2 * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: keytable.c,v 1.41 2010/06/25 23:46:51 tbox Exp $ */
25 #include <isc/print.h>
26 #include <isc/rwlock.h>
27 #include <isc/string.h> /* Required for HP/UX (and others?) */
30 #include <dns/keytable.h>
31 #include <dns/fixedname.h>
33 #include <dns/result.h>
36 free_keynode(void *node, void *arg) {
37 dns_keynode_t *keynode = node;
38 isc_mem_t *mctx = arg;
40 dns_keynode_detachall(mctx, &keynode);
44 dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
45 dns_keytable_t *keytable;
52 REQUIRE(keytablep != NULL && *keytablep == NULL);
54 keytable = isc_mem_get(mctx, sizeof(*keytable));
56 return (ISC_R_NOMEMORY);
58 keytable->table = NULL;
59 result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
60 if (result != ISC_R_SUCCESS)
61 goto cleanup_keytable;
63 result = isc_mutex_init(&keytable->lock);
64 if (result != ISC_R_SUCCESS)
67 result = isc_rwlock_init(&keytable->rwlock, 0, 0);
68 if (result != ISC_R_SUCCESS)
71 keytable->mctx = NULL;
72 isc_mem_attach(mctx, &keytable->mctx);
73 keytable->active_nodes = 0;
74 keytable->references = 1;
75 keytable->magic = KEYTABLE_MAGIC;
76 *keytablep = keytable;
78 return (ISC_R_SUCCESS);
81 DESTROYLOCK(&keytable->lock);
84 dns_rbt_destroy(&keytable->table);
87 isc_mem_putanddetach(&mctx, keytable, sizeof(*keytable));
93 dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
96 * Attach *targetp to source.
99 REQUIRE(VALID_KEYTABLE(source));
100 REQUIRE(targetp != NULL && *targetp == NULL);
102 RWLOCK(&source->rwlock, isc_rwlocktype_write);
104 INSIST(source->references > 0);
105 source->references++;
106 INSIST(source->references != 0);
108 RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
114 dns_keytable_detach(dns_keytable_t **keytablep) {
115 isc_boolean_t destroy = ISC_FALSE;
116 dns_keytable_t *keytable;
119 * Detach *keytablep from its keytable.
122 REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
124 keytable = *keytablep;
126 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
128 INSIST(keytable->references > 0);
129 keytable->references--;
130 LOCK(&keytable->lock);
131 if (keytable->references == 0 && keytable->active_nodes == 0)
133 UNLOCK(&keytable->lock);
135 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
138 dns_rbt_destroy(&keytable->table);
139 isc_rwlock_destroy(&keytable->rwlock);
140 DESTROYLOCK(&keytable->lock);
142 isc_mem_putanddetach(&keytable->mctx,
143 keytable, sizeof(*keytable));
150 insert(dns_keytable_t *keytable, isc_boolean_t managed,
151 dns_name_t *keyname, dst_key_t **keyp)
154 dns_keynode_t *knode = NULL;
157 REQUIRE(keyp == NULL || *keyp != NULL);
158 REQUIRE(VALID_KEYTABLE(keytable));
160 result = dns_keynode_create(keytable->mctx, &knode);
161 if (result != ISC_R_SUCCESS)
164 knode->managed = managed;
166 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
169 result = dns_rbt_addnode(keytable->table, keyname, &node);
172 if (result == ISC_R_EXISTS) {
173 /* Key already in table? */
175 for (k = node->data; k != NULL; k = k->next) {
176 if (k->key == NULL) {
178 *keyp = NULL; /* transfer ownership */
181 if (dst_key_compare(k->key, *keyp) == ISC_TRUE)
186 result = ISC_R_SUCCESS;
187 else if (*keyp != NULL)
191 if (result == ISC_R_SUCCESS) {
193 knode->next = node->data;
198 if (result == ISC_R_SUCCESS) {
203 /* Key was already there? That's the same as a success */
204 if (result == ISC_R_EXISTS)
205 result = ISC_R_SUCCESS;
207 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
210 dns_keynode_detach(keytable->mctx, &knode);
216 dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
219 REQUIRE(keyp != NULL && *keyp != NULL);
220 return (insert(keytable, managed, dst_key_name(*keyp), keyp));
224 dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name) {
225 return (insert(keytable, ISC_TRUE, name, NULL));
229 dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname) {
231 dns_rbtnode_t *node = NULL;
233 REQUIRE(VALID_KEYTABLE(keytable));
234 REQUIRE(keyname != NULL);
236 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
237 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
238 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
239 if (result == ISC_R_SUCCESS) {
240 if (node->data != NULL)
241 result = dns_rbt_deletenode(keytable->table,
244 result = ISC_R_NOTFOUND;
245 } else if (result == DNS_R_PARTIALMATCH)
246 result = ISC_R_NOTFOUND;
247 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
253 dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey) {
256 dns_rbtnode_t *node = NULL;
257 dns_keynode_t *knode = NULL, **kprev = NULL;
259 REQUIRE(VALID_KEYTABLE(keytable));
260 REQUIRE(dstkey != NULL);
262 keyname = dst_key_name(dstkey);
264 RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
265 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
266 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
268 if (result == DNS_R_PARTIALMATCH)
269 result = ISC_R_NOTFOUND;
270 if (result != ISC_R_SUCCESS)
273 if (node->data == NULL) {
274 result = ISC_R_NOTFOUND;
279 if (knode->next == NULL && knode->key != NULL &&
280 dst_key_compare(knode->key, dstkey) == ISC_TRUE)
282 result = dns_rbt_deletenode(keytable->table, node, ISC_FALSE);
286 kprev = (dns_keynode_t **) &node->data;
287 while (knode != NULL) {
288 if (knode->key != NULL &&
289 dst_key_compare(knode->key, dstkey) == ISC_TRUE)
291 kprev = &knode->next;
296 if (knode->key != NULL)
297 dst_key_free(&knode->key);
299 * This is equivalent to:
300 * dns_keynode_attach(knode->next, &tmp);
301 * dns_keynode_detach(kprev);
302 * dns_keynode_attach(tmp, &kprev);
303 * dns_keynode_detach(&tmp);
305 *kprev = knode->next;
307 dns_keynode_detach(keytable->mctx, &knode);
309 result = DNS_R_PARTIALMATCH;
311 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
316 dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
317 dns_keynode_t **keynodep)
320 dns_rbtnode_t *node = NULL;
322 REQUIRE(VALID_KEYTABLE(keytable));
323 REQUIRE(keyname != NULL);
324 REQUIRE(keynodep != NULL && *keynodep == NULL);
326 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
327 result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
328 DNS_RBTFIND_NOOPTIONS, NULL, NULL);
329 if (result == ISC_R_SUCCESS) {
330 if (node->data != NULL) {
331 LOCK(&keytable->lock);
332 keytable->active_nodes++;
333 UNLOCK(&keytable->lock);
334 dns_keynode_attach(node->data, keynodep);
336 result = ISC_R_NOTFOUND;
337 } else if (result == DNS_R_PARTIALMATCH)
338 result = ISC_R_NOTFOUND;
339 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
345 dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
346 dns_keynode_t **nextnodep)
349 * Return the next key after 'keynode', regardless of
353 REQUIRE(VALID_KEYTABLE(keytable));
354 REQUIRE(VALID_KEYNODE(keynode));
355 REQUIRE(nextnodep != NULL && *nextnodep == NULL);
357 if (keynode->next == NULL)
358 return (ISC_R_NOTFOUND);
360 dns_keynode_attach(keynode->next, nextnodep);
361 LOCK(&keytable->lock);
362 keytable->active_nodes++;
363 UNLOCK(&keytable->lock);
365 return (ISC_R_SUCCESS);
369 dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
370 dns_secalg_t algorithm, dns_keytag_t tag,
371 dns_keynode_t **keynodep)
374 dns_keynode_t *knode;
378 * Search for a key named 'name', matching 'algorithm' and 'tag' in
382 REQUIRE(VALID_KEYTABLE(keytable));
383 REQUIRE(dns_name_isabsolute(name));
384 REQUIRE(keynodep != NULL && *keynodep == NULL);
386 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
389 * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
390 * as that indicates that 'name' was not found.
392 * DNS_R_PARTIALMATCH indicates that the name was found but we
393 * didn't get a match on algorithm and key id arguments.
397 result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
399 if (result == ISC_R_SUCCESS) {
400 INSIST(data != NULL);
401 for (knode = data; knode != NULL; knode = knode->next) {
402 if (knode->key == NULL) {
406 if (algorithm == dst_key_alg(knode->key)
407 && tag == dst_key_id(knode->key))
411 LOCK(&keytable->lock);
412 keytable->active_nodes++;
413 UNLOCK(&keytable->lock);
414 dns_keynode_attach(knode, keynodep);
416 result = DNS_R_PARTIALMATCH;
417 } else if (result == DNS_R_PARTIALMATCH)
418 result = ISC_R_NOTFOUND;
420 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
426 dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
427 dns_keynode_t **nextnodep)
430 dns_keynode_t *knode;
433 * Search for the next key with the same properties as 'keynode' in
437 REQUIRE(VALID_KEYTABLE(keytable));
438 REQUIRE(VALID_KEYNODE(keynode));
439 REQUIRE(nextnodep != NULL && *nextnodep == NULL);
441 for (knode = keynode->next; knode != NULL; knode = knode->next) {
442 if (knode->key == NULL) {
446 if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
447 dst_key_id(keynode->key) == dst_key_id(knode->key))
451 LOCK(&keytable->lock);
452 keytable->active_nodes++;
453 UNLOCK(&keytable->lock);
454 result = ISC_R_SUCCESS;
455 dns_keynode_attach(knode, nextnodep);
457 result = ISC_R_NOTFOUND;
463 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
464 dns_name_t *foundname)
470 * Search for the deepest match in 'keytable'.
473 REQUIRE(VALID_KEYTABLE(keytable));
474 REQUIRE(dns_name_isabsolute(name));
475 REQUIRE(foundname != NULL);
477 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
480 result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
482 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
483 result = ISC_R_SUCCESS;
485 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
491 dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
492 dns_keynode_t **target)
495 * Give back a keynode found via dns_keytable_findkeynode().
498 REQUIRE(VALID_KEYTABLE(keytable));
499 REQUIRE(VALID_KEYNODE(source));
500 REQUIRE(target != NULL && *target == NULL);
502 LOCK(&keytable->lock);
503 keytable->active_nodes++;
504 UNLOCK(&keytable->lock);
506 dns_keynode_attach(source, target);
510 dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
513 * Give back a keynode found via dns_keytable_findkeynode().
516 REQUIRE(VALID_KEYTABLE(keytable));
517 REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
519 LOCK(&keytable->lock);
520 INSIST(keytable->active_nodes > 0);
521 keytable->active_nodes--;
522 UNLOCK(&keytable->lock);
524 dns_keynode_detach(keytable->mctx, keynodep);
528 dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
529 isc_boolean_t *wantdnssecp)
535 * Is 'name' at or beneath a trusted key?
538 REQUIRE(VALID_KEYTABLE(keytable));
539 REQUIRE(dns_name_isabsolute(name));
540 REQUIRE(wantdnssecp != NULL);
542 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
545 result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
547 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
548 INSIST(data != NULL);
549 *wantdnssecp = ISC_TRUE;
550 result = ISC_R_SUCCESS;
551 } else if (result == ISC_R_NOTFOUND) {
552 *wantdnssecp = ISC_FALSE;
553 result = ISC_R_SUCCESS;
556 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
562 dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
565 dns_keynode_t *knode;
567 dns_rbtnodechain_t chain;
569 REQUIRE(VALID_KEYTABLE(keytable));
571 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
572 dns_rbtnodechain_init(&chain, keytable->mctx);
573 result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
574 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
577 char pbuf[DST_KEY_FORMATSIZE];
579 dns_rbtnodechain_current(&chain, NULL, NULL, &node);
580 for (knode = node->data; knode != NULL; knode = knode->next) {
581 if (knode->key == NULL)
583 dst_key_format(knode->key, pbuf, sizeof(pbuf));
584 fprintf(fp, "%s ; %s\n", pbuf,
585 knode->managed ? "managed" : "trusted");
587 result = dns_rbtnodechain_next(&chain, NULL, NULL);
588 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
589 if (result == ISC_R_NOMORE)
590 result = ISC_R_SUCCESS;
596 dns_rbtnodechain_invalidate(&chain);
597 RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
602 dns_keynode_key(dns_keynode_t *keynode) {
605 * Get the DST key associated with keynode.
608 REQUIRE(VALID_KEYNODE(keynode));
610 return (keynode->key);
614 dns_keynode_managed(dns_keynode_t *keynode) {
616 * Is this a managed key?
618 REQUIRE(VALID_KEYNODE(keynode));
620 return (keynode->managed);
624 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
626 dns_keynode_t *knode = NULL;
628 REQUIRE(target != NULL && *target == NULL);
630 knode = isc_mem_get(mctx, sizeof(dns_keynode_t));
632 return (ISC_R_NOMEMORY);
634 knode->magic = KEYNODE_MAGIC;
635 knode->managed = ISC_FALSE;
639 result = isc_refcount_init(&knode->refcount, 1);
640 if (result != ISC_R_SUCCESS)
644 return (ISC_R_SUCCESS);
648 dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
649 REQUIRE(VALID_KEYNODE(source));
650 isc_refcount_increment(&source->refcount, NULL);
655 dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynode) {
657 dns_keynode_t *node = *keynode;
658 REQUIRE(VALID_KEYNODE(node));
659 isc_refcount_decrement(&node->refcount, &refs);
661 if (node->key != NULL)
662 dst_key_free(&node->key);
663 isc_refcount_destroy(&node->refcount);
664 isc_mem_put(mctx, node, sizeof(dns_keynode_t));
670 dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **keynode) {
671 dns_keynode_t *next = NULL, *node = *keynode;
672 REQUIRE(VALID_KEYNODE(node));
673 while (node != NULL) {
675 dns_keynode_detach(mctx, &node);