2 * validator/val_anchor.c - validator trust anchor storage.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
39 * This file contains storage for the trust anchors for the validator.
43 #include <ldns/dname.h>
44 #include <ldns/host2wire.h>
45 #include "validator/val_anchor.h"
46 #include "validator/val_sigcrypt.h"
47 #include "validator/autotrust.h"
48 #include "util/data/packed_rrset.h"
49 #include "util/data/dname.h"
51 #include "util/net_help.h"
52 #include "util/config_file.h"
58 anchor_cmp(const void* k1, const void* k2)
61 struct trust_anchor* n1 = (struct trust_anchor*)k1;
62 struct trust_anchor* n2 = (struct trust_anchor*)k2;
63 /* no need to ntohs(class) because sort order is irrelevant */
64 if(n1->dclass != n2->dclass) {
65 if(n1->dclass < n2->dclass)
69 return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs,
76 struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a));
79 a->tree = rbtree_create(anchor_cmp);
84 a->autr = autr_global_create();
89 lock_basic_init(&a->lock);
90 lock_protect(&a->lock, a, sizeof(*a));
91 lock_protect(&a->lock, a->autr, sizeof(*a->autr));
95 /** delete assembled rrset */
97 assembled_rrset_delete(struct ub_packed_rrset_key* pkey)
100 if(pkey->entry.data) {
101 struct packed_rrset_data* pd = (struct packed_rrset_data*)
108 free(pkey->rk.dname);
112 /** destroy locks in tree and delete autotrust anchors */
114 anchors_delfunc(rbnode_t* elem, void* ATTR_UNUSED(arg))
116 struct trust_anchor* ta = (struct trust_anchor*)elem;
119 autr_point_delete(ta);
121 struct ta_key* p, *np;
122 lock_basic_destroy(&ta->lock);
131 assembled_rrset_delete(ta->ds_rrset);
132 assembled_rrset_delete(ta->dnskey_rrset);
138 anchors_delete(struct val_anchors* anchors)
142 lock_unprotect(&anchors->lock, anchors->autr);
143 lock_unprotect(&anchors->lock, anchors);
144 lock_basic_destroy(&anchors->lock);
146 traverse_postorder(anchors->tree, anchors_delfunc, NULL);
148 autr_global_delete(anchors->autr);
153 anchors_init_parents_locked(struct val_anchors* anchors)
155 struct trust_anchor* node, *prev = NULL, *p;
157 /* nobody else can grab locks because we hold the main lock.
158 * Thus the previous items, after unlocked, are not deleted */
159 RBTREE_FOR(node, struct trust_anchor*, anchors->tree) {
160 lock_basic_lock(&node->lock);
162 if(!prev || prev->dclass != node->dclass) {
164 lock_basic_unlock(&node->lock);
167 (void)dname_lab_cmp(prev->name, prev->namelabs, node->name,
168 node->namelabs, &m); /* we know prev is smaller */
169 /* sort order like: . com. bla.com. zwb.com. net. */
170 /* find the previous, or parent-parent-parent */
171 for(p = prev; p; p = p->parent)
172 /* looking for name with few labels, a parent */
173 if(p->namelabs <= m) {
174 /* ==: since prev matched m, this is closest*/
175 /* <: prev matches more, but is not a parent,
176 * this one is a (grand)parent */
180 lock_basic_unlock(&node->lock);
185 /** initialise parent pointers in the tree */
187 init_parents(struct val_anchors* anchors)
189 lock_basic_lock(&anchors->lock);
190 anchors_init_parents_locked(anchors);
191 lock_basic_unlock(&anchors->lock);
195 anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs,
196 size_t namelen, uint16_t dclass)
198 struct trust_anchor key;
200 if(!name) return NULL;
203 key.namelabs = namelabs;
204 key.namelen = namelen;
206 lock_basic_lock(&anchors->lock);
207 n = rbtree_search(anchors->tree, &key);
209 lock_basic_lock(&((struct trust_anchor*)n->key)->lock);
211 lock_basic_unlock(&anchors->lock);
214 return (struct trust_anchor*)n->key;
217 /** create new trust anchor object */
218 static struct trust_anchor*
219 anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs,
220 size_t namelen, uint16_t dclass, int lockit)
225 struct trust_anchor* ta = (struct trust_anchor*)malloc(
226 sizeof(struct trust_anchor));
229 memset(ta, 0, sizeof(*ta));
231 ta->name = memdup(name, namelen);
236 ta->namelabs = namelabs;
237 ta->namelen = namelen;
239 lock_basic_init(&ta->lock);
241 lock_basic_lock(&anchors->lock);
246 rbtree_insert(anchors->tree, &ta->node);
248 lock_basic_unlock(&anchors->lock);
250 log_assert(r != NULL);
254 /** find trustanchor key by exact data match */
255 static struct ta_key*
256 anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len,
260 for(k = ta->keylist; k; k = k->next) {
261 if(k->type == type && k->len == rdata_len &&
262 memcmp(k->data, rdata, rdata_len) == 0)
268 /** create new trustanchor key */
269 static struct ta_key*
270 anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type)
272 struct ta_key* k = (struct ta_key*)malloc(sizeof(*k));
275 memset(k, 0, sizeof(*k));
276 k->data = memdup(rdata, rdata_len);
287 * This routine adds a new RR to a trust anchor. The trust anchor may not
288 * exist yet, and is created if not. The RR can be DS or DNSKEY.
289 * This routine will also remove duplicates; storing them only once.
290 * @param anchors: anchor storage.
291 * @param name: name of trust anchor (wireformat)
292 * @param type: type or RR
293 * @param dclass: class of RR
294 * @param rdata: rdata wireformat, starting with rdlength.
295 * If NULL, nothing is stored, but an entry is created.
296 * @param rdata_len: length of rdata including rdlength.
297 * @return: NULL on error, else the trust anchor.
299 static struct trust_anchor*
300 anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type,
301 uint16_t dclass, uint8_t* rdata, size_t rdata_len)
304 struct trust_anchor* ta;
307 namelabs = dname_count_size_labels(name, &namelen);
308 if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) {
309 log_err("Bad type for trust anchor");
312 /* lookup or create trustanchor */
313 ta = anchor_find(anchors, name, namelabs, namelen, dclass);
315 ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1);
318 lock_basic_lock(&ta->lock);
321 lock_basic_unlock(&ta->lock);
324 /* look for duplicates */
325 if(anchor_find_key(ta, rdata, rdata_len, type)) {
326 lock_basic_unlock(&ta->lock);
329 k = anchor_new_ta_key(rdata, rdata_len, type);
331 lock_basic_unlock(&ta->lock);
335 if(type == LDNS_RR_TYPE_DS)
337 else ta->numDNSKEY++;
338 k->next = ta->keylist;
340 lock_basic_unlock(&ta->lock);
345 * Add new RR. It converts ldns RR to wire format.
346 * @param anchors: anchor storage.
347 * @param buffer: parsing buffer.
348 * @param rr: the rr (allocated by caller).
349 * @return NULL on error, else the trust anchor.
351 static struct trust_anchor*
352 anchor_store_new_rr(struct val_anchors* anchors, ldns_buffer* buffer,
355 struct trust_anchor* ta;
356 ldns_rdf* owner = ldns_rr_owner(rr);
358 ldns_buffer_clear(buffer);
359 ldns_buffer_skip(buffer, 2); /* skip rdatalen */
360 status = ldns_rr_rdata2buffer_wire(buffer, rr);
361 if(status != LDNS_STATUS_OK) {
362 log_err("error converting trustanchor to wireformat: %s",
363 ldns_get_errorstr_by_id(status));
366 ldns_buffer_flip(buffer);
367 ldns_buffer_write_u16_at(buffer, 0, ldns_buffer_limit(buffer) - 2);
369 if(!(ta=anchor_store_new_key(anchors, ldns_rdf_data(owner),
370 ldns_rr_get_type(rr), ldns_rr_get_class(rr),
371 ldns_buffer_begin(buffer), ldns_buffer_limit(buffer)))) {
374 log_nametypeclass(VERB_QUERY, "adding trusted key",
375 ldns_rdf_data(owner),
376 ldns_rr_get_type(rr), ldns_rr_get_class(rr));
381 * Insert insecure anchor
382 * @param anchors: anchor storage.
383 * @param str: the domain name.
384 * @return NULL on error, Else last trust anchor point
386 static struct trust_anchor*
387 anchor_insert_insecure(struct val_anchors* anchors, const char* str)
389 struct trust_anchor* ta;
390 ldns_rdf* nm = ldns_dname_new_frm_str(str);
392 log_err("parse error in domain name '%s'", str);
395 ta = anchor_store_new_key(anchors, ldns_rdf_data(nm), LDNS_RR_TYPE_DS,
396 LDNS_RR_CLASS_IN, NULL, 0);
397 ldns_rdf_deep_free(nm);
402 anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer,
405 struct trust_anchor* ta;
407 ldns_status status = ldns_rr_new_frm_str(&rr, str, 0, NULL, NULL);
408 if(status != LDNS_STATUS_OK) {
409 log_err("error parsing trust anchor: %s",
410 ldns_get_errorstr_by_id(status));
414 if(!(ta=anchor_store_new_rr(anchors, buffer, rr))) {
415 log_err("out of memory");
424 * Read a file with trust anchors
425 * @param anchors: anchor storage.
426 * @param buffer: parsing buffer.
427 * @param fname: string.
428 * @param onlyone: only one trust anchor allowed in file.
429 * @return NULL on error. Else last trust-anchor point.
431 static struct trust_anchor*
432 anchor_read_file(struct val_anchors* anchors, ldns_buffer* buffer,
433 const char* fname, int onlyone)
435 struct trust_anchor* ta = NULL, *tanew;
436 uint32_t default_ttl = 3600;
437 ldns_rdf* origin = NULL, *prev = NULL;
442 FILE* in = fopen(fname, "r");
444 log_err("error opening file %s: %s", fname, strerror(errno));
449 status = ldns_rr_new_frm_fp_l(&rr, in, &default_ttl, &origin,
451 if(status == LDNS_STATUS_SYNTAX_EMPTY /* empty line */
452 || status == LDNS_STATUS_SYNTAX_TTL /* $TTL */
453 || status == LDNS_STATUS_SYNTAX_ORIGIN /* $ORIGIN */)
455 if(status != LDNS_STATUS_OK) {
456 log_err("parse error in %s:%d : %s", fname, line_nr,
457 ldns_get_errorstr_by_id(status));
462 if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS &&
463 ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) {
467 if(!(tanew=anchor_store_new_rr(anchors, buffer, rr))) {
468 log_err("error at %s line %d", fname, line_nr);
473 if(onlyone && ta && ta != tanew) {
474 log_err("error at %s line %d: no multiple anchor "
475 "domains allowed (you can have multiple "
476 "keys, but they must have the same name).",
485 ldns_rdf_deep_free(origin);
486 ldns_rdf_deep_free(prev);
489 /* empty file is OK when multiple anchors are allowed */
490 if(!onlyone && !ta) return (struct trust_anchor*)1;
494 /** skip file to end of line */
496 skip_to_eol(FILE* in)
499 while((c = getc(in)) != EOF ) {
505 /** true for special characters in bind configs */
507 is_bind_special(int c)
520 * Read a keyword skipping bind comments; spaces, specials, restkeywords.
521 * The file is split into the following tokens:
522 * * special characters, on their own, rdlen=1, { } doublequote ;
523 * * whitespace becomes a single ' ' or tab. Newlines become spaces.
524 * * other words ('keywords')
525 * * comments are skipped if desired
526 * / / C++ style comment to end of line
528 * / * C style comment * /
529 * @param in: file to read from.
530 * @param buf: buffer, what is read is stored after current buffer position.
531 * Space is left in the buffer to write a terminating 0.
532 * @param line: line number is increased per line, for error reports.
533 * @param comments: if 0, comments are not possible and become text.
534 * if 1, comments are skipped entirely.
535 * In BIND files, this is when reading quoted strings, for example
536 * " base 64 text with / / in there "
537 * @return the number of character written to the buffer.
541 readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments)
545 while((c = getc(in)) != EOF ) {
546 if(comments && c == '#') { /* # blabla */
550 } else if(comments && c=='/' && numdone>0 && /* /_/ bla*/
551 ldns_buffer_read_u8_at(buf,
552 ldns_buffer_position(buf)-1) == '/') {
553 ldns_buffer_skip(buf, -1);
558 } else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */
559 ldns_buffer_read_u8_at(buf,
560 ldns_buffer_position(buf)-1) == '/') {
561 ldns_buffer_skip(buf, -1);
563 /* skip to end of comment */
564 while(c != EOF && (c=getc(in)) != EOF ) {
566 if((c=getc(in)) == '/')
574 /* not a comment, complete the keyword */
576 /* check same type */
581 if(is_bind_special(c)) {
590 /* space for 1 char + 0 string terminator */
591 if(ldns_buffer_remaining(buf) < 2) {
592 fatal_exit("trusted-keys, %d, string too long", *line);
594 ldns_buffer_write_u8(buf, (uint8_t)c);
597 /* collate whitespace into ' ' */
598 while((c = getc(in)) != EOF ) {
608 if(is_bind_special(c))
614 /** skip through file to { or ; */
616 skip_to_special(FILE* in, ldns_buffer* buf, int* line, int spec)
619 ldns_buffer_clear(buf);
620 while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
621 if(rdlen == 1 && isspace((int)*ldns_buffer_begin(buf))) {
622 ldns_buffer_clear(buf);
625 if(rdlen != 1 || *ldns_buffer_begin(buf) != (uint8_t)spec) {
626 ldns_buffer_write_u8(buf, 0);
627 log_err("trusted-keys, line %d, expected %c",
633 log_err("trusted-keys, line %d, expected %c got EOF", *line, spec);
638 * read contents of trusted-keys{ ... ; clauses and insert keys into storage.
639 * @param anchors: where to store keys
640 * @param buf: buffer to use
641 * @param line: line number in file
642 * @param in: file to read from.
643 * @return 0 on error.
646 process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf,
649 /* loop over contents, collate strings before ; */
650 /* contents is (numbered): 0 1 2 3 4 5 6 7 8 */
651 /* name. 257 3 5 base64 base64 */
652 /* quoted value: 0 "111" 0 0 0 0 0 0 0 */
653 /* comments value: 1 "000" 1 1 1 "0 0 0 0" 1 */
659 ldns_buffer_clear(buf);
660 while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
661 if(rdlen == 1 && ldns_buffer_position(buf) == 1
662 && isspace((int)*ldns_buffer_begin(buf))) {
663 /* starting whitespace is removed */
664 ldns_buffer_clear(buf);
666 } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '"') {
667 /* remove " from the string */
672 ldns_buffer_skip(buf, -1);
673 if(contnum > 0 && quoted) {
674 if(ldns_buffer_remaining(buf) < 8+1) {
675 log_err("line %d, too long", *line);
678 ldns_buffer_write(buf, " DNSKEY ", 8);
681 } else if(contnum > 0)
682 comments = !comments;
684 } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == ';') {
687 ldns_buffer_write_u8(buf, 0);
688 log_err("line %d, bad key", *line);
691 ldns_buffer_skip(buf, -1);
692 ldns_buffer_write_u8(buf, 0);
693 str = strdup((char*)ldns_buffer_begin(buf));
695 log_err("line %d, allocation failure", *line);
698 if(!anchor_store_str(anchors, buf, str)) {
699 log_err("line %d, bad key", *line);
704 ldns_buffer_clear(buf);
709 } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '}') {
711 ldns_buffer_write_u8(buf, 0);
712 log_err("line %d, bad key before }", *line);
716 } else if(rdlen == 1 &&
717 isspace((int)ldns_buffer_current(buf)[-1])) {
718 /* leave whitespace here */
720 /* not space or whatnot, so actual content */
722 if(contnum == 1 && !quoted) {
723 if(ldns_buffer_remaining(buf) < 8+1) {
724 log_err("line %d, too long", *line);
727 ldns_buffer_write(buf, " DNSKEY ", 8);
732 log_err("line %d, EOF before }", *line);
737 * Read a BIND9 like file with trust anchors in named.conf format.
738 * @param anchors: anchor storage.
739 * @param buffer: parsing buffer.
740 * @param fname: string.
741 * @return false on error.
744 anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer,
748 FILE* in = fopen(fname, "r");
751 log_err("error opening file %s: %s", fname, strerror(errno));
754 verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
755 /* scan for trusted-keys keyword, ignore everything else */
756 ldns_buffer_clear(buffer);
757 while((rdlen=readkeyword_bindfile(in, buffer, &line_nr, 1)) != 0) {
758 if(rdlen != 12 || strncmp((char*)ldns_buffer_begin(buffer),
759 "trusted-keys", 12) != 0) {
760 ldns_buffer_clear(buffer);
761 /* ignore everything but trusted-keys */
764 if(!skip_to_special(in, buffer, &line_nr, '{')) {
765 log_err("error in trusted key: \"%s\"", fname);
769 /* process contents */
770 if(!process_bind_contents(anchors, buffer, &line_nr, in)) {
771 log_err("error in trusted key: \"%s\"", fname);
775 if(!skip_to_special(in, buffer, &line_nr, ';')) {
776 log_err("error in trusted key: \"%s\"", fname);
780 ldns_buffer_clear(buffer);
787 * Read a BIND9 like files with trust anchors in named.conf format.
788 * Performs wildcard processing of name.
789 * @param anchors: anchor storage.
790 * @param buffer: parsing buffer.
791 * @param pat: pattern string. (can be wildcarded)
792 * @return false on error.
795 anchor_read_bind_file_wild(struct val_anchors* anchors, ldns_buffer* buffer,
802 if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') &&
803 !strchr(pat, '{') && !strchr(pat, '~')) {
804 return anchor_read_bind_file(anchors, buffer, pat);
806 verbose(VERB_QUERY, "wildcard found, processing %s", pat);
821 memset(&g, 0, sizeof(g));
822 r = glob(pat, flags, NULL, &g);
825 if(r == GLOB_NOMATCH) {
826 verbose(VERB_QUERY, "trusted-keys-file: "
827 "no matches for %s", pat);
829 } else if(r == GLOB_NOSPACE) {
830 log_err("wildcard trusted-keys-file %s: "
831 "pattern out of memory", pat);
832 } else if(r == GLOB_ABORTED) {
833 log_err("wildcard trusted-keys-file %s: expansion "
834 "aborted (%s)", pat, strerror(errno));
836 log_err("wildcard trusted-keys-file %s: expansion "
837 "failed (%s)", pat, strerror(errno));
839 /* ignore globs that yield no files */
842 /* process files found, if any */
843 for(i=0; i<(size_t)g.gl_pathc; i++) {
844 if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) {
845 log_err("error reading wildcard "
846 "trusted-keys-file: %s", g.gl_pathv[i]);
853 #else /* not HAVE_GLOB */
854 return anchor_read_bind_file(anchors, buffer, pat);
855 #endif /* HAVE_GLOB */
859 * Assemble an rrset structure for the type
860 * @param ta: trust anchor.
861 * @param num: number of items to fetch from list.
862 * @param type: fetch only items of this type.
863 * @return rrset or NULL on error.
865 static struct ub_packed_rrset_key*
866 assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
868 struct ub_packed_rrset_key* pkey = (struct ub_packed_rrset_key*)
869 malloc(sizeof(*pkey));
870 struct packed_rrset_data* pd;
875 memset(pkey, 0, sizeof(*pkey));
876 pkey->rk.dname = memdup(ta->name, ta->namelen);
877 if(!pkey->rk.dname) {
882 pkey->rk.dname_len = ta->namelen;
883 pkey->rk.type = htons(type);
884 pkey->rk.rrset_class = htons(ta->dclass);
885 /* The rrset is build in an uncompressed way. This means it
886 * cannot be copied in the normal way. */
887 pd = (struct packed_rrset_data*)malloc(sizeof(*pd));
889 free(pkey->rk.dname);
893 memset(pd, 0, sizeof(*pd));
895 pd->trust = rrset_trust_ultimate;
896 pd->rr_len = (size_t*)malloc(num*sizeof(size_t));
899 free(pkey->rk.dname);
903 pd->rr_ttl = (uint32_t*)malloc(num*sizeof(uint32_t));
907 free(pkey->rk.dname);
911 pd->rr_data = (uint8_t**)malloc(num*sizeof(uint8_t*));
916 free(pkey->rk.dname);
922 for(tk = ta->keylist; tk; tk = tk->next) {
925 pd->rr_len[i] = tk->len;
926 /* reuse data ptr to allocation in talist */
927 pd->rr_data[i] = tk->data;
931 pkey->entry.data = (void*)pd;
936 * Assemble structures for the trust DS and DNSKEY rrsets.
937 * @param ta: trust anchor
938 * @return: false on error.
941 anchors_assemble(struct trust_anchor* ta)
944 ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS);
948 if(ta->numDNSKEY > 0) {
949 ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY,
950 LDNS_RR_TYPE_DNSKEY);
951 if(!ta->dnskey_rrset)
958 * Check DS algos for support, warn if not.
959 * @param ta: trust anchor
960 * @return number of DS anchors with unsupported algorithms.
963 anchors_ds_unsupported(struct trust_anchor* ta)
966 for(i=0; i<ta->numDS; i++) {
967 if(!ds_digest_algo_is_supported(ta->ds_rrset, i) ||
968 !ds_key_algo_is_supported(ta->ds_rrset, i))
975 * Check DNSKEY algos for support, warn if not.
976 * @param ta: trust anchor
977 * @return number of DNSKEY anchors with unsupported algorithms.
980 anchors_dnskey_unsupported(struct trust_anchor* ta)
983 for(i=0; i<ta->numDNSKEY; i++) {
984 if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
991 * Assemble the rrsets in the anchors, ready for use by validator.
992 * @param anchors: trust anchor storage.
993 * @return: false on error.
996 anchors_assemble_rrsets(struct val_anchors* anchors)
998 struct trust_anchor* ta;
999 struct trust_anchor* next;
1001 lock_basic_lock(&anchors->lock);
1002 ta=(struct trust_anchor*)rbtree_first(anchors->tree);
1003 while((rbnode_t*)ta != RBTREE_NULL) {
1004 next = (struct trust_anchor*)rbtree_next(&ta->node);
1005 lock_basic_lock(&ta->lock);
1006 if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) {
1007 lock_basic_unlock(&ta->lock);
1008 ta = next; /* skip */
1011 if(!anchors_assemble(ta)) {
1012 log_err("out of memory");
1013 lock_basic_unlock(&ta->lock);
1014 lock_basic_unlock(&anchors->lock);
1017 nods = anchors_ds_unsupported(ta);
1018 nokey = anchors_dnskey_unsupported(ta);
1020 log_nametypeclass(0, "warning: unsupported "
1021 "algorithm for trust anchor",
1022 ta->name, LDNS_RR_TYPE_DS, ta->dclass);
1025 log_nametypeclass(0, "warning: unsupported "
1026 "algorithm for trust anchor",
1027 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
1029 if(nods == ta->numDS && nokey == ta->numDNSKEY) {
1031 dname_str(ta->name, b);
1032 log_warn("trust anchor %s has no supported algorithms,"
1033 " the anchor is ignored (check if you need to"
1034 " upgrade unbound and openssl)", b);
1035 (void)rbtree_delete(anchors->tree, &ta->node);
1036 lock_basic_unlock(&ta->lock);
1037 anchors_delfunc(&ta->node, NULL);
1041 lock_basic_unlock(&ta->lock);
1044 lock_basic_unlock(&anchors->lock);
1049 anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
1051 struct config_strlist* f;
1053 ldns_buffer* parsebuf = ldns_buffer_new(65535);
1054 for(f = cfg->domain_insecure; f; f = f->next) {
1055 if(!f->str || f->str[0] == 0) /* empty "" */
1057 if(!anchor_insert_insecure(anchors, f->str)) {
1058 log_err("error in domain-insecure: %s", f->str);
1059 ldns_buffer_free(parsebuf);
1063 for(f = cfg->trust_anchor_file_list; f; f = f->next) {
1064 if(!f->str || f->str[0] == 0) /* empty "" */
1067 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
1068 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1069 nm += strlen(cfg->chrootdir);
1070 if(!anchor_read_file(anchors, parsebuf, nm, 0)) {
1071 log_err("error reading trust-anchor-file: %s", f->str);
1072 ldns_buffer_free(parsebuf);
1076 for(f = cfg->trusted_keys_file_list; f; f = f->next) {
1077 if(!f->str || f->str[0] == 0) /* empty "" */
1080 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
1081 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1082 nm += strlen(cfg->chrootdir);
1083 if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) {
1084 log_err("error reading trusted-keys-file: %s", f->str);
1085 ldns_buffer_free(parsebuf);
1089 for(f = cfg->trust_anchor_list; f; f = f->next) {
1090 if(!f->str || f->str[0] == 0) /* empty "" */
1092 if(!anchor_store_str(anchors, parsebuf, f->str)) {
1093 log_err("error in trust-anchor: \"%s\"", f->str);
1094 ldns_buffer_free(parsebuf);
1098 if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
1099 struct trust_anchor* dlva;
1100 nm = cfg->dlv_anchor_file;
1101 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
1102 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1103 nm += strlen(cfg->chrootdir);
1104 if(!(dlva = anchor_read_file(anchors, parsebuf,
1106 log_err("error reading dlv-anchor-file: %s",
1107 cfg->dlv_anchor_file);
1108 ldns_buffer_free(parsebuf);
1111 lock_basic_lock(&anchors->lock);
1112 anchors->dlv_anchor = dlva;
1113 lock_basic_unlock(&anchors->lock);
1115 for(f = cfg->dlv_anchor_list; f; f = f->next) {
1116 struct trust_anchor* dlva;
1117 if(!f->str || f->str[0] == 0) /* empty "" */
1119 if(!(dlva = anchor_store_str(
1120 anchors, parsebuf, f->str))) {
1121 log_err("error in dlv-anchor: \"%s\"", f->str);
1122 ldns_buffer_free(parsebuf);
1125 lock_basic_lock(&anchors->lock);
1126 anchors->dlv_anchor = dlva;
1127 lock_basic_unlock(&anchors->lock);
1129 /* do autr last, so that it sees what anchors are filled by other
1130 * means can can print errors about double config for the name */
1131 for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {
1132 if(!f->str || f->str[0] == 0) /* empty "" */
1135 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
1136 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1137 nm += strlen(cfg->chrootdir);
1138 if(!autr_read_file(anchors, nm)) {
1139 log_err("error reading auto-trust-anchor-file: %s",
1141 ldns_buffer_free(parsebuf);
1145 /* first assemble, since it may delete useless anchors */
1146 anchors_assemble_rrsets(anchors);
1147 init_parents(anchors);
1148 ldns_buffer_free(parsebuf);
1149 if(verbosity >= VERB_ALGO) autr_debug_print(anchors);
1153 struct trust_anchor*
1154 anchors_lookup(struct val_anchors* anchors,
1155 uint8_t* qname, size_t qname_len, uint16_t qclass)
1157 struct trust_anchor key;
1158 struct trust_anchor* result;
1159 rbnode_t* res = NULL;
1160 key.node.key = &key;
1162 key.namelabs = dname_count_labels(qname);
1163 key.namelen = qname_len;
1164 key.dclass = qclass;
1165 lock_basic_lock(&anchors->lock);
1166 if(rbtree_find_less_equal(anchors->tree, &key, &res)) {
1168 result = (struct trust_anchor*)res;
1170 /* smaller element (or no element) */
1172 result = (struct trust_anchor*)res;
1173 if(!result || result->dclass != qclass) {
1174 lock_basic_unlock(&anchors->lock);
1177 /* count number of labels matched */
1178 (void)dname_lab_cmp(result->name, result->namelabs, key.name,
1180 while(result) { /* go up until qname is subdomain of stub */
1181 if(result->namelabs <= m)
1183 result = result->parent;
1187 lock_basic_lock(&result->lock);
1189 lock_basic_unlock(&anchors->lock);
1194 anchors_get_mem(struct val_anchors* anchors)
1196 struct trust_anchor *ta;
1197 size_t s = sizeof(*anchors);
1198 RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) {
1199 s += sizeof(*ta) + ta->namelen;
1200 /* keys and so on */
1206 anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm)
1208 struct trust_anchor key;
1209 key.node.key = &key;
1211 key.namelabs = dname_count_size_labels(nm, &key.namelen);
1213 lock_basic_lock(&anchors->lock);
1214 if(rbtree_search(anchors->tree, &key)) {
1215 lock_basic_unlock(&anchors->lock);
1216 /* nothing to do, already an anchor or insecure point */
1219 if(!anchor_new_ta(anchors, nm, key.namelabs, key.namelen, c, 0)) {
1220 log_err("out of memory");
1221 lock_basic_unlock(&anchors->lock);
1224 /* no other contents in new ta, because it is insecure point */
1225 anchors_init_parents_locked(anchors);
1226 lock_basic_unlock(&anchors->lock);
1231 anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
1234 struct trust_anchor key;
1235 struct trust_anchor* ta;
1236 key.node.key = &key;
1238 key.namelabs = dname_count_size_labels(nm, &key.namelen);
1240 lock_basic_lock(&anchors->lock);
1241 if(!(ta=(struct trust_anchor*)rbtree_search(anchors->tree, &key))) {
1242 lock_basic_unlock(&anchors->lock);
1246 /* lock it to drive away other threads that use it */
1247 lock_basic_lock(&ta->lock);
1248 /* see if its really an insecure point */
1249 if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) {
1250 lock_basic_unlock(&anchors->lock);
1251 lock_basic_unlock(&ta->lock);
1252 /* its not an insecure point, do not remove it */
1256 /* remove from tree */
1257 (void)rbtree_delete(anchors->tree, &ta->node);
1258 anchors_init_parents_locked(anchors);
1259 lock_basic_unlock(&anchors->lock);
1261 /* actual free of data */
1262 lock_basic_unlock(&ta->lock);
1263 anchors_delfunc(&ta->node, NULL);
projects / FreeBSD / stable / 10.git / blob