2014-10-06 00:44:31 +03:00
|
|
|
/*
|
|
|
|
* validator/validator.h - secure validator DNS query response module
|
|
|
|
*
|
|
|
|
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
|
|
|
*
|
|
|
|
* This software is open source.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
|
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
*
|
|
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
* and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
|
|
* be used to endorse or promote products derived from this software without
|
|
|
|
* specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* \file
|
|
|
|
*
|
|
|
|
* This file contains a module that performs validation of DNS queries.
|
|
|
|
* According to RFC 4034.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef VALIDATOR_VALIDATOR_H
|
|
|
|
#define VALIDATOR_VALIDATOR_H
|
|
|
|
#include "util/module.h"
|
|
|
|
#include "util/data/msgreply.h"
|
|
|
|
#include "validator/val_utils.h"
|
|
|
|
struct val_anchors;
|
|
|
|
struct key_cache;
|
|
|
|
struct key_entry_key;
|
|
|
|
struct val_neg_cache;
|
|
|
|
struct config_strlist;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* This is the TTL to use when a trust anchor fails to prime. A trust anchor
|
|
|
|
* will be primed no more often than this interval. Used when harden-
|
|
|
|
* dnssec-stripped is off and the trust anchor fails.
|
|
|
|
*/
|
|
|
|
#define NULL_KEY_TTL 60 /* seconds */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
|
|
|
|
* trust the entire zone for that name is blacked out for this TTL.
|
|
|
|
*/
|
|
|
|
#define BOGUS_KEY_TTL 60 /* seconds */
|
|
|
|
|
|
|
|
/** max number of query restarts, number of IPs to probe */
|
|
|
|
#define VAL_MAX_RESTART_COUNT 5
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Global state for the validator.
|
|
|
|
*/
|
|
|
|
struct val_env {
|
|
|
|
/** key cache; these are validated keys. trusted keys only
|
|
|
|
* end up here after being primed. */
|
|
|
|
struct key_cache* kcache;
|
|
|
|
|
|
|
|
/** aggressive negative cache. index into NSECs in rrset cache. */
|
|
|
|
struct val_neg_cache* neg_cache;
|
|
|
|
|
|
|
|
/** for debug testing a fixed validation date can be entered.
|
|
|
|
* if 0, current time is used for rrsig validation */
|
|
|
|
int32_t date_override;
|
|
|
|
|
|
|
|
/** clock skew min for signatures */
|
|
|
|
int32_t skew_min;
|
|
|
|
|
|
|
|
/** clock skew max for signatures */
|
|
|
|
int32_t skew_max;
|
|
|
|
|
|
|
|
/** TTL for bogus data; used instead of untrusted TTL from data.
|
|
|
|
* Bogus data will not be verified more often than this interval.
|
|
|
|
* seconds. */
|
|
|
|
uint32_t bogus_ttl;
|
|
|
|
|
|
|
|
/** If set, the validator should clean the additional section of
|
|
|
|
* secure messages.
|
|
|
|
*/
|
|
|
|
int clean_additional;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* If set, the validator will not make messages bogus, instead
|
|
|
|
* indeterminate is issued, so that no clients receive SERVFAIL.
|
|
|
|
* This allows an operator to run validation 'shadow' without
|
|
|
|
* hurting responses to clients.
|
|
|
|
*/
|
|
|
|
int permissive_mode;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Number of entries in the NSEC3 maximum iteration count table.
|
|
|
|
* Keep this table short, and sorted by size
|
|
|
|
*/
|
|
|
|
int nsec3_keyiter_count;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NSEC3 maximum iteration count per signing key size.
|
|
|
|
* This array contains key size values (in increasing order)
|
|
|
|
*/
|
|
|
|
size_t* nsec3_keysize;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NSEC3 maximum iteration count per signing key size.
|
|
|
|
* This array contains the maximum iteration count for the keysize
|
|
|
|
* in the keysize array.
|
|
|
|
*/
|
|
|
|
size_t* nsec3_maxiter;
|
|
|
|
|
|
|
|
/** lock on bogus counter */
|
2017-06-16 13:16:05 +03:00
|
|
|
lock_basic_type bogus_lock;
|
2014-10-06 00:44:31 +03:00
|
|
|
/** number of times rrsets marked bogus */
|
|
|
|
size_t num_rrset_bogus;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* State of the validator for a query.
|
|
|
|
*/
|
|
|
|
enum val_state {
|
|
|
|
/** initial state for validation */
|
|
|
|
VAL_INIT_STATE = 0,
|
|
|
|
/** find the proper keys for validation, follow trust chain */
|
|
|
|
VAL_FINDKEY_STATE,
|
|
|
|
/** validate the answer, using found key entry */
|
|
|
|
VAL_VALIDATE_STATE,
|
|
|
|
/** finish up */
|
|
|
|
VAL_FINISHED_STATE,
|
|
|
|
/** DLV lookup state, processing DLV queries */
|
|
|
|
VAL_DLVLOOKUP_STATE
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Per query state for the validator module.
|
|
|
|
*/
|
|
|
|
struct val_qstate {
|
|
|
|
/**
|
|
|
|
* State of the validator module.
|
|
|
|
*/
|
|
|
|
enum val_state state;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The original message we have been given to validate.
|
|
|
|
*/
|
|
|
|
struct dns_msg* orig_msg;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The query restart count
|
|
|
|
*/
|
|
|
|
int restart_count;
|
|
|
|
/** The blacklist saved for chainoftrust elements */
|
|
|
|
struct sock_list* chain_blacklist;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The query name we have chased to; qname after following CNAMEs
|
|
|
|
*/
|
|
|
|
struct query_info qchase;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The chased reply, extract from original message. Can be:
|
|
|
|
* o CNAME
|
|
|
|
* o DNAME + CNAME
|
|
|
|
* o answer
|
|
|
|
* plus authority, additional (nsecs) that have same signature.
|
|
|
|
*/
|
|
|
|
struct reply_info* chase_reply;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The cname skip value; the number of rrsets that have been skipped
|
|
|
|
* due to chasing cnames. This is the offset into the
|
|
|
|
* orig_msg->rep->rrsets array, into the answer section.
|
|
|
|
* starts at 0 - for the full original message.
|
|
|
|
* if it is >0 - qchase followed the cname, chase_reply setup to be
|
|
|
|
* that message and relevant authority rrsets.
|
|
|
|
*
|
|
|
|
* The skip is also used for referral messages, where it will
|
|
|
|
* range from 0, over the answer, authority and additional sections.
|
|
|
|
*/
|
|
|
|
size_t rrset_skip;
|
|
|
|
|
|
|
|
/** trust anchor name */
|
|
|
|
uint8_t* trust_anchor_name;
|
|
|
|
/** trust anchor labels */
|
|
|
|
int trust_anchor_labs;
|
|
|
|
/** trust anchor length */
|
|
|
|
size_t trust_anchor_len;
|
|
|
|
|
|
|
|
/** the DS rrset */
|
|
|
|
struct ub_packed_rrset_key* ds_rrset;
|
|
|
|
|
|
|
|
/** domain name for empty nonterminal detection */
|
|
|
|
uint8_t* empty_DS_name;
|
|
|
|
/** length of empty_DS_name */
|
|
|
|
size_t empty_DS_len;
|
|
|
|
|
|
|
|
/** the current key entry */
|
|
|
|
struct key_entry_key* key_entry;
|
|
|
|
|
|
|
|
/** subtype */
|
|
|
|
enum val_classification subtype;
|
|
|
|
|
|
|
|
/** signer name */
|
|
|
|
uint8_t* signer_name;
|
|
|
|
/** length of signer_name */
|
|
|
|
size_t signer_len;
|
|
|
|
|
|
|
|
/** true if this state is waiting to prime a trust anchor */
|
|
|
|
int wait_prime_ta;
|
|
|
|
|
|
|
|
/** have we already checked the DLV? */
|
|
|
|
int dlv_checked;
|
|
|
|
/** The name for which the DLV is looked up. For the current message
|
|
|
|
* or for the current RRset (for CNAME, REFERRAL types).
|
|
|
|
* If there is signer name, that may be it, else a domain name */
|
|
|
|
uint8_t* dlv_lookup_name;
|
|
|
|
/** length of dlv lookup name */
|
|
|
|
size_t dlv_lookup_name_len;
|
|
|
|
/** Name at which chain of trust stopped with insecure, starting DLV
|
|
|
|
* DLV must result in chain going further down */
|
|
|
|
uint8_t* dlv_insecure_at;
|
|
|
|
/** length of dlv insecure point name */
|
|
|
|
size_t dlv_insecure_at_len;
|
|
|
|
/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
|
|
|
|
enum dlv_status {
|
|
|
|
dlv_error, /* server failure */
|
|
|
|
dlv_success, /* got a DLV */
|
|
|
|
dlv_ask_higher, /* ask again */
|
|
|
|
dlv_there_is_no_dlv /* got no DLV, sure of it */
|
|
|
|
} dlv_status;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the validator function block.
|
|
|
|
* @return: function block with function pointers to validator methods.
|
|
|
|
*/
|
|
|
|
struct module_func_block* val_get_funcblock(void);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get validator state as a string
|
|
|
|
* @param state: to convert
|
|
|
|
* @return constant string that is printable.
|
|
|
|
*/
|
|
|
|
const char* val_state_to_string(enum val_state state);
|
|
|
|
|
|
|
|
/** validator init */
|
|
|
|
int val_init(struct module_env* env, int id);
|
|
|
|
|
|
|
|
/** validator deinit */
|
|
|
|
void val_deinit(struct module_env* env, int id);
|
|
|
|
|
|
|
|
/** validator operate on a query */
|
|
|
|
void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
|
|
|
struct outbound_entry* outbound);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* inform validator super.
|
|
|
|
*
|
|
|
|
* @param qstate: query state that finished.
|
|
|
|
* @param id: module id.
|
|
|
|
* @param super: the qstate to inform.
|
|
|
|
*/
|
|
|
|
void val_inform_super(struct module_qstate* qstate, int id,
|
|
|
|
struct module_qstate* super);
|
|
|
|
|
|
|
|
/** validator cleanup query state */
|
|
|
|
void val_clear(struct module_qstate* qstate, int id);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Debug helper routine that assists worker in determining memory in
|
|
|
|
* use.
|
|
|
|
* @param env: module environment
|
|
|
|
* @param id: module id.
|
|
|
|
* @return memory in use in bytes.
|
|
|
|
*/
|
|
|
|
size_t val_get_mem(struct module_env* env, int id);
|
|
|
|
|
|
|
|
#endif /* VALIDATOR_VALIDATOR_H */
|