1/*	$NetBSD: validator.h,v 1.9 2024/02/21 22:52:11 christos Exp $	*/
2
3/*
4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 *
6 * SPDX-License-Identifier: MPL-2.0
7 *
8 * This Source Code Form is subject to the terms of the Mozilla Public
9 * License, v. 2.0. If a copy of the MPL was not distributed with this
10 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11 *
12 * See the COPYRIGHT file distributed with this work for additional
13 * information regarding copyright ownership.
14 */
15
16#pragma once
17
18/*****
19***** Module Info
20*****/
21
22/*! \file dns/validator.h
23 *
24 * \brief
25 * DNS Validator
26 * This is the BIND 9 validator, the module responsible for validating the
27 * rdatasets and negative responses (messages).  It makes use of zones in
28 * the view and may fetch RRset to complete trust chains.  It implements
29 * DNSSEC as specified in RFC 4033, 4034 and 4035.
30 *
31 * Correct operation is critical to preventing spoofed answers from secure
32 * zones being accepted.
33 *
34 * MP:
35 *\li	The module ensures appropriate synchronization of data structures it
36 *	creates and manipulates.
37 *
38 * Reliability:
39 *\li	No anticipated impact.
40 *
41 * Resources:
42 *\li	TBS
43 *
44 * Security:
45 *\li	No anticipated impact.
46 *
47 * Standards:
48 *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
49 */
50
51#include <stdbool.h>
52
53#include <isc/event.h>
54#include <isc/lang.h>
55#include <isc/mutex.h>
56
57#include <dns/fixedname.h>
58#include <dns/rdataset.h>
59#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
60#include <dns/types.h>
61
62#include <dst/dst.h>
63
64/*%
65 * A dns_validatorevent_t is sent when a 'validation' completes.
66 * \brief
67 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
68 * supplied when dns_validator_create() was called.  They are returned to the
69 * caller so that they may be freed.
70 *
71 * If the RESULT is ISC_R_SUCCESS and the answer is secure then
72 * proofs[] will contain the names of the NSEC records that hold the
73 * various proofs.  Note the same name may appear multiple times.
74 */
75typedef struct dns_validatorevent {
76	ISC_EVENT_COMMON(struct dns_validatorevent);
77	dns_validator_t *validator;
78	isc_result_t	 result;
79	/*
80	 * Name and type of the response to be validated.
81	 */
82	dns_name_t     *name;
83	dns_rdatatype_t type;
84	/*
85	 * Rdata and RRSIG (if any) for positive responses.
86	 */
87	dns_rdataset_t *rdataset;
88	dns_rdataset_t *sigrdataset;
89	/*
90	 * The full response.  Required for negative responses.
91	 * Also required for positive wildcard responses.
92	 */
93	dns_message_t *message;
94	/*
95	 * Proofs to be cached.
96	 */
97	dns_name_t *proofs[4];
98	/*
99	 * Optout proof seen.
100	 */
101	bool optout;
102	/*
103	 * Answer is secure.
104	 */
105	bool secure;
106} dns_validatorevent_t;
107
108#define DNS_VALIDATOR_NOQNAMEPROOF    0
109#define DNS_VALIDATOR_NODATAPROOF     1
110#define DNS_VALIDATOR_NOWILDCARDPROOF 2
111#define DNS_VALIDATOR_CLOSESTENCLOSER 3
112
113/*%
114 * A validator object represents a validation in progress.
115 * \brief
116 * Clients are strongly discouraged from using this type directly, with
117 * the exception of the 'link' field, which may be used directly for
118 * whatever purpose the client desires.
119 */
120struct dns_validator {
121	/* Unlocked. */
122	unsigned int magic;
123	isc_mutex_t  lock;
124	dns_view_t  *view;
125	/* Locked by lock. */
126	unsigned int	      options;
127	unsigned int	      attributes;
128	dns_validatorevent_t *event;
129	dns_fetch_t	     *fetch;
130	dns_validator_t	     *subvalidator;
131	dns_validator_t	     *parent;
132	dns_keytable_t	     *keytable;
133	dst_key_t	     *key;
134	dns_rdata_rrsig_t    *siginfo;
135	isc_task_t	     *task;
136	isc_taskaction_t      action;
137	void		     *arg;
138	unsigned int	      labels;
139	dns_rdataset_t	     *currentset;
140	dns_rdataset_t	     *keyset;
141	dns_rdataset_t	     *dsset;
142	dns_rdataset_t	      fdsset;
143	dns_rdataset_t	      frdataset;
144	dns_rdataset_t	      fsigrdataset;
145	dns_fixedname_t	      fname;
146	dns_fixedname_t	      wild;
147	dns_fixedname_t	      closest;
148	ISC_LINK(dns_validator_t) link;
149	bool	      mustbesecure;
150	unsigned int  depth;
151	unsigned int  authcount;
152	unsigned int  authfail;
153	bool	      failed;
154	isc_stdtime_t start;
155};
156
157/*%
158 * dns_validator_create() options.
159 */
160/* obsolete: #define DNS_VALIDATOR_DLV	0x0001U */
161#define DNS_VALIDATOR_DEFER    0x0002U
162#define DNS_VALIDATOR_NOCDFLAG 0x0004U
163#define DNS_VALIDATOR_NONTA    0x0008U /*% Ignore NTA table */
164
165ISC_LANG_BEGINDECLS
166
167isc_result_t
168dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
169		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
170		     dns_message_t *message, unsigned int options,
171		     isc_task_t *task, isc_taskaction_t action, void *arg,
172		     dns_validator_t **validatorp);
173/*%<
174 * Start a DNSSEC validation.
175 *
176 * This validates a response to the question given by
177 * 'name' and 'type'.
178 *
179 * To validate a positive response, the response data is
180 * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
181 * is NULL, the data is presumed insecure and an attempt
182 * is made to prove its insecurity by finding the appropriate
183 * null key.
184 *
185 * The complete response message may be given in 'message',
186 * to make available any authority section NSECs that may be
187 * needed for validation of a response resulting from a
188 * wildcard expansion (though no such wildcard validation
189 * is implemented yet).  If the complete response message
190 * is not available, 'message' is NULL.
191 *
192 * To validate a negative response, the complete negative response
193 * message is given in 'message'.  The 'rdataset', and
194 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
195 * arguments must be provided.
196 *
197 * The validation is performed in the context of 'view'.
198 *
199 * When the validation finishes, a dns_validatorevent_t with
200 * the given 'action' and 'arg' are sent to 'task'.
201 * Its 'result' field will be ISC_R_SUCCESS iff the
202 * response was successfully proven to be either secure or
203 * part of a known insecure domain.
204 */
205
206void
207dns_validator_send(dns_validator_t *validator);
208/*%<
209 * Send a deferred validation request
210 *
211 * Requires:
212 *	'validator' to points to a valid DNSSEC validator.
213 */
214
215void
216dns_validator_cancel(dns_validator_t *validator);
217/*%<
218 * Cancel a DNSSEC validation in progress.
219 *
220 * Requires:
221 *\li	'validator' points to a valid DNSSEC validator, which
222 *	may or may not already have completed.
223 *
224 * Ensures:
225 *\li	It the validator has not already sent its completion
226 *	event, it will send it with result code ISC_R_CANCELED.
227 */
228
229void
230dns_validator_destroy(dns_validator_t **validatorp);
231/*%<
232 * Destroy a DNSSEC validator.
233 *
234 * Requires:
235 *\li	'*validatorp' points to a valid DNSSEC validator.
236 * \li	The validator must have completed and sent its completion
237 * 	event.
238 *
239 * Ensures:
240 *\li	All resources used by the validator are freed.
241 */
242
243ISC_LANG_ENDDECLS
244