1/* -*- Mode: C; tab-width: 4 -*- 2 * 3 * Copyright (c) 2011-2013 Apple Inc. All rights reserved. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 18#ifndef __DNSSEC_H 19#define __DNSSEC_H 20 21#include "CryptoAlg.h" 22#include "mDNSDebug.h" 23 24typedef enum 25{ 26 RRVS_rr, RRVS_rrsig, RRVS_key, RRVS_rrsig_key, RRVS_ds, RRVS_done, 27} RRVerifierSet; 28 29typedef struct RRVerifier_struct RRVerifier; 30typedef struct DNSSECVerifier_struct DNSSECVerifier; 31typedef struct AuthChain_struct AuthChain; 32typedef struct InsecureContext_struct InsecureContext; 33 34struct RRVerifier_struct 35{ 36 RRVerifier *next; 37 mDNSu16 rrtype; 38 mDNSu16 rrclass; 39 mDNSu32 rroriginalttl; 40 mDNSu16 rdlength; 41 mDNSu16 found; 42 mDNSu32 namehash; 43 mDNSu32 rdatahash; 44 domainname name; 45 mDNSu8 *rdata; 46}; 47 48// Each AuthChain element has one rrset (with multiple resource records of same type), rrsig and key 49// that validates the rrset. 50struct AuthChain_struct 51{ 52 AuthChain *next; // Next element in the chain 53 RRVerifier *rrset; // RRSET that is authenticated 54 RRVerifier *rrsig; // Signature for that RRSET 55 RRVerifier *key; // Public key for that RRSET 56}; 57 58#define ResetAuthChain(dv) { \ 59 (dv)->ac = mDNSNULL; \ 60 (dv)->actail = &((dv)->ac); \ 61} 62 63typedef void DNSSECVerifierCallback (mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status); 64// 65// When we do a validation for a question, there might be additional validations that needs to be done e.g., 66// wildcard expanded answer. It is also possible that in the case of nsec we need to prove both that a wildcard 67// does not apply and the closest encloser proves that name does not exist. We identify these with the following 68// flags. 69// 70// Note: In the following, by "marking the validation", we mean that as part of validation we need to prove 71// the ones that are marked with. 72// 73// A wildcard may be used to answer a question. In that case, we need to verify that the right wildcard was 74// used in answering the question. This is done by marking the validation with WILDCARD_PROVES_ANSWER_EXPANDED. 75// 76// Sometimes we get a NXDOMAIN response. In this case, we may have a wildcard where we need to prove 77// that the wildcard proves that the name does not exist. This is done by marking the validation with 78// WILDCARD_PROVES_NONAME_EXISTS. 79// 80// In the case of NODATA error, sometimes the name may exist but the query type does not exist. This is done by 81// marking the validation with NSEC_PROVES_NOTYPE_EXISTS. 82// 83// In both NXDOMAIN and NODATA proofs, we may have to prove that the NAME does not exist. This is done by marking 84// the validation with NSEC_PROVES_NONAME_EXISTS. 85// 86#define WILDCARD_PROVES_ANSWER_EXPANDED 0x00000001 87#define WILDCARD_PROVES_NONAME_EXISTS 0x00000002 88#define NSEC_PROVES_NOTYPE_EXISTS 0x00000004 89#define NSEC_PROVES_NONAME_EXISTS 0x00000008 90#define NSEC3_OPT_OUT 0x00000010 // OptOut was set in NSEC3 91 92struct DNSSECVerifier_struct 93{ 94 domainname origName; // Original question name that needs verification 95 mDNSu16 origType; // Original question type corresponding to origName 96 mDNSu16 currQtype; // Current question type that is being verified 97 mDNSInterfaceID InterfaceID; // InterfaceID of the question 98 DNSQuestion q; 99 mDNSu8 recursed; // Number of times recursed during validation 100 mDNSu8 ValidationRequired; // Copy of the question's ValidationRequired status 101 mDNSu8 InsecureProofDone; 102 mDNSu8 NumPackets; // Number of packets that we send on the wire for DNSSEC verification. 103 mDNSs32 StartTime; // Time the DNSSEC verification starts 104 mDNSu32 flags; 105 RRVerifierSet next; 106 domainname *wildcardName; // set if the answer is wildcard expanded 107 RRVerifier *pendingNSEC; 108 DNSSECVerifierCallback *DVCallback; 109 DNSSECVerifier *parent; 110 RRVerifier *rrset; // rrset for which we have to verify 111 RRVerifier *rrsig; // RRSIG for rrset 112 RRVerifier *key; // DNSKEY for rrset 113 RRVerifier *rrsigKey; // RRSIG for DNSKEY 114 RRVerifier *ds; // DS for DNSKEY set in parent zone 115 AuthChain *saveac; 116 AuthChain *ac; 117 AuthChain **actail; 118 AlgContext *ctx; 119}; 120 121 122struct InsecureContext_struct 123{ 124 DNSSECVerifier *dv; // dv for which we are doing the insecure proof 125 mDNSu8 skip; // labels to skip for forming the name from origName 126 DNSSECStatus status; // status to deliver when done 127 mDNSu8 triggerLabelCount; // Label count of the name that triggered the insecure proof 128 DNSQuestion q; 129}; 130 131#define LogDNSSEC LogOperation 132 133#define DNS_SERIAL_GT(a, b) ((int)((a) - (b)) > 0) 134#define DNS_SERIAL_LT(a, b) ((int)((a) - (b)) < 0) 135 136extern void StartDNSSECVerification(mDNS *const m, void *context); 137extern RRVerifier* AllocateRRVerifier(const ResourceRecord *const rr, mStatus *status); 138extern mStatus AddRRSetToVerifier(DNSSECVerifier *dv, const ResourceRecord *const rr, RRVerifier *rv, RRVerifierSet set); 139extern void VerifySignature(mDNS *const m, DNSSECVerifier *dv, DNSQuestion *q); 140extern void FreeDNSSECVerifier(mDNS *const m, DNSSECVerifier *dv); 141extern DNSSECVerifier *AllocateDNSSECVerifier(mDNS *const m, const domainname *name, mDNSu16 rrtype, mDNSInterfaceID InterfaceID, 142 mDNSu8 ValidationRequired, DNSSECVerifierCallback dvcallback, mDNSQuestionCallback qcallback); 143extern void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname, 144 mDNSu16 qtype, mDNSQuestionCallback *callback, void *context); 145extern void ValidateRRSIG(DNSSECVerifier *dv, RRVerifierSet type, const ResourceRecord *const rr); 146extern void AuthChainLink(DNSSECVerifier *dv, AuthChain *ae); 147extern mStatus DNSNameToLowerCase(domainname *d, domainname *result); 148extern int DNSMemCmp(const mDNSu8 *const m1, const mDNSu8 *const m2, int len); 149extern int DNSSECCanonicalOrder(const domainname *const d1, const domainname *const d2, int *subdomain); 150extern void ProveInsecure(mDNS *const m, DNSSECVerifier *dv, InsecureContext *ic, domainname *trigger); 151extern void BumpDNSSECStats(mDNS *const m, DNSSECStatsAction action, DNSSECStatsType type, mDNSu32 value); 152extern char *DNSSECStatusName(DNSSECStatus status); 153 154// DNSSECProbe belongs in DNSSECSupport.h but then we don't want to expose yet another plaform specific dnssec file 155// to other platforms where dnssec is not supported. 156extern void DNSSECProbe(mDNS *const m); 157 158#endif // __DNSSEC_H 159