From: Wouter Wijngaards Date: Tue, 7 Aug 2007 08:27:23 +0000 (+0000) Subject: security status. X-Git-Tag: release-0.5~146 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff4f04de2a6a75c1004611120f704fc2a8aba319;p=thirdparty%2Funbound.git security status. git-svn-id: file:///svn/unbound/trunk@495 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index b16c94218..d8f394449 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+7 August 2007: Wouter
+ - security status type.
+
 6 August 2007: Wouter
 - key cache for validator.
 - moved isroot and dellabel to own dname routines, with unit test.
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
index 64b0c9ef2..46d943bc3 100644
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@@ -73,7 +73,8 @@ parse_create_qinfo(ldns_buffer* pkt, struct msg_parse* msg,
 /** constructor for replyinfo */
 static struct reply_info*
 construct_reply_info_base(struct region* region, uint16_t flags, size_t qd,
- uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total)
+ uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total,
+ enum sec_status sec)
 {
 struct reply_info* rep;
 /* rrset_count-1 because the first ref is part of the struct. */
@@ -92,6 +93,7 @@ construct_reply_info_base(struct region* region, uint16_t flags, size_t qd,
 rep->ns_numrrsets = ns;
 rep->ar_numrrsets = ar;
 rep->rrset_count = total;
+ rep->security = sec;
 /* array starts after the refs */
 if(region)
 rep->rrsets = (struct ub_packed_rrset_key**)&(rep->ref[0]);
@@ -110,7 +112,7 @@ parse_create_repinfo(struct msg_parse* msg, struct reply_info** rep,
 {
 *rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0,
 msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets,
- msg->rrset_count);
+ msg->rrset_count, sec_status_unchecked);
 if(!*rep)
 return 0;
 return 1;
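Review bot: The one-line `/** constructor for replyinfo */` comment on construct_reply_info_base says nothing about the new `sec` parameter, although the value is stored verbatim in `rep->security` and the two call sites in this commit pass different things (parse_create_repinfo passes `sec_status_unchecked`, reply_info_copy passes `rep->security`). A short contract on the constructor would settle what a future caller should pass: `/** constructor for replyinfo; sec is stored unchanged in rep->security, use sec_status_unchecked for a freshly parsed reply */`. The body of construct_reply_info_base continues outside the hunk.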
@@ -229,6 +231,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
 data->count = pset->rr_count;
 data->rrsig_count = pset->rrsig_count;
 data->trust = rrset_trust_none;
+ data->security = sec_status_unchecked;
 /* layout: struct - rr_len - rr_data - rr_ttl - rdata - rrsig */
 data->rr_len = (size_t*)((uint8_t*)data +
 sizeof(struct packed_rrset_data));
@@ -345,6 +348,7 @@ parse_copy_decompress(ldns_buffer* pkt, struct msg_parse* msg,
 struct packed_rrset_data* data;
 log_assert(rep);
 rep->ttl = MAX_TTL;
+ rep->security = sec_status_unchecked;
 if(rep->rrset_count == 0)
 rep->ttl = NORR_TTL;
 
@@ -623,7 +627,7 @@ reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
 struct reply_info* cp;
 cp = construct_reply_info_base(region, rep->flags, rep->qdcount,
 rep->ttl, rep->an_numrrsets, rep->ns_numrrsets,
- rep->ar_numrrsets, rep->rrset_count);
+ rep->ar_numrrsets, rep->rrset_count, rep->security);
 if(!cp)
 return NULL;
 /* allocate ub_key structures special or not */
diff --git a/util/data/msgreply.h b/util/data/msgreply.h
index c75afe36d..f7a30cc3c 100644
--- a/util/data/msgreply.h
+++ b/util/data/msgreply.h
@@ -109,6 +109,11 @@ struct reply_info {
 */
 uint32_t ttl;
 
+ /**
+ * The security status from DNSSEC validation of this message.
+ */
+ enum sec_status security;
+
 /**
 * Number of RRsets in each section.
 * The answer section. Add up the RRs in every RRset to calculate
diff --git a/util/data/packed_rrset.c b/util/data/packed_rrset.c
index 9ee948e0a..286beb18e 100644
--- a/util/data/packed_rrset.c
+++ b/util/data/packed_rrset.c
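Review bot: In parse_copy_decompress the added `rep->security = sec_status_unchecked;` writes a field that construct_reply_info_base now already stores, and on the parse path parse_create_repinfo passes that same `sec_status_unchecked`, so the status is set twice. If the line is meant to reset a reply_info that is reused rather than freshly built, a comment should say so, e.g. `/* parsed data is always unchecked until the validator has run */`; otherwise one of the two writes can go. The reply_info_copy hunk does the right thing by passing `rep->security` through, since a copied message presumably must keep exactly the status the original had rather than silently falling back to unchecked or secure. parse_copy_decompress and reply_info_copy both continue outside their hunks.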
@@ -223,3 +223,37 @@ packed_rrset_ttl_add(struct packed_rrset_data* data, uint32_t add)
 for(i=0; irr_ttl[i] += add;
 }
+
+const char*
+rrset_trust_to_string(enum rrset_trust s)
+{
+ switch(s) {
+ case rrset_trust_none: return "rrset_trust_none";
+ case rrset_trust_add_noAA: return "rrset_trust_add_noAA";
+ case rrset_trust_auth_noAA: return "rrset_trust_auth_noAA";
+ case rrset_trust_add_AA: return "rrset_trust_add_AA";
+ case rrset_trust_nonauth_ans_AA:return "rrset_trust_nonauth_ans_AA";
+ case rrset_trust_ans_noAA: return "rrset_trust_ans_noAA";
+ case rrset_trust_glue: return "rrset_trust_glue";
+ case rrset_trust_auth_AA: return "rrset_trust_auth_AA";
+ case rrset_trust_ans_AA: return "rrset_trust_ans_AA";
+ case rrset_trust_sec_noglue: return "rrset_trust_sec_noglue";
+ case rrset_trust_prim_noglue: return "rrset_trust_prim_noglue";
+ case rrset_trust_validated: return "rrset_trust_validated";
+ case rrset_trust_ultimate: return "rrset_trust_ultimate";
+ }
+ return "unknown_rrset_trust_value";
+}
+
+const char*
+sec_status_to_string(enum sec_status s)
+{
+ switch(s) {
+ case sec_status_unchecked: return "sec_status_unchecked";
+ case sec_status_bogus: return "sec_status_bogus";
+ case sec_status_indeterminate: return "sec_status_indeterminate";
+ case sec_status_insecure: return "sec_status_insecure";
+ case sec_status_secure: return "sec_status_secure";
+ }
+ return "unknown_sec_status_value";
+}
diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h
index 1439ff508..482be3a46 100644
--- a/util/data/packed_rrset.h
+++ b/util/data/packed_rrset.h
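Review bot: Neither switch in rrset_trust_to_string nor the one in sec_status_to_string has a `default:` label, and that is the right choice here: with -Wswitch the compiler flags any enumerator added later, while the `return "unknown_..."` after the switch still covers an out-of-range integer. A one-line comment would stop a later reader from "fixing" it: `/* no default: the compiler must warn when an enumerator is added */`. The context lines of packed_rrset_ttl_add above the additions are garbled in this rendering (`for(i=0; irr_ttl[i] += add;`), which looks like a `<` lost in transport rather than anything the commit changed.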
@@ -149,6 +149,28 @@ enum rrset_trust {
 rrset_trust_ultimate
 };
 
+/**
+ * Security status from validation for data.
+ */
+enum sec_status {
+ /** UNCHECKED means that object has yet to be validated. */
+ sec_status_unchecked = 0,
+ /** BOGUS means that the object (RRset or message) failed to validate
+ * (according to local policy), but should have validated. */
+ sec_status_bogus,
+ /** INDETERMINATE means that the object is insecure, but not
+ * authoritatively so. Generally this means that the RRset is not
+ * below a configured trust anchor. */
+ sec_status_indeterminate,
+ /** INSECURE means that the object is authoritatively known to be
+ * insecure. Generally this means that this RRset is below a trust
+ * anchor, but also below a verified, insecure delegation. */
+ sec_status_insecure,
+ /** SECURE means that the object (RRset or message) validated
+ * according to local policy. */
+ sec_status_secure
+};
+
 /**
 * RRset data.
 *
@@ -189,6 +211,8 @@ struct packed_rrset_data {
 size_t rrsig_count;
 /** the trustworthiness of the rrset data */
 enum rrset_trust trust;
+ /** security status of the rrset data */
+ enum sec_status security;
 /** length of every rr's rdata, rr_len[i] is size of rr_data[i]. */
 size_t* rr_len;
 /** ttl of every rr. rr_ttl[i] ttl of rr i. */
@@ -318,4 +342,18 @@ void packed_rrset_ttl_add(struct packed_rrset_data* data, uint32_t add);
 void get_cname_target(struct ub_packed_rrset_key* rrset, uint8_t** dname,
 size_t* dname_len);
 
+/**
+ * Get a printable string for a rrset trust value
+ * @param s: rrset trust value
+ * @return printable string.
+ */
+const char* rrset_trust_to_string(enum rrset_trust s);
+
+/**
+ * Get a printable string for a security status value
+ * @param s: security status
+ * @return printable string.
+ */
+const char* sec_status_to_string(enum sec_status s);
+
 #endif /* UTIL_DATA_PACKED_RRSET_H */
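Review bot: The `enum sec_status` comment should say that `sec_status_unchecked = 0` is deliberate: a zero-initialised reply_info or packed_rrset_data then starts in the "yet to be validated" state, so a missed assignment fails closed instead of reading as secure; `/** unchecked is 0 on purpose: zeroed memory is never mistaken for a validated state */` above the enum would pin that down. The enumerators are also listed from unchecked up to secure, but nothing states whether the numeric order means anything; add either `/* values are only compared for equality */` or `/* ordered: a higher value is more trusted */`, whichever the validator is going to rely on. The same note applies to the `security` field added to struct reply_info in msgreply.h, whose comment names the source (DNSSEC validation) but not the default.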