2 * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: keytable.c,v 1.41 2010/06/25 23:46:51 tbox Exp $ */
25 #include <isc/rwlock.h>
26 #include <isc/string.h> /* Required for HP/UX (and others?) */
29 #include <dns/keytable.h>
30 #include <dns/fixedname.h>
32 #include <dns/result.h>
35 free_keynode(void *node, void *arg) {
36 dns_keynode_t *keynode = node;
37 isc_mem_t *mctx = arg;
39 dns_keynode_detachall(mctx, &keynode);
43 dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
44 dns_keytable_t *keytable;
51 REQUIRE(keytablep != NULL && *keytablep == NULL);
53 keytable = isc_mem_get(mctx, sizeof(*keytable));
55 return (ISC_R_NOMEMORY);
57 keytable->table = NULL;
58 result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
59 if (result != ISC_R_SUCCESS)
60 goto cleanup_keytable;
62 result = isc_mutex_init(&keytable->lock);
63 if (result != ISC_R_SUCCESS)
66 result = isc_rwlock_init(&keytable->rwlock, 0, 0);
67 if (result != ISC_R_SUCCESS)
70 keytable->mctx = mctx;
71 keytable->active_nodes = 0;
72 keytable->references = 1;
73 keytable->magic = KEYTABLE_MAGIC;
74 *keytablep = keytable;
76 return (ISC_R_SUCCESS);
79 DESTROYLOCK(&keytable->lock);
82 dns_rbt_destroy(&keytable->table);
85 isc_mem_put(mctx, keytable, sizeof(*keytable));
91 dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
94 * Attach *targetp to source.
97 REQUIRE(VALID_KEYTABLE(source));
98 REQUIRE(targetp != NULL && *targetp == NULL);
100 RWLOCK(&source->rwlock, isc_rwlocktype_write);
102 INSIST(source->references > 0);
103 source->references++;
104 INSIST(source->references != 0);
106 RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
112 dns_keytable_detach(dns_keytable_t **keytablep) {
113 isc_boolean_t destroy = ISC_FALSE;
114 dns_keytable_t *keytable;
117 * Detach *keytablep from its keytable.
120 REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
122 keytable = *keytablep;
124 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
126 INSIST(keytable->references > 0);
127 keytable->references--;
128 LOCK(&keytable->lock);
129 if (keytable->references == 0 && keytable->active_nodes == 0)
131 UNLOCK(&keytable->lock);
133 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
136 dns_rbt_destroy(&keytable->table);
137 isc_rwlock_destroy(&keytable->rwlock);
138 DESTROYLOCK(&keytable->lock);
140 isc_mem_put(keytable->mctx, keytable, sizeof(*keytable));
147 insert(dns_keytable_t *keytable, isc_boolean_t managed,
148 dns_name_t *keyname, dst_key_t **keyp)
151 dns_keynode_t *knode = NULL;
154 REQUIRE(keyp == NULL || *keyp != NULL);
155 REQUIRE(VALID_KEYTABLE(keytable));
157 result = dns_keynode_create(keytable->mctx, &knode);
158 if (result != ISC_R_SUCCESS)
161 knode->managed = managed;
163 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
166 result = dns_rbt_addnode(keytable->table, keyname, &node);
169 if (result == ISC_R_EXISTS) {
170 /* Key already in table? */
172 for (k = node->data; k != NULL; k = k->next) {
173 if (k->key == NULL) {
177 if (dst_key_compare(k->key, *keyp) == ISC_TRUE)
182 result = ISC_R_SUCCESS;
187 if (result == ISC_R_SUCCESS) {
189 knode->next = node->data;
194 if (result == ISC_R_SUCCESS) {
199 /* Key was already there? That's the same as a success */
200 if (result == ISC_R_EXISTS)
201 result = ISC_R_SUCCESS;
203 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
206 dns_keynode_detach(keytable->mctx, &knode);
212 dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
215 REQUIRE(keyp != NULL && *keyp != NULL);
216 return (insert(keytable, managed, dst_key_name(*keyp), keyp));
220 dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name) {
221 return (insert(keytable, ISC_TRUE, name, NULL));
225 dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname) {
227 dns_rbtnode_t *node = NULL;
229 REQUIRE(VALID_KEYTABLE(keytable));
230 REQUIRE(keyname != NULL);
232 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
233 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
234 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
235 if (result == ISC_R_SUCCESS) {
236 if (node->data != NULL)
237 result = dns_rbt_deletenode(keytable->table,
240 result = ISC_R_NOTFOUND;
241 } else if (result == DNS_R_PARTIALMATCH)
242 result = ISC_R_NOTFOUND;
243 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
249 dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey) {
252 dns_rbtnode_t *node = NULL;
253 dns_keynode_t *knode = NULL, **kprev = NULL;
255 REQUIRE(VALID_KEYTABLE(keytable));
256 REQUIRE(dstkey != NULL);
258 keyname = dst_key_name(dstkey);
260 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
261 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
262 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
264 if (result == DNS_R_PARTIALMATCH)
265 result = ISC_R_NOTFOUND;
266 if (result != ISC_R_SUCCESS)
269 if (node->data == NULL) {
270 result = ISC_R_NOTFOUND;
275 if (knode->next == NULL &&
276 (knode->key == NULL ||
277 dst_key_compare(knode->key, dstkey) == ISC_TRUE)) {
278 result = dns_rbt_deletenode(keytable->table, node, ISC_FALSE);
282 kprev = (dns_keynode_t **) &node->data;
283 while (knode != NULL) {
284 if (dst_key_compare(knode->key, dstkey) == ISC_TRUE)
286 kprev = &knode->next;
291 if (knode->key != NULL)
292 dst_key_free(&knode->key);
294 * This is equivalent to:
295 * dns_keynode_attach(knode->next, &tmp);
296 * dns_keynode_detach(kprev);
297 * dns_keynode_attach(tmp, &kprev);
298 * dns_keynode_detach(&tmp);
300 *kprev = knode->next;
302 dns_keynode_detach(keytable->mctx, &knode);
304 result = DNS_R_PARTIALMATCH;
306 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
311 dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
312 dns_keynode_t **keynodep)
315 dns_rbtnode_t *node = NULL;
317 REQUIRE(VALID_KEYTABLE(keytable));
318 REQUIRE(keyname != NULL);
319 REQUIRE(keynodep != NULL && *keynodep == NULL);
321 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
322 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
323 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
324 if (result == ISC_R_SUCCESS) {
325 if (node->data != NULL) {
326 LOCK(&keytable->lock);
327 keytable->active_nodes++;
328 UNLOCK(&keytable->lock);
329 dns_keynode_attach(node->data, keynodep);
331 result = ISC_R_NOTFOUND;
332 } else if (result == DNS_R_PARTIALMATCH)
333 result = ISC_R_NOTFOUND;
334 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
340 dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
341 dns_keynode_t **nextnodep)
344 * Return the next key after 'keynode', regardless of
348 REQUIRE(VALID_KEYTABLE(keytable));
349 REQUIRE(VALID_KEYNODE(keynode));
350 REQUIRE(nextnodep != NULL && *nextnodep == NULL);
352 if (keynode->next == NULL)
353 return (ISC_R_NOTFOUND);
355 dns_keynode_attach(keynode->next, nextnodep);
356 LOCK(&keytable->lock);
357 keytable->active_nodes++;
358 UNLOCK(&keytable->lock);
360 return (ISC_R_SUCCESS);
364 dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
365 dns_secalg_t algorithm, dns_keytag_t tag,
366 dns_keynode_t **keynodep)
369 dns_keynode_t *knode;
373 * Search for a key named 'name', matching 'algorithm' and 'tag' in
377 REQUIRE(VALID_KEYTABLE(keytable));
378 REQUIRE(dns_name_isabsolute(name));
379 REQUIRE(keynodep != NULL && *keynodep == NULL);
381 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
384 * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
385 * as that indicates that 'name' was not found.
387 * DNS_R_PARTIALMATCH indicates that the name was found but we
388 * didn't get a match on algorithm and key id arguments.
392 result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
394 if (result == ISC_R_SUCCESS) {
395 INSIST(data != NULL);
396 for (knode = data; knode != NULL; knode = knode->next) {
397 if (knode->key == NULL) {
401 if (algorithm == dst_key_alg(knode->key)
402 && tag == dst_key_id(knode->key))
406 LOCK(&keytable->lock);
407 keytable->active_nodes++;
408 UNLOCK(&keytable->lock);
409 dns_keynode_attach(knode, keynodep);
411 result = DNS_R_PARTIALMATCH;
412 } else if (result == DNS_R_PARTIALMATCH)
413 result = ISC_R_NOTFOUND;
415 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
421 dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
422 dns_keynode_t **nextnodep)
425 dns_keynode_t *knode;
428 * Search for the next key with the same properties as 'keynode' in
432 REQUIRE(VALID_KEYTABLE(keytable));
433 REQUIRE(VALID_KEYNODE(keynode));
434 REQUIRE(nextnodep != NULL && *nextnodep == NULL);
436 for (knode = keynode->next; knode != NULL; knode = knode->next) {
437 if (knode->key == NULL) {
441 if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
442 dst_key_id(keynode->key) == dst_key_id(knode->key))
446 LOCK(&keytable->lock);
447 keytable->active_nodes++;
448 UNLOCK(&keytable->lock);
449 result = ISC_R_SUCCESS;
450 dns_keynode_attach(knode, nextnodep);
452 result = ISC_R_NOTFOUND;
458 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
459 dns_name_t *foundname)
465 * Search for the deepest match in 'keytable'.
468 REQUIRE(VALID_KEYTABLE(keytable));
469 REQUIRE(dns_name_isabsolute(name));
470 REQUIRE(foundname != NULL);
472 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
475 result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
477 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
478 result = ISC_R_SUCCESS;
480 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
486 dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
487 dns_keynode_t **target)
490 * Give back a keynode found via dns_keytable_findkeynode().
493 REQUIRE(VALID_KEYTABLE(keytable));
494 REQUIRE(VALID_KEYNODE(source));
495 REQUIRE(target != NULL && *target == NULL);
497 LOCK(&keytable->lock);
498 keytable->active_nodes++;
499 UNLOCK(&keytable->lock);
501 dns_keynode_attach(source, target);
505 dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
508 * Give back a keynode found via dns_keytable_findkeynode().
511 REQUIRE(VALID_KEYTABLE(keytable));
512 REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
514 LOCK(&keytable->lock);
515 INSIST(keytable->active_nodes > 0);
516 keytable->active_nodes--;
517 UNLOCK(&keytable->lock);
519 dns_keynode_detach(keytable->mctx, keynodep);
523 dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
524 isc_boolean_t *wantdnssecp)
530 * Is 'name' at or beneath a trusted key?
533 REQUIRE(VALID_KEYTABLE(keytable));
534 REQUIRE(dns_name_isabsolute(name));
535 REQUIRE(wantdnssecp != NULL);
537 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
540 result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
542 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
543 INSIST(data != NULL);
544 *wantdnssecp = ISC_TRUE;
545 result = ISC_R_SUCCESS;
546 } else if (result == ISC_R_NOTFOUND) {
547 *wantdnssecp = ISC_FALSE;
548 result = ISC_R_SUCCESS;
551 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
557 dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
560 dns_keynode_t *knode;
562 dns_rbtnodechain_t chain;
564 REQUIRE(VALID_KEYTABLE(keytable));
566 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
567 dns_rbtnodechain_init(&chain, keytable->mctx);
568 result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
569 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
572 char pbuf[DST_KEY_FORMATSIZE];
574 dns_rbtnodechain_current(&chain, NULL, NULL, &node);
575 for (knode = node->data; knode != NULL; knode = knode->next) {
576 dst_key_format(knode->key, pbuf, sizeof(pbuf));
577 fprintf(fp, "%s ; %s\n", pbuf,
578 knode->managed ? "managed" : "trusted");
580 result = dns_rbtnodechain_next(&chain, NULL, NULL);
581 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
582 if (result == ISC_R_NOMORE)
583 result = ISC_R_SUCCESS;
589 dns_rbtnodechain_invalidate(&chain);
590 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
595 dns_keynode_key(dns_keynode_t *keynode) {
598 * Get the DST key associated with keynode.
601 REQUIRE(VALID_KEYNODE(keynode));
603 return (keynode->key);
607 dns_keynode_managed(dns_keynode_t *keynode) {
609 * Is this a managed key?
611 REQUIRE(VALID_KEYNODE(keynode));
613 return (keynode->managed);
617 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
619 dns_keynode_t *knode = NULL;
621 REQUIRE(target != NULL && *target == NULL);
623 knode = isc_mem_get(mctx, sizeof(dns_keynode_t));
625 return (ISC_R_NOMEMORY);
627 knode->magic = KEYNODE_MAGIC;
628 knode->managed = ISC_FALSE;
632 result = isc_refcount_init(&knode->refcount, 1);
633 if (result != ISC_R_SUCCESS)
637 return (ISC_R_SUCCESS);
641 dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
642 REQUIRE(VALID_KEYNODE(source));
643 isc_refcount_increment(&source->refcount, NULL);
648 dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynode) {
650 dns_keynode_t *node = *keynode;
651 REQUIRE(VALID_KEYNODE(node));
652 isc_refcount_decrement(&node->refcount, &refs);
654 if (node->key != NULL)
655 dst_key_free(&node->key);
656 isc_refcount_destroy(&node->refcount);
657 isc_mem_put(mctx, node, sizeof(dns_keynode_t));
663 dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **keynode) {
664 dns_keynode_t *next = NULL, *node = *keynode;
665 REQUIRE(VALID_KEYNODE(node));
666 while (node != NULL) {
668 dns_keynode_detach(mctx, &node);