xref: /freebsd/contrib/unbound/validator/validator.h (revision 190cef3d52236565eb22e18b33e9e865ec634aa3)
1 /*
2  * validator/validator.h - secure validator DNS query response module
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains a module that performs validation of DNS queries.
40  * According to RFC 4034.
41  */
42 
43 #ifndef VALIDATOR_VALIDATOR_H
44 #define VALIDATOR_VALIDATOR_H
45 #include "util/module.h"
46 #include "util/data/msgreply.h"
47 #include "validator/val_utils.h"
48 struct val_anchors;
49 struct key_cache;
50 struct key_entry_key;
51 struct val_neg_cache;
52 struct config_strlist;
53 
54 /**
55  * This is the TTL to use when a trust anchor fails to prime. A trust anchor
56  * will be primed no more often than this interval.  Used when harden-
57  * dnssec-stripped is off and the trust anchor fails.
58  */
59 #define NULL_KEY_TTL	60 /* seconds */
60 
61 /**
62  * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
63  * trust the entire zone for that name is blacked out for this TTL.
64  */
65 #define BOGUS_KEY_TTL	60 /* seconds */
66 
67 /** max number of query restarts, number of IPs to probe */
68 #define VAL_MAX_RESTART_COUNT 5
69 
70 /** Root key sentinel is ta preamble */
71 #define SENTINEL_IS		"root-key-sentinel-is-ta-"
72 /** Root key sentinel is not ta preamble */
73 #define SENTINEL_NOT		"root-key-sentinel-not-ta-"
74 /** Root key sentinal keytag length */
75 #define SENTINEL_KEYTAG_LEN	5
76 
77 /**
78  * Global state for the validator.
79  */
80 struct val_env {
81 	/** key cache; these are validated keys. trusted keys only
82 	 * end up here after being primed. */
83 	struct key_cache* kcache;
84 
85 	/** aggressive negative cache. index into NSECs in rrset cache. */
86 	struct val_neg_cache* neg_cache;
87 
88 	/** for debug testing a fixed validation date can be entered.
89 	 * if 0, current time is used for rrsig validation */
90 	int32_t date_override;
91 
92 	/** clock skew min for signatures */
93 	int32_t skew_min;
94 
95 	/** clock skew max for signatures */
96 	int32_t skew_max;
97 
98 	/** TTL for bogus data; used instead of untrusted TTL from data.
99 	 * Bogus data will not be verified more often than this interval.
100 	 * seconds. */
101 	uint32_t bogus_ttl;
102 
103 	/**
104 	 * Number of entries in the NSEC3 maximum iteration count table.
105 	 * Keep this table short, and sorted by size
106 	 */
107 	int nsec3_keyiter_count;
108 
109 	/**
110 	 * NSEC3 maximum iteration count per signing key size.
111 	 * This array contains key size values (in increasing order)
112 	 */
113 	size_t* nsec3_keysize;
114 
115 	/**
116 	 * NSEC3 maximum iteration count per signing key size.
117 	 * This array contains the maximum iteration count for the keysize
118 	 * in the keysize array.
119 	 */
120 	size_t* nsec3_maxiter;
121 
122 	/** lock on bogus counter */
123 	lock_basic_type bogus_lock;
124 	/** number of times rrsets marked bogus */
125 	size_t num_rrset_bogus;
126 };
127 
128 /**
129  * State of the validator for a query.
130  */
131 enum val_state {
132 	/** initial state for validation */
133 	VAL_INIT_STATE = 0,
134 	/** find the proper keys for validation, follow trust chain */
135 	VAL_FINDKEY_STATE,
136 	/** validate the answer, using found key entry */
137 	VAL_VALIDATE_STATE,
138 	/** finish up */
139 	VAL_FINISHED_STATE,
140 	/** DLV lookup state, processing DLV queries */
141 	VAL_DLVLOOKUP_STATE
142 };
143 
144 /**
145  * Per query state for the validator module.
146  */
147 struct val_qstate {
148 	/**
149 	 * State of the validator module.
150 	 */
151 	enum val_state state;
152 
153 	/**
154 	 * The original message we have been given to validate.
155 	 */
156 	struct dns_msg* orig_msg;
157 
158 	/**
159 	 * The query restart count
160 	 */
161 	int restart_count;
162 	/** The blacklist saved for chainoftrust elements */
163 	struct sock_list* chain_blacklist;
164 
165 	/**
166 	 * The query name we have chased to; qname after following CNAMEs
167 	 */
168 	struct query_info qchase;
169 
170 	/**
171 	 * The chased reply, extract from original message. Can be:
172 	 * 	o CNAME
173 	 * 	o DNAME + CNAME
174 	 * 	o answer
175 	 * 	plus authority, additional (nsecs) that have same signature.
176 	 */
177 	struct reply_info* chase_reply;
178 
179 	/**
180 	 * The cname skip value; the number of rrsets that have been skipped
181 	 * due to chasing cnames. This is the offset into the
182 	 * orig_msg->rep->rrsets array, into the answer section.
183 	 * starts at 0 - for the full original message.
184 	 * if it is >0 - qchase followed the cname, chase_reply setup to be
185 	 * that message and relevant authority rrsets.
186 	 *
187 	 * The skip is also used for referral messages, where it will
188 	 * range from 0, over the answer, authority and additional sections.
189 	 */
190 	size_t rrset_skip;
191 
192 	/** trust anchor name */
193 	uint8_t* trust_anchor_name;
194 	/** trust anchor labels */
195 	int trust_anchor_labs;
196 	/** trust anchor length */
197 	size_t trust_anchor_len;
198 
199 	/** the DS rrset */
200 	struct ub_packed_rrset_key* ds_rrset;
201 
202 	/** domain name for empty nonterminal detection */
203 	uint8_t* empty_DS_name;
204 	/** length of empty_DS_name */
205 	size_t empty_DS_len;
206 
207 	/** the current key entry */
208 	struct key_entry_key* key_entry;
209 
210 	/** subtype */
211 	enum val_classification subtype;
212 
213 	/** signer name */
214 	uint8_t* signer_name;
215 	/** length of signer_name */
216 	size_t signer_len;
217 
218 	/** true if this state is waiting to prime a trust anchor */
219 	int wait_prime_ta;
220 
221 	/** have we already checked the DLV? */
222 	int dlv_checked;
223 	/** The name for which the DLV is looked up. For the current message
224 	 * or for the current RRset (for CNAME, REFERRAL types).
225 	 * If there is signer name, that may be it, else a domain name */
226 	uint8_t* dlv_lookup_name;
227 	/** length of dlv lookup name */
228 	size_t dlv_lookup_name_len;
229 	/** Name at which chain of trust stopped with insecure, starting DLV
230 	 * DLV must result in chain going further down */
231 	uint8_t* dlv_insecure_at;
232 	/** length of dlv insecure point name */
233 	size_t dlv_insecure_at_len;
234 	/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
235 	enum dlv_status {
236 		dlv_error, /* server failure */
237 		dlv_success, /* got a DLV */
238 		dlv_ask_higher, /* ask again */
239 		dlv_there_is_no_dlv /* got no DLV, sure of it */
240 	} dlv_status;
241 };
242 
243 /**
244  * Get the validator function block.
245  * @return: function block with function pointers to validator methods.
246  */
247 struct module_func_block* val_get_funcblock(void);
248 
249 /**
250  * Get validator state as a string
251  * @param state: to convert
252  * @return constant string that is printable.
253  */
254 const char* val_state_to_string(enum val_state state);
255 
256 /** validator init */
257 int val_init(struct module_env* env, int id);
258 
259 /** validator deinit */
260 void val_deinit(struct module_env* env, int id);
261 
262 /** validator operate on a query */
263 void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
264         struct outbound_entry* outbound);
265 
266 /**
267  * inform validator super.
268  *
269  * @param qstate: query state that finished.
270  * @param id: module id.
271  * @param super: the qstate to inform.
272  */
273 void val_inform_super(struct module_qstate* qstate, int id,
274 	struct module_qstate* super);
275 
276 /** validator cleanup query state */
277 void val_clear(struct module_qstate* qstate, int id);
278 
279 /**
280  * Debug helper routine that assists worker in determining memory in
281  * use.
282  * @param env: module environment
283  * @param id: module id.
284  * @return memory in use in bytes.
285  */
286 size_t val_get_mem(struct module_env* env, int id);
287 
288 #endif /* VALIDATOR_VALIDATOR_H */
289