Swift
summaryrefslogtreecommitdiffstats
path: root/3rdParty/Unbound/src/src/validator/validator.h
diff options
context:
space:
mode:
Diffstat (limited to '3rdParty/Unbound/src/src/validator/validator.h')
-rw-r--r--3rdParty/Unbound/src/src/validator/validator.h294
1 files changed, 294 insertions, 0 deletions
diff --git a/3rdParty/Unbound/src/src/validator/validator.h b/3rdParty/Unbound/src/src/validator/validator.h
new file mode 100644
index 0000000..18e905e
--- /dev/null
+++ b/3rdParty/Unbound/src/src/validator/validator.h
@@ -0,0 +1,294 @@
+/*
+ * validator/validator.h - secure validator DNS query response module
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that performs validation of DNS queries.
+ * According to RFC 4034.
+ */
+
+#ifndef VALIDATOR_VALIDATOR_H
+#define VALIDATOR_VALIDATOR_H
+#include "util/module.h"
+#include "util/data/msgreply.h"
+#include "validator/val_utils.h"
+struct val_anchors;
+struct key_cache;
+struct key_entry_key;
+struct val_neg_cache;
+struct config_strlist;
+
+/**
+ * This is the TTL to use when a trust anchor fails to prime. A trust anchor
+ * will be primed no more often than this interval. Used when harden-
+ * dnssec-stripped is off and the trust anchor fails.
+ */
+#define NULL_KEY_TTL 900 /* seconds */
+
+/**
+ * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
+ * trust the entire zone for that name is blacked out for this TTL.
+ */
+#define BOGUS_KEY_TTL 900 /* seconds */
+
+/** max number of query restarts, number of IPs to probe */
+#define VAL_MAX_RESTART_COUNT 5
+
+/**
+ * Global state for the validator.
+ */
+struct val_env {
+ /** key cache; these are validated keys. trusted keys only
+ * end up here after being primed. */
+ struct key_cache* kcache;
+
+ /** aggressive negative cache. index into NSECs in rrset cache. */
+ struct val_neg_cache* neg_cache;
+
+ /** for debug testing a fixed validation date can be entered.
+ * if 0, current time is used for rrsig validation */
+ int32_t date_override;
+
+ /** clock skew min for signatures */
+ int32_t skew_min;
+
+ /** clock skew max for signatures */
+ int32_t skew_max;
+
+ /** TTL for bogus data; used instead of untrusted TTL from data.
+ * Bogus data will not be verified more often than this interval.
+ * seconds. */
+ uint32_t bogus_ttl;
+
+ /** If set, the validator should clean the additional section of
+ * secure messages.
+ */
+ int clean_additional;
+
+ /**
+ * If set, the validator will not make messages bogus, instead
+ * indeterminate is issued, so that no clients receive SERVFAIL.
+ * This allows an operator to run validation 'shadow' without
+ * hurting responses to clients.
+ */
+ int permissive_mode;
+
+ /**
+ * Number of entries in the NSEC3 maximum iteration count table.
+ * Keep this table short, and sorted by size
+ */
+ int nsec3_keyiter_count;
+
+ /**
+ * NSEC3 maximum iteration count per signing key size.
+ * This array contains key size values (in increasing order)
+ */
+ size_t* nsec3_keysize;
+
+ /**
+ * NSEC3 maximum iteration count per signing key size.
+ * This array contains the maximum iteration count for the keysize
+ * in the keysize array.
+ */
+ size_t* nsec3_maxiter;
+
+ /** lock on bogus counter */
+ lock_basic_t bogus_lock;
+ /** number of times rrsets marked bogus */
+ size_t num_rrset_bogus;
+};
+
+/**
+ * State of the validator for a query.
+ */
+enum val_state {
+ /** initial state for validation */
+ VAL_INIT_STATE = 0,
+ /** find the proper keys for validation, follow trust chain */
+ VAL_FINDKEY_STATE,
+ /** validate the answer, using found key entry */
+ VAL_VALIDATE_STATE,
+ /** finish up */
+ VAL_FINISHED_STATE,
+ /** DLV lookup state, processing DLV queries */
+ VAL_DLVLOOKUP_STATE
+};
+
+/**
+ * Per query state for the validator module.
+ */
+struct val_qstate {
+ /**
+ * State of the validator module.
+ */
+ enum val_state state;
+
+ /**
+ * The original message we have been given to validate.
+ */
+ struct dns_msg* orig_msg;
+
+ /**
+ * The query restart count
+ */
+ int restart_count;
+ /** The blacklist saved for chainoftrust elements */
+ struct sock_list* chain_blacklist;
+
+ /**
+ * The query name we have chased to; qname after following CNAMEs
+ */
+ struct query_info qchase;
+
+ /**
+ * The chased reply, extract from original message. Can be:
+ * o CNAME
+ * o DNAME + CNAME
+ * o answer
+ * plus authority, additional (nsecs) that have same signature.
+ */
+ struct reply_info* chase_reply;
+
+ /**
+ * The cname skip value; the number of rrsets that have been skipped
+ * due to chasing cnames. This is the offset into the
+ * orig_msg->rep->rrsets array, into the answer section.
+ * starts at 0 - for the full original message.
+ * if it is >0 - qchase followed the cname, chase_reply setup to be
+ * that message and relevant authority rrsets.
+ *
+ * The skip is also used for referral messages, where it will
+ * range from 0, over the answer, authority and additional sections.
+ */
+ size_t rrset_skip;
+
+ /** trust anchor name */
+ uint8_t* trust_anchor_name;
+ /** trust anchor labels */
+ int trust_anchor_labs;
+ /** trust anchor length */
+ size_t trust_anchor_len;
+
+ /** the DS rrset */
+ struct ub_packed_rrset_key* ds_rrset;
+
+ /** domain name for empty nonterminal detection */
+ uint8_t* empty_DS_name;
+ /** length of empty_DS_name */
+ size_t empty_DS_len;
+
+ /** the current key entry */
+ struct key_entry_key* key_entry;
+
+ /** subtype */
+ enum val_classification subtype;
+
+ /** signer name */
+ uint8_t* signer_name;
+ /** length of signer_name */
+ size_t signer_len;
+
+ /** true if this state is waiting to prime a trust anchor */
+ int wait_prime_ta;
+
+ /** have we already checked the DLV? */
+ int dlv_checked;
+ /** The name for which the DLV is looked up. For the current message
+ * or for the current RRset (for CNAME, REFERRAL types).
+ * If there is signer name, that may be it, else a domain name */
+ uint8_t* dlv_lookup_name;
+ /** length of dlv lookup name */
+ size_t dlv_lookup_name_len;
+ /** Name at which chain of trust stopped with insecure, starting DLV
+ * DLV must result in chain going further down */
+ uint8_t* dlv_insecure_at;
+ /** length of dlv insecure point name */
+ size_t dlv_insecure_at_len;
+ /** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
+ enum dlv_status {
+ dlv_error, /* server failure */
+ dlv_success, /* got a DLV */
+ dlv_ask_higher, /* ask again */
+ dlv_there_is_no_dlv /* got no DLV, sure of it */
+ } dlv_status;
+};
+
+/**
+ * Get the validator function block.
+ * @return: function block with function pointers to validator methods.
+ */
+struct module_func_block* val_get_funcblock(void);
+
+/**
+ * Get validator state as a string
+ * @param state: to convert
+ * @return constant string that is printable.
+ */
+const char* val_state_to_string(enum val_state state);
+
+/** validator init */
+int val_init(struct module_env* env, int id);
+
+/** validator deinit */
+void val_deinit(struct module_env* env, int id);
+
+/** validator operate on a query */
+void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
+ struct outbound_entry* outbound);
+
+/**
+ * inform validator super.
+ *
+ * @param qstate: query state that finished.
+ * @param id: module id.
+ * @param super: the qstate to inform.
+ */
+void val_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super);
+
+/** validator cleanup query state */
+void val_clear(struct module_qstate* qstate, int id);
+
+/**
+ * Debug helper routine that assists worker in determining memory in
+ * use.
+ * @param env: module environment
+ * @param id: module id.
+ * @return memory in use in bytes.
+ */
+size_t val_get_mem(struct module_env* env, int id);
+
+#endif /* VALIDATOR_VALIDATOR_H */