struct config_strlist;
-
-/**
- * This is the TTL to use when a trust anchor fails to prime. A trust anchor
- * will be primed no more often than this interval. Used when harden-
- * dnssec-stripped is off and the trust anchor fails.
- */
-#define NULL_KEY_TTL 60 /* seconds */
-
-/**
- * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
- * trust the entire zone for that name is blacked out for this TTL.
- */
-#define BOGUS_KEY_TTL 60 /* seconds */
-
-/** max number of query restarts, number of IPs to probe */
-#define VAL_MAX_RESTART_COUNT 5
-
-/**
- * Global state for the validator.
- */
-struct val_env {
- /** key cache; these are validated keys. trusted keys only
- * end up here after being primed. */
- struct key_cache* kcache;
-
- /** aggressive negative cache. index into NSECs in rrset cache. */
- struct val_neg_cache* neg_cache;
-
- /** for debug testing a fixed validation date can be entered.
- * if 0, current time is used for rrsig validation */
- int32_t date_override;
-
- /** clock skew min for signatures */
- int32_t skew_min;
-
- /** clock skew max for signatures */
- int32_t skew_max;
-
- /** TTL for bogus data; used instead of untrusted TTL from data.
- * Bogus data will not be verified more often than this interval.
- * seconds. */
- uint32_t bogus_ttl;
-
- /** If set, the validator should clean the additional section of
- * secure messages.
- */
- int clean_additional;
-
- /**
- * If set, the validator will not make messages bogus, instead
- * indeterminate is issued, so that no clients receive SERVFAIL.
- * This allows an operator to run validation 'shadow' without
- * hurting responses to clients.
- */
- int permissive_mode;
-
- /**
- * Number of entries in the NSEC3 maximum iteration count table.
- * Keep this table short, and sorted by size
- */
- int nsec3_keyiter_count;
-
- /**
- * NSEC3 maximum iteration count per signing key size.
- * This array contains key size values (in increasing order)
- */
- size_t* nsec3_keysize;
-
- /**
- * NSEC3 maximum iteration count per signing key size.
- * This array contains the maximum iteration count for the keysize
- * in the keysize array.
- */
- size_t* nsec3_maxiter;
-
- /** lock on bogus counter */
- lock_basic_type bogus_lock;
- /** number of times rrsets marked bogus */
- size_t num_rrset_bogus;
-};
-
-/**
- * State of the validator for a query.
- */
-enum val_state {
- /** initial state for validation */
- VAL_INIT_STATE = 0,
- /** find the proper keys for validation, follow trust chain */
- VAL_FINDKEY_STATE,
- /** validate the answer, using found key entry */
- VAL_VALIDATE_STATE,
- /** finish up */
- VAL_FINISHED_STATE,
- /** DLV lookup state, processing DLV queries */
- VAL_DLVLOOKUP_STATE
-};
-
-/**
- * Per query state for the validator module.
- */
-struct val_qstate {
- /**
- * State of the validator module.
- */
- enum val_state state;
-
- /**
- * The original message we have been given to validate.
- */
- struct dns_msg* orig_msg;
-
- /**
- * The query restart count
- */
- int restart_count;
- /** The blacklist saved for chainoftrust elements */
- struct sock_list* chain_blacklist;
-
- /**
- * The query name we have chased to; qname after following CNAMEs
- */
- struct query_info qchase;
-
- /**
- * The chased reply, extract from original message. Can be:
- * o CNAME
- * o DNAME + CNAME
- * o answer
- * plus authority, additional (nsecs) that have same signature.
- */
- struct reply_info* chase_reply;
-
- /**
- * The cname skip value; the number of rrsets that have been skipped
- * due to chasing cnames. This is the offset into the
- * orig_msg->rep->rrsets array, into the answer section.
- * starts at 0 - for the full original message.
- * if it is >0 - qchase followed the cname, chase_reply setup to be
- * that message and relevant authority rrsets.
- *
- * The skip is also used for referral messages, where it will
- * range from 0, over the answer, authority and additional sections.
- */
- size_t rrset_skip;
-
- /** trust anchor name */
- uint8_t* trust_anchor_name;
- /** trust anchor labels */
- int trust_anchor_labs;
- /** trust anchor length */
- size_t trust_anchor_len;
-
- /** the DS rrset */
- struct ub_packed_rrset_key* ds_rrset;
-
- /** domain name for empty nonterminal detection */
- uint8_t* empty_DS_name;
- /** length of empty_DS_name */
- size_t empty_DS_len;
-
- /** the current key entry */
- struct key_entry_key* key_entry;
-
- /** subtype */
- enum val_classification subtype;
-
- /** signer name */
- uint8_t* signer_name;
- /** length of signer_name */
- size_t signer_len;
-
- /** true if this state is waiting to prime a trust anchor */
- int wait_prime_ta;
-
- /** have we already checked the DLV? */
- int dlv_checked;
- /** The name for which the DLV is looked up. For the current message
- * or for the current RRset (for CNAME, REFERRAL types).
- * If there is signer name, that may be it, else a domain name */
- uint8_t* dlv_lookup_name;
- /** length of dlv lookup name */
- size_t dlv_lookup_name_len;
- /** Name at which chain of trust stopped with insecure, starting DLV
- * DLV must result in chain going further down */
- uint8_t* dlv_insecure_at;
- /** length of dlv insecure point name */
- size_t dlv_insecure_at_len;
- /** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
- enum dlv_status {
- dlv_error, /* server failure */
- dlv_success, /* got a DLV */
- dlv_ask_higher, /* ask again */
- dlv_there_is_no_dlv /* got no DLV, sure of it */
- } dlv_status;
-};
-
-/**
- * Get the validator function block.
- * @return: function block with function pointers to validator methods.
- */
-struct module_func_block* val_get_funcblock(void);
-
-/**
- * Get validator state as a string
- * @param state: to convert
- * @return constant string that is printable.
- */
-const char* val_state_to_string(enum val_state state);
-
-/** validator init */
-int val_init(struct module_env* env, int id);
-
-/** validator deinit */
-void val_deinit(struct module_env* env, int id);
-
-/** validator operate on a query */
-void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
- struct outbound_entry* outbound);
-
-/**
- * inform validator super.
- *
- * @param qstate: query state that finished.
- * @param id: module id.
- * @param super: the qstate to inform.
- */
-void val_inform_super(struct module_qstate* qstate, int id,
- struct module_qstate* super);
-
-/** validator cleanup query state */
-void val_clear(struct module_qstate* qstate, int id);
-
-/**
- * Debug helper routine that assists worker in determining memory in
- * use.
- * @param env: module environment
- * @param id: module id.
- * @return memory in use in bytes.
- */
-size_t val_get_mem(struct module_env* env, int id);
-
-#endif /* VALIDATOR_VALIDATOR_H */