1 /* -*- Mode: C; tab-width: 4 -*-
2 *
3 * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17 #ifndef __DNSSEC_H
18 #define __DNSSEC_H
19
20 #include "CryptoAlg.h"
21 #include "mDNSDebug.h"
22
// Identifies which record set a DNSSECVerifier is working on. Used as the `next` state
// of DNSSECVerifier_struct and as the `set` / `type` argument of AddRRSetToVerifier and
// ValidateRRSIG (declared below). The members appear to correspond one-to-one with the
// rrset / rrsig / key / rrsigKey / ds fields of DNSSECVerifier_struct.
typedef enum
{
    RRVS_rr,        // the record set being authenticated
    RRVS_rrsig,     // RRSIG covering that record set
    RRVS_key,       // DNSKEY that verifies the RRSIG
    RRVS_rrsig_key, // RRSIG covering the DNSKEY set
    RRVS_ds,        // DS record from the parent zone for the DNSKEY set
    RRVS_done,      // terminal state: nothing further to fetch or verify
} RRVerifierSet;
27
28 typedef struct RRVerifier_struct RRVerifier;
29 typedef struct DNSSECVerifier_struct DNSSECVerifier;
30 typedef struct AuthChain_struct AuthChain;
31
// One resource record captured for DNSSEC validation; records of the same set are
// chained through `next`. Instances come from AllocateRRVerifier / AddRRSetToVerifier
// (declared below).
struct RRVerifier_struct
{
    RRVerifier *next;       // next record of the same set (list presumably NULL-terminated)
    mDNSu16 rrtype;         // RR TYPE
    mDNSu16 rrclass;        // RR CLASS
    mDNSu32 rroriginalttl;  // TTL of the record. NOTE(review): presumably the RRSIG "Original TTL" needed for canonical form — confirm
    mDNSu16 rdlength;       // length of *rdata in bytes; every read of rdata must stay within this bound
    mDNSu16 found;          // NOTE(review): meaning not determinable from this header — see the implementation
    mDNSu32 namehash;       // presumably a hash of `name` for quick matching — confirm in the implementation
    mDNSu32 rdatahash;      // presumably a hash of the rdata bytes — confirm in the implementation
    domainname name;        // owner name of the record
    mDNSu8 *rdata;          // RDATA bytes (rdlength of them); who owns/frees this buffer is not stated here
};
45
// One link of the authentication chain built during validation. Each element holds one
// rrset (possibly several resource records of the same type), the rrsig that signs it, and
// the key that validates that signature. Elements hang off DNSSECVerifier_struct.ac /
// actail and are presumably appended by AuthChainLink (declared below).
struct AuthChain_struct
{
    AuthChain *next;        // Next element in the chain
    RRVerifier *rrset;      // RRSET that is authenticated
    RRVerifier *rrsig;      // Signature for that RRSET
    RRVerifier *key;        // Public key for that RRSET
};
55
// Completion callback for a verification; `status` is the DNSSECStatus outcome for `dv`.
// Note this is a function *type*, not a pointer type: DNSSECVerifier_struct stores a
// `DNSSECVerifierCallback *`, and a parameter declared with this type (see
// AllocateDNSSECVerifier below) adjusts to a pointer.
typedef void DNSSECVerifierCallback (mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status);
57 //
58 // When we do a validation for a question, there might be additional validations that need to be done, e.g.,
59 // wildcard expanded answer. It is also possible that in the case of nsec we need to prove both that a wildcard
60 // does not apply and the closest encloser proves that name does not exist. We identify these with the following
61 // flags.
62 //
63 // Note: In the following, by "marking the validation", we mean that, as part of validation, we need to prove
64 // the conditions that have been marked.
65 //
66 // A wildcard may be used to answer a question. In that case, we need to verify that the right wildcard was
67 // used in answering the question. This is done by marking the validation with WILDCARD_PROVES_ANSWER_EXPANDED.
68 //
69 // Sometimes we get an NXDOMAIN response. In this case, there may be a wildcard, and we need to prove
70 // that the wildcard does not cover the name, i.e. that the name does not exist. This is done by marking
71 // the validation with WILDCARD_PROVES_NONAME_EXISTS.
72 //
73 // In the case of a NODATA error, the name exists but records of the query type do not. This is proved by
74 // marking the validation with NSEC_PROVES_NOTYPE_EXISTS.
75 //
76 // In both NXDOMAIN and NODATA proofs, we may have to prove that the NAME does not exist. This is done by marking
77 // the validation with NSEC_PROVES_NONAME_EXISTS.
78 //
// Bit flags for the "marked validation" proofs described above; presumably OR-ed into
// DNSSECVerifier_struct.flags (an mDNSu32).
#define WILDCARD_PROVES_ANSWER_EXPANDED 0x00000001   // answer came from a wildcard: verify the right wildcard was used
#define WILDCARD_PROVES_NONAME_EXISTS   0x00000002   // NXDOMAIN: prove the wildcard shows the name does not exist
#define NSEC_PROVES_NOTYPE_EXISTS       0x00000004   // NODATA: name exists, the queried type does not
#define NSEC_PROVES_NONAME_EXISTS       0x00000008   // NXDOMAIN / NODATA: prove the name does not exist
83
// Per-question validation state. Presumably created by AllocateDNSSECVerifier and released
// by FreeDNSSECVerifier (declared below); `DVCallback` reports the outcome. Validation can
// recurse (a sub-verifier pointing back via `parent`), which is what `recursed` counts.
struct DNSSECVerifier_struct
{
    domainname origName;         // Original question name that needs verification
    mDNSu16 origType;            // Original question type corresponding to origName
    mDNSu16 currQtype;           // Current question type that is being verified
    mDNSInterfaceID InterfaceID; // InterfaceID of the question
    DNSQuestion q;               // Question used to fetch the records needed for validation (see InitializeQuestion below)
    mDNSu8 recursed;             // Number of times recursed during validation. This counter is the visible guard
                                 // against a crafted chain of referrals driving unbounded recursion and fetches;
                                 // the limit it is compared against lives in the implementation, not in this header.
    mDNSu32 flags;               // OR of the WILDCARD_PROVES_* / NSEC_PROVES_* bits defined above (presumably)
    RRVerifierSet next;          // Which record set to fetch / verify next (RRVS_done when finished)
    domainname *wildcardName;    // set if the answer is wildcard expanded
    RRVerifier *pendingNSEC;     // NSEC records held for a denial-of-existence proof (presumably)
    DNSSECVerifierCallback *DVCallback; // Called when verification completes (see DNSSECVerifierCallback above)
    DNSSECVerifier *parent;      // Verifier that spawned this one when recursing (presumably NULL at the top level)
    RRVerifier *rrset;           // rrset for which we have to verify
    RRVerifier *rrsig;           // RRSIG for rrset
    RRVerifier *key;             // DNSKEY for rrset
    RRVerifier *rrsigKey;        // RRSIG for DNSKEY
    RRVerifier *ds;              // DS for DNSKEY set in parent zone
    AuthChain *ac;               // Head of the authentication chain built so far
    AuthChain **actail;          // Address of the chain's last `next` slot, so AuthChainLink can append without a walk (presumably)
    AlgContext *ctx;             // Crypto algorithm context (type from CryptoAlg.h, included above)
};
107
// All DNSSEC logging is routed through LogOperation (presumably provided by mDNSDebug.h,
// included above) so it can be redirected or silenced in one place.
#define LogDNSSEC LogOperation
109
// RFC 1982 serial-number comparison for 32-bit values that wrap modulo 2^32 (DNS uses this
// arithmetic for, e.g., RRSIG inception/expiration times). The unsigned difference is
// reinterpreted as a signed int, so values less than 2^31 apart compare correctly across
// wrap-around. Caveats: assumes `int` is 32 bits wide; converting an out-of-range unsigned
// value to int is implementation-defined in C (two's-complement wrap on the compilers this
// code targets); and when the two values differ by exactly 2^31, RFC 1982 leaves the result
// undefined — here GT yields false and LT yields true. Each argument is evaluated once.
#define DNS_SERIAL_GT(a, b) ((int)((a) - (b)) > 0)
#define DNS_SERIAL_LT(a, b) ((int)((a) - (b)) < 0)
112
// Kicks off the validation state machine for `dv`; the outcome is presumably delivered via dv->DVCallback.
extern void StartDNSSECVerification(mDNS *const m, DNSSECVerifier *dv);
// Builds an RRVerifier from `rr`, reporting failure through *status. Who owns/frees the result
// (and its rdata buffer) is not stated in this header — confirm in the implementation before use.
extern RRVerifier* AllocateRRVerifier(const ResourceRecord *const rr, mStatus *status);
// Attaches `rv` (built from `rr`) to record set `set` of `dv`; returns an mStatus.
extern mStatus AddRRSetToVerifier(DNSSECVerifier *dv, const ResourceRecord *const rr, RRVerifier *rv, RRVerifierSet set);
// Performs the cryptographic check of dv's collected rrset / rrsig / key for question `q` (presumably via dv->ctx).
extern void VerifySignature(mDNS *const m, DNSSECVerifier *dv, DNSQuestion *q);
// Releases `dv` and, presumably, everything it owns (RRVerifier lists, AuthChain, ctx).
extern void FreeDNSSECVerifier(mDNS *const m, DNSSECVerifier *dv);
// Allocates a verifier for `name` / `rrtype` on `InterfaceID`. `dvcallback` presumably becomes dv->DVCallback
// and `qcallback` the callback of dv->q. Pair with FreeDNSSECVerifier.
extern DNSSECVerifier *AllocateDNSSECVerifier(mDNS *const m, const domainname *name, mDNSu16 rrtype, mDNSInterfaceID InterfaceID,
                                              DNSSECVerifierCallback dvcallback, mDNSQuestionCallback qcallback);
// Fills in `question` for `qname` / `qtype` on `InterfaceID` with the given callback and context pointer.
// NOTE(review): `callback` is declared `mDNSQuestionCallback *` here but AllocateDNSSECVerifier takes a bare
// `mDNSQuestionCallback qcallback`; if mDNSQuestionCallback is a function type both adjust to the same pointer,
// otherwise the two declarations disagree — confirm against its typedef.
extern void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname,
                               mDNSu16 qtype, mDNSQuestionCallback *callback, void *context);
// Checks the RRSIG record `rr` belonging to set `type` against `dv` before it is used; which fields are
// validated is not visible in this header.
extern void ValidateRRSIG(DNSSECVerifier *dv, RRVerifierSet type, const ResourceRecord *const rr);
// Appends `ae` to dv's authentication chain (dv->ac / dv->actail).
extern void AuthChainLink(DNSSECVerifier *dv, AuthChain *ae);
124
125 #endif // __DNSSEC_H