IABSD.fr/src/sbin/unwind/libunbound/validator/validator.h

Branch : - branch - master - tag -

• Show log

  Commit

• Author : florian
  Date : 2025-09-14 15:16:53
  Hash : eeb3fa46
  Message : Sync to unbound 1.23.1 heavy lifting by sthen This contains a few fixes for compiler warnings I'm going to feed upstream.

• sbin/unwind/libunbound/validator/validator.h

• /*
   * validator/validator.h - secure validator DNS query response module
   *
   * Copyright (c) 2007, NLnet Labs. All rights reserved.
   *
   * This software is open source.
   * 
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   * 
   * Redistributions of source code must retain the above copyright notice,
   * this list of conditions and the following disclaimer.
   * 
   * Redistributions in binary form must reproduce the above copyright notice,
   * this list of conditions and the following disclaimer in the documentation
   * and/or other materials provided with the distribution.
   * 
   * Neither the name of the NLNET LABS nor the names of its contributors may
   * be used to endorse or promote products derived from this software without
   * specific prior written permission.
   * 
   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
   * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
   * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
   * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
   * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
   * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
  
  /**
   * \file
   *
   * This file contains a module that performs validation of DNS queries.
   * According to RFC 4034.
   */
  
  #ifndef VALIDATOR_VALIDATOR_H
  #define VALIDATOR_VALIDATOR_H
  #include "util/module.h"
  #include "util/data/msgreply.h"
  #include "validator/val_utils.h"
  #include "validator/val_nsec3.h"
  struct val_anchors;
  struct key_cache;
  struct key_entry_key;
  struct val_neg_cache;
  struct config_strlist;
  struct comm_timer;
  struct config_file;
  
  /**
   * This is the TTL to use when a trust anchor fails to prime. A trust anchor
   * will be primed no more often than this interval.  Used when harden-
   * dnssec-stripped is off and the trust anchor fails.
   */
  #define NULL_KEY_TTL	60 /* seconds */
  
  /**
   * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
   * trust the entire zone for that name is blacked out for this TTL.
   */
  #define BOGUS_KEY_TTL	60 /* seconds */
  
  /** Root key sentinel is ta preamble */
  #define SENTINEL_IS		"root-key-sentinel-is-ta-"
  /** Root key sentinel is not ta preamble */
  #define SENTINEL_NOT		"root-key-sentinel-not-ta-"
  /** Root key sentinel keytag length */
  #define SENTINEL_KEYTAG_LEN	5
  
  /**
   * Global state for the validator. 
   */
  struct val_env {
  	/** key cache; these are validated keys. trusted keys only
  	 * end up here after being primed. */
  	struct key_cache* kcache;
  
  	/** aggressive negative cache. index into NSECs in rrset cache. */
  	struct val_neg_cache* neg_cache;
  
  	/** for debug testing a fixed validation date can be entered.
  	 * if 0, current time is used for rrsig validation */
  	int32_t date_override;
  
  	/** clock skew min for signatures */
  	int32_t skew_min;
  
  	/** clock skew max for signatures */
  	int32_t skew_max;
  
  	/** max number of query restarts, number of IPs to probe */
  	int max_restart;
  
  	/** TTL for bogus data; used instead of untrusted TTL from data.
  	 * Bogus data will not be verified more often than this interval. 
  	 * seconds. */
  	uint32_t bogus_ttl;
  
  	/**
  	 * Number of entries in the NSEC3 maximum iteration count table.
  	 * Keep this table short, and sorted by size
  	 */
  	int nsec3_keyiter_count;
  
  	/**
  	 * NSEC3 maximum iteration count per signing key size.
  	 * This array contains key size values (in increasing order)
  	 */
  	size_t* nsec3_keysize;
  
  	/**
  	 * NSEC3 maximum iteration count per signing key size.
  	 * This array contains the maximum iteration count for the keysize
  	 * in the keysize array.
  	 */
  	size_t* nsec3_maxiter;
  
  	/** lock on bogus counter */
  	lock_basic_type bogus_lock;
  	/** number of times rrsets marked bogus */
  	size_t num_rrset_bogus;
  };
  
  /**
   * State of the validator for a query.
   */
  enum val_state {
  	/** initial state for validation */
  	VAL_INIT_STATE = 0,
  	/** find the proper keys for validation, follow trust chain */
  	VAL_FINDKEY_STATE,
  	/** validate the answer, using found key entry */
  	VAL_VALIDATE_STATE,
  	/** finish up */
  	VAL_FINISHED_STATE,
  };
  
  /**
   * Per query state for the validator module.
   */
  struct val_qstate {
  	/** 
  	 * State of the validator module.
  	 */
  	enum val_state state;
  
  	/**
  	 * The original message we have been given to validate.
  	 */
  	struct dns_msg* orig_msg;
  
  	/**
  	 * The query restart count
  	 */
  	int restart_count;
  	/** The blacklist saved for chain of trust elements */
  	struct sock_list* chain_blacklist;
  
  	/**
  	 * The query name we have chased to; qname after following CNAMEs
  	 */
  	struct query_info qchase;
  
  	/**
  	 * The chased reply, extract from original message. Can be:
  	 * 	o CNAME
  	 * 	o DNAME + CNAME
  	 * 	o answer 
  	 * 	plus authority, additional (nsecs) that have same signature.
  	 */
  	struct reply_info* chase_reply;
  
  	/**
  	 * The cname skip value; the number of rrsets that have been skipped
  	 * due to chasing cnames. This is the offset into the 
  	 * orig_msg->rep->rrsets array, into the answer section.
  	 * starts at 0 - for the full original message.
  	 * if it is >0 - qchase followed the cname, chase_reply setup to be
  	 * that message and relevant authority rrsets.
  	 *
  	 * The skip is also used for referral messages, where it will
  	 * range from 0, over the answer, authority and additional sections.
  	 */
  	size_t rrset_skip;
  
  	/** trust anchor name */
  	uint8_t* trust_anchor_name;
  	/** trust anchor labels */
  	int trust_anchor_labs;
  	/** trust anchor length */
  	size_t trust_anchor_len;
  
  	/** the DS rrset */
  	struct ub_packed_rrset_key* ds_rrset;
  
  	/** domain name for empty nonterminal detection */
  	uint8_t* empty_DS_name;
  	/** length of empty_DS_name */
  	size_t empty_DS_len;
  
  	/** the current key entry */
  	struct key_entry_key* key_entry;
  
  	/** subtype */
  	enum val_classification subtype;
  
  	/** signer name */
  	uint8_t* signer_name;
  	/** length of signer_name */
  	size_t signer_len;
  
  	/** true if this state is waiting to prime a trust anchor */
  	int wait_prime_ta;
  
  	/** State to continue with RRSIG validation in a message later */
  	int msg_signatures_state;
  	/** The rrset index for the msg signatures to continue from */
  	size_t msg_signatures_index;
  	/** Cache table for NSEC3 hashes */
  	struct nsec3_cache_table nsec3_cache_table;
  	/** DS message from sub if it got suspended from NSEC3 calculations */
  	struct dns_msg* sub_ds_msg;
  	/** The timer to resume processing msg signatures */
  	struct comm_timer* suspend_timer;
  	/** Number of suspends */
  	int suspend_count;
  };
  
  /**
   * Get the validator function block.
   * @return: function block with function pointers to validator methods.
   */
  struct module_func_block* val_get_funcblock(void);
  
  /**
   * Get validator state as a string
   * @param state: to convert
   * @return constant string that is printable.
   */
  const char* val_state_to_string(enum val_state state);
  
  /** validator init */
  int val_init(struct module_env* env, int id);
  
  /** validator deinit */
  void val_deinit(struct module_env* env, int id);
  
  /** validator operate on a query */
  void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
          struct outbound_entry* outbound);
  
  /** 
   * inform validator super.
   * 
   * @param qstate: query state that finished.
   * @param id: module id.
   * @param super: the qstate to inform.
   */
  void val_inform_super(struct module_qstate* qstate, int id,
  	struct module_qstate* super);
  
  /** validator cleanup query state */
  void val_clear(struct module_qstate* qstate, int id);
  
  /**
   * Debug helper routine that assists worker in determining memory in 
   * use.
   * @param env: module environment 
   * @param id: module id.
   * @return memory in use in bytes.
   */
  size_t val_get_mem(struct module_env* env, int id);
  
  /** Timer callback for msg signatures continue timer */
  void validate_suspend_timer_cb(void* arg);
  
  /**
   * Parse the val_nsec3_key_iterations string.
   * @param val_nsec3_key_iterations: the string with nsec3 iterations config.
   * @param keysize: returns malloced key size array on success.
   * @param maxiter: returns malloced max iterations array on success.
   * @param keyiter_count: returns size of keysize and maxiter arrays.
   * @return false if it does not parse correctly.
   */
  int val_env_parse_key_iter(char* val_nsec3_key_iterations, size_t** keysize,
  	size_t** maxiter, int* keyiter_count);
  
  /**
   * Apply config to validator env
   * @param val_env: validator env.
   * @param cfg: config
   * @param keysize: nsec3 key size array.
   * @param maxiter: nsec3 max iterations array.
   * @param keyiter_count: size of keysize and maxiter arrays.
   */
  void val_env_apply_cfg(struct val_env* val_env, struct config_file* cfg,
  	size_t* keysize, size_t* maxiter, int keyiter_count);
  
  #endif /* VALIDATOR_VALIDATOR_H */