/*
 * validator/validator.h - secure validator DNS query response module
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains a module that performs validation of DNS queries.
 * According to RFC 4034.
 *
 * The module keeps global state in struct val_env (shared by all
 * queries) and per-query state in struct val_qstate, which walks the
 * states of enum val_state while a chain of trust is built and the
 * answer is checked against it.
 */

#ifndef VALIDATOR_VALIDATOR_H
#define VALIDATOR_VALIDATOR_H
#include "util/module.h"
#include "util/data/msgreply.h"
#include "validator/val_utils.h"
#include "validator/val_nsec3.h"
struct val_anchors;
struct key_cache;
struct key_entry_key;
struct val_neg_cache;
struct config_strlist;
struct comm_timer;
struct config_file;

/**
 * This is the TTL to use when a trust anchor fails to prime. A trust anchor
 * will be primed no more often than this interval. Used when harden-
 * dnssec-stripped is off and the trust anchor fails.
 */
#define NULL_KEY_TTL 60 /* seconds */

/**
 * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
 * trust the entire zone for that name is blacked out for this TTL.
 * Bounds how long a single failed DS/DNSKEY lookup keeps the zone
 * unresolvable before the chain of trust is re-examined.
 */
#define BOGUS_KEY_TTL 60 /* seconds */

/** Root key sentinel is ta preamble (root key trust anchor sentinel,
 * RFC 8509); the label is followed by the key tag in decimal */
#define SENTINEL_IS "root-key-sentinel-is-ta-"
/** Root key sentinel is not ta preamble (RFC 8509) */
#define SENTINEL_NOT "root-key-sentinel-not-ta-"
/** Root key sentinel keytag length; five decimal digits cover the full
 * range of a 16-bit DNSSEC key tag */
#define SENTINEL_KEYTAG_LEN 5

/**
 * Global state for the validator.
 * One instance is shared by all queries handled by the module; fields
 * that are mutated at runtime carry their own lock (see bogus_lock).
 */
struct val_env {
	/** key cache; these are validated keys. trusted keys only
	 * end up here after being primed. Because later validation is
	 * built on top of these entries, nothing is inserted that has not
	 * itself been chained back to a trust anchor. */
	struct key_cache* kcache;

	/** aggressive negative cache. index into NSECs in rrset cache. */
	struct val_neg_cache* neg_cache;

	/** for debug testing a fixed validation date can be entered.
	 * if 0, current time is used for rrsig validation. A nonzero
	 * value makes signature inception/expiration be judged against
	 * that fixed date instead of the wall clock, so it is for testing
	 * only. */
	int32_t date_override;

	/** clock skew min for signatures (presumably seconds, tolerance
	 * applied to the signature inception time -- confirm in
	 * val_sigcrypt) */
	int32_t skew_min;

	/** clock skew max for signatures (presumably seconds, tolerance
	 * applied to the signature expiration time -- confirm in
	 * val_sigcrypt) */
	int32_t skew_max;

	/** max number of query restarts, number of IPs to probe.
	 * Compared against val_qstate.restart_count. */
	int max_restart;

	/** TTL for bogus data; used instead of untrusted TTL from data.
	 * Bogus data will not be verified more often than this interval.
	 * seconds. Using a fixed value here means the TTL carried in a
	 * reply that failed validation never decides how long the bogus
	 * verdict is cached. */
	uint32_t bogus_ttl;

	/**
	 * Number of entries in the NSEC3 maximum iteration count table.
	 * Keep this table short, and sorted by size
	 */
	int nsec3_keyiter_count;

	/**
	 * NSEC3 maximum iteration count per signing key size.
	 * This array contains key size values (in increasing order)
	 */
	size_t* nsec3_keysize;

	/**
	 * NSEC3 maximum iteration count per signing key size.
	 * This array contains the maximum iteration count for the keysize
	 * in the keysize array. Capping the iteration count bounds the
	 * hashing work a resolver spends on a single NSEC3 proof
	 * (RFC 5155 section 10.3).
	 */
	size_t* nsec3_maxiter;

	/** lock on bogus counter; hold it for every read or write of
	 * num_rrset_bogus */
	lock_basic_type bogus_lock;
	/** number of times rrsets marked bogus */
	size_t num_rrset_bogus;
};

/**
 * State of the validator for a query.
 * Printable names are produced by val_state_to_string().
 */
enum val_state {
	/** initial state for validation */
	VAL_INIT_STATE = 0,
	/** find the proper keys for validation, follow trust chain */
	VAL_FINDKEY_STATE,
	/** validate the answer, using found key entry */
	VAL_VALIDATE_STATE,
	/** finish up */
	VAL_FINISHED_STATE,
};

/**
 * Per query state for the validator module.
 * Allocated per query and released by val_clear().
 */
struct val_qstate {
	/**
	 * State of the validator module.
	 */
	enum val_state state;

	/**
	 * The original message we have been given to validate.
	 */
	struct dns_msg* orig_msg;

	/**
	 * The query restart count; bounded by val_env.max_restart.
	 */
	int restart_count;
	/** The blacklist saved for chain of trust elements */
	struct sock_list* chain_blacklist;

	/**
	 * The query name we have chased to; qname after following CNAMEs
	 */
	struct query_info qchase;

	/**
	 * The chased reply, extract from original message. Can be:
	 * 	o CNAME
	 * 	o DNAME + CNAME
	 * 	o answer
	 * plus authority, additional (nsecs) that have same signature.
	 */
	struct reply_info* chase_reply;

	/**
	 * The cname skip value; the number of rrsets that have been skipped
	 * due to chasing cnames. This is the offset into the
	 * orig_msg->rep->rrsets array, into the answer section.
	 * starts at 0 - for the full original message.
	 * if it is >0 - qchase followed the cname, chase_reply setup to be
	 * that message and relevant authority rrsets.
	 *
	 * The skip is also used for referral messages, where it will
	 * range from 0, over the answer, authority and additional sections.
	 */
	size_t rrset_skip;

	/** trust anchor name */
	uint8_t* trust_anchor_name;
	/** trust anchor labels */
	int trust_anchor_labs;
	/** trust anchor length */
	size_t trust_anchor_len;

	/** the DS rrset */
	struct ub_packed_rrset_key* ds_rrset;

	/** domain name for empty nonterminal detection */
	uint8_t* empty_DS_name;
	/** length of empty_DS_name */
	size_t empty_DS_len;

	/** the current key entry */
	struct key_entry_key* key_entry;

	/** subtype */
	enum val_classification subtype;

	/** signer name */
	uint8_t* signer_name;
	/** length of signer_name */
	size_t signer_len;

	/** true if this state is waiting to prime a trust anchor */
	int wait_prime_ta;

	/** State to continue with RRSIG validation in a message later.
	 * NOTE(review): together with msg_signatures_index, suspend_timer
	 * and suspend_count this appears to let signature checking of
	 * one reply be split across several event-loop turns instead of
	 * running to completion in one go -- confirm in validator.c. */
	int msg_signatures_state;
	/** The rrset index for the msg signatures to continue from */
	size_t msg_signatures_index;
	/** Cache table for NSEC3 hashes */
	struct nsec3_cache_table nsec3_cache_table;
	/** DS message from sub if it got suspended from NSEC3 calculations */
	struct dns_msg* sub_ds_msg;
	/** The timer to resume processing msg signatures; fires
	 * validate_suspend_timer_cb() */
	struct comm_timer* suspend_timer;
	/** Number of suspends */
	int suspend_count;
};

/**
 * Get the validator function block.
 * @return: function block with function pointers to validator methods.
 */
struct module_func_block* val_get_funcblock(void);

/**
 * Get validator state as a string
 * @param state: to convert
 * @return constant string that is printable.
 */
const char* val_state_to_string(enum val_state state);

/** validator init
 * @param env: module environment.
 * @param id: module id.
 * @return nonzero on success, presumably following the module
 *	convention of the other modules -- confirm in validator.c. */
int val_init(struct module_env* env, int id);

/** validator deinit
 * @param env: module environment.
 * @param id: module id. */
void val_deinit(struct module_env* env, int id);

/** validator operate on a query
 * @param qstate: query state being processed.
 * @param event: the module event that triggered the call.
 * @param id: module id.
 * @param outbound: outbound entry that completed, if the event has one. */
void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
	struct outbound_entry* outbound);

/**
 * inform validator super.
 *
 * @param qstate: query state that finished.
 * @param id: module id.
 * @param super: the qstate to inform.
 */
void val_inform_super(struct module_qstate* qstate, int id,
	struct module_qstate* super);

/** validator cleanup query state
 * @param qstate: query state whose validator data is released.
 * @param id: module id. */
void val_clear(struct module_qstate* qstate, int id);

/**
 * Debug helper routine that assists worker in determining memory in
 * use.
 * @param env: module environment
 * @param id: module id.
 * @return memory in use in bytes.
 */
size_t val_get_mem(struct module_env* env, int id);

/** Timer callback for msg signatures continue timer
 * @param arg: callback argument; presumably the query state whose
 *	signature validation is resumed -- confirm in validator.c. */
void validate_suspend_timer_cb(void* arg);

/**
 * Parse the val_nsec3_key_iterations string.
 * @param val_nsec3_key_iterations: the string with nsec3 iterations config.
 *	Not const; presumably the parser tokenizes it in place -- confirm.
 * @param keysize: returns malloced key size array on success.
 * @param maxiter: returns malloced max iterations array on success.
 * @param keyiter_count: returns size of keysize and maxiter arrays.
 * @return false if it does not parse correctly.
 * On success the caller owns the two malloced arrays until they are
 * handed to val_env_apply_cfg().
 */
int val_env_parse_key_iter(char* val_nsec3_key_iterations, size_t** keysize,
	size_t** maxiter, int* keyiter_count);

/**
 * Apply config to validator env
 * @param val_env: validator env.
 * @param cfg: config
 * @param keysize: nsec3 key size array.
 * @param maxiter: nsec3 max iterations array.
 * @param keyiter_count: size of keysize and maxiter arrays.
 * NOTE(review): the arrays presumably become val_env->nsec3_keysize and
 * val_env->nsec3_maxiter and are freed at deinit; this header does not
 * say who frees them -- confirm before freeing on the caller side.
 */
void val_env_apply_cfg(struct val_env* val_env, struct config_file* cfg,
	size_t* keysize, size_t* maxiter, int keyiter_count);

#endif /* VALIDATOR_VALIDATOR_H */