xref: /freebsd/contrib/unbound/validator/validator.h (revision 783d3ff6d7fae619db8a7990b8a6387de0c677b5)
1 /*
2  * validator/validator.h - secure validator DNS query response module
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains a module that performs validation of DNS queries.
40  * According to RFC 4034.
41  */
42 
43 #ifndef VALIDATOR_VALIDATOR_H
44 #define VALIDATOR_VALIDATOR_H
45 #include "util/module.h"
46 #include "util/data/msgreply.h"
47 #include "validator/val_utils.h"
48 #include "validator/val_nsec3.h"
49 struct val_anchors;
50 struct key_cache;
51 struct key_entry_key;
52 struct val_neg_cache;
53 struct config_strlist;
54 struct comm_timer;
55 
56 /**
57  * This is the TTL to use when a trust anchor fails to prime. A trust anchor
58  * will be primed no more often than this interval.  Used when harden-
59  * dnssec-stripped is off and the trust anchor fails.
60  */
61 #define NULL_KEY_TTL	60 /* seconds */
62 
63 /**
64  * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
65  * trust the entire zone for that name is blacked out for this TTL.
66  */
67 #define BOGUS_KEY_TTL	60 /* seconds */
68 
69 /** Root key sentinel is ta preamble */
70 #define SENTINEL_IS		"root-key-sentinel-is-ta-"
71 /** Root key sentinel is not ta preamble */
72 #define SENTINEL_NOT		"root-key-sentinel-not-ta-"
73 /** Root key sentinel keytag length */
74 #define SENTINEL_KEYTAG_LEN	5
75 
76 /**
77  * Global state for the validator.
78  */
79 struct val_env {
80 	/** key cache; these are validated keys. trusted keys only
81 	 * end up here after being primed. */
82 	struct key_cache* kcache;
83 
84 	/** aggressive negative cache. index into NSECs in rrset cache. */
85 	struct val_neg_cache* neg_cache;
86 
87 	/** for debug testing a fixed validation date can be entered.
88 	 * if 0, current time is used for rrsig validation */
89 	int32_t date_override;
90 
91 	/** clock skew min for signatures */
92 	int32_t skew_min;
93 
94 	/** clock skew max for signatures */
95 	int32_t skew_max;
96 
97 	/** max number of query restarts, number of IPs to probe */
98 	int max_restart;
99 
100 	/** TTL for bogus data; used instead of untrusted TTL from data.
101 	 * Bogus data will not be verified more often than this interval.
102 	 * seconds. */
103 	uint32_t bogus_ttl;
104 
105 	/**
106 	 * Number of entries in the NSEC3 maximum iteration count table.
107 	 * Keep this table short, and sorted by size
108 	 */
109 	int nsec3_keyiter_count;
110 
111 	/**
112 	 * NSEC3 maximum iteration count per signing key size.
113 	 * This array contains key size values (in increasing order)
114 	 */
115 	size_t* nsec3_keysize;
116 
117 	/**
118 	 * NSEC3 maximum iteration count per signing key size.
119 	 * This array contains the maximum iteration count for the keysize
120 	 * in the keysize array.
121 	 */
122 	size_t* nsec3_maxiter;
123 
124 	/** lock on bogus counter */
125 	lock_basic_type bogus_lock;
126 	/** number of times rrsets marked bogus */
127 	size_t num_rrset_bogus;
128 };
129 
130 /**
131  * State of the validator for a query.
132  */
133 enum val_state {
134 	/** initial state for validation */
135 	VAL_INIT_STATE = 0,
136 	/** find the proper keys for validation, follow trust chain */
137 	VAL_FINDKEY_STATE,
138 	/** validate the answer, using found key entry */
139 	VAL_VALIDATE_STATE,
140 	/** finish up */
141 	VAL_FINISHED_STATE,
142 };
143 
144 /**
145  * Per query state for the validator module.
146  */
147 struct val_qstate {
148 	/**
149 	 * State of the validator module.
150 	 */
151 	enum val_state state;
152 
153 	/**
154 	 * The original message we have been given to validate.
155 	 */
156 	struct dns_msg* orig_msg;
157 
158 	/**
159 	 * The query restart count
160 	 */
161 	int restart_count;
162 	/** The blacklist saved for chainoftrust elements */
163 	struct sock_list* chain_blacklist;
164 
165 	/**
166 	 * The query name we have chased to; qname after following CNAMEs
167 	 */
168 	struct query_info qchase;
169 
170 	/**
171 	 * The chased reply, extract from original message. Can be:
172 	 * 	o CNAME
173 	 * 	o DNAME + CNAME
174 	 * 	o answer
175 	 * 	plus authority, additional (nsecs) that have same signature.
176 	 */
177 	struct reply_info* chase_reply;
178 
179 	/**
180 	 * The cname skip value; the number of rrsets that have been skipped
181 	 * due to chasing cnames. This is the offset into the
182 	 * orig_msg->rep->rrsets array, into the answer section.
183 	 * starts at 0 - for the full original message.
184 	 * if it is >0 - qchase followed the cname, chase_reply setup to be
185 	 * that message and relevant authority rrsets.
186 	 *
187 	 * The skip is also used for referral messages, where it will
188 	 * range from 0, over the answer, authority and additional sections.
189 	 */
190 	size_t rrset_skip;
191 
192 	/** trust anchor name */
193 	uint8_t* trust_anchor_name;
194 	/** trust anchor labels */
195 	int trust_anchor_labs;
196 	/** trust anchor length */
197 	size_t trust_anchor_len;
198 
199 	/** the DS rrset */
200 	struct ub_packed_rrset_key* ds_rrset;
201 
202 	/** domain name for empty nonterminal detection */
203 	uint8_t* empty_DS_name;
204 	/** length of empty_DS_name */
205 	size_t empty_DS_len;
206 
207 	/** the current key entry */
208 	struct key_entry_key* key_entry;
209 
210 	/** subtype */
211 	enum val_classification subtype;
212 
213 	/** signer name */
214 	uint8_t* signer_name;
215 	/** length of signer_name */
216 	size_t signer_len;
217 
218 	/** true if this state is waiting to prime a trust anchor */
219 	int wait_prime_ta;
220 
221 	/** State to continue with RRSIG validation in a message later */
222 	int msg_signatures_state;
223 	/** The rrset index for the msg signatures to continue from */
224 	size_t msg_signatures_index;
225 	/** Cache table for NSEC3 hashes */
226 	struct nsec3_cache_table nsec3_cache_table;
227 	/** DS message from sub if it got suspended from NSEC3 calculations */
228 	struct dns_msg* sub_ds_msg;
229 	/** The timer to resume processing msg signatures */
230 	struct comm_timer* suspend_timer;
231 	/** Number of suspends */
232 	int suspend_count;
233 };
234 
235 /**
236  * Get the validator function block.
237  * @return: function block with function pointers to validator methods.
238  */
239 struct module_func_block* val_get_funcblock(void);
240 
241 /**
242  * Get validator state as a string
243  * @param state: to convert
244  * @return constant string that is printable.
245  */
246 const char* val_state_to_string(enum val_state state);
247 
248 /** validator init */
249 int val_init(struct module_env* env, int id);
250 
251 /** validator deinit */
252 void val_deinit(struct module_env* env, int id);
253 
254 /** validator operate on a query */
255 void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
256         struct outbound_entry* outbound);
257 
258 /**
259  * inform validator super.
260  *
261  * @param qstate: query state that finished.
262  * @param id: module id.
263  * @param super: the qstate to inform.
264  */
265 void val_inform_super(struct module_qstate* qstate, int id,
266 	struct module_qstate* super);
267 
268 /** validator cleanup query state */
269 void val_clear(struct module_qstate* qstate, int id);
270 
271 /**
272  * Debug helper routine that assists worker in determining memory in
273  * use.
274  * @param env: module environment
275  * @param id: module id.
276  * @return memory in use in bytes.
277  */
278 size_t val_get_mem(struct module_env* env, int id);
279 
280 /** Timer callback for msg signatures continue timer */
281 void validate_suspend_timer_cb(void* arg);
282 
283 #endif /* VALIDATOR_VALIDATOR_H */
284