/* * validator/val_anchor.h - validator trust anchor storage. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains storage for the trust anchors for the validator. */ #ifndef VALIDATOR_VAL_ANCHOR_H #define VALIDATOR_VAL_ANCHOR_H #include "util/rbtree.h" #include "util/locks.h" struct trust_anchor; struct config_file; struct ub_packed_rrset_key; struct autr_point_data; struct autr_global_data; /** * Trust anchor store. * The tree must be locked, while no other locks (from trustanchors) are held. * And then an anchor searched for. Which can be locked or deleted. Then * the tree can be unlocked again. This means you have to release the lock * on a trust anchor and look it up again to delete it. */ struct val_anchors { /** lock on trees */ lock_basic_t lock; /** * Anchors are store in this tree. Sort order is chosen, so that * dnames are in nsec-like order. A lookup on class, name will return * an exact match of the closest match, with the ancestor needed. * contents of type trust_anchor. */ rbtree_t* tree; /** The DLV trust anchor (if one is configured, else NULL) */ struct trust_anchor* dlv_anchor; /** Autotrust global data, anchors sorted by next probe time */ struct autr_global_data* autr; }; /** * Trust anchor key */ struct ta_key { /** next in list */ struct ta_key* next; /** rdata, in wireformat of the key RR. starts with rdlength. */ uint8_t* data; /** length of the rdata (including rdlength). */ size_t len; /** DNS type (host format) of the key, DS or DNSKEY */ uint16_t type; }; /** * A trust anchor in the trust anchor store. * Unique by name, class. */ struct trust_anchor { /** rbtree node, key is this structure */ rbnode_t node; /** lock on the entire anchor and its keys; for autotrust changes */ lock_basic_t lock; /** name of this trust anchor */ uint8_t* name; /** length of name */ size_t namelen; /** number of labels in name of rrset */ int namelabs; /** the ancestor in the trustanchor tree */ struct trust_anchor* parent; /** * List of DS or DNSKEY rrs that form the trust anchor. */ struct ta_key* keylist; /** Autotrust anchor point data, or NULL */ struct autr_point_data* autr; /** number of DSs in the keylist */ size_t numDS; /** number of DNSKEYs in the keylist */ size_t numDNSKEY; /** the DS RRset */ struct ub_packed_rrset_key* ds_rrset; /** The DNSKEY RRset */ struct ub_packed_rrset_key* dnskey_rrset; /** class of the trust anchor */ uint16_t dclass; }; /** * Create trust anchor storage * @return new storage or NULL on error. */ struct val_anchors* anchors_create(void); /** * Delete trust anchor storage. * @param anchors: to delete. */ void anchors_delete(struct val_anchors* anchors); /** * Process trust anchor config. * @param anchors: struct anchor storage * @param cfg: config options. * @return 0 on error. */ int anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg); /** * Recalculate parent pointers. The caller must hold the lock on the * anchors structure (say after removing an item from the rbtree). * Caller must not hold any locks on trust anchors. * After the call is complete the parent pointers are updated and an item * just removed is no longer referenced in parent pointers. * @param anchors: the structure to update. */ void anchors_init_parents_locked(struct val_anchors* anchors); /** * Given a qname/qclass combination, find the trust anchor closest above it. * Or return NULL if none exists. * * @param anchors: struct anchor storage * @param qname: query name, uncompressed wireformat. * @param qname_len: length of qname. * @param qclass: class to query for. * @return the trust anchor or NULL if none is found. The anchor is locked. */ struct trust_anchor* anchors_lookup(struct val_anchors* anchors, uint8_t* qname, size_t qname_len, uint16_t qclass); /** * Find a trust anchor. Exact matching. * @param anchors: anchor storage. * @param name: name of trust anchor (wireformat) * @param namelabs: labels in name * @param namelen: length of name * @param dclass: class of trust anchor * @return NULL if not found. The anchor is locked. */ struct trust_anchor* anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs, size_t namelen, uint16_t dclass); /** * Store one string as trust anchor RR. * @param anchors: anchor storage. * @param buffer: parsing buffer, to generate the RR wireformat in. * @param str: string. * @return NULL on error. */ struct trust_anchor* anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer, const char* str); /** * Get memory in use by the trust anchor storage * @param anchors: anchor storage. * @return memory in use in bytes. */ size_t anchors_get_mem(struct val_anchors* anchors); /** compare two trust anchors */ int anchor_cmp(const void* k1, const void* k2); /** * Add insecure point trust anchor. For external use (locks and init_parents) * @param anchors: anchor storage. * @param c: class. * @param nm: name of insecure trust point. * @return false on alloc failure. */ int anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm); /** * Delete insecure point trust anchor. Does not remove if no such point. * For external use (locks and init_parents) * @param anchors: anchor storage. * @param c: class. * @param nm: name of insecure trust point. */ void anchors_delete_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm); #endif /* VALIDATOR_VAL_ANCHOR_H */