1b7579f77SDag-Erling Smørgrav /* 2b7579f77SDag-Erling Smørgrav * validator/val_anchor.c - validator trust anchor storage. 3b7579f77SDag-Erling Smørgrav * 4b7579f77SDag-Erling Smørgrav * Copyright (c) 2007, NLnet Labs. All rights reserved. 5b7579f77SDag-Erling Smørgrav * 6b7579f77SDag-Erling Smørgrav * This software is open source. 7b7579f77SDag-Erling Smørgrav * 8b7579f77SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without 9b7579f77SDag-Erling Smørgrav * modification, are permitted provided that the following conditions 10b7579f77SDag-Erling Smørgrav * are met: 11b7579f77SDag-Erling Smørgrav * 12b7579f77SDag-Erling Smørgrav * Redistributions of source code must retain the above copyright notice, 13b7579f77SDag-Erling Smørgrav * this list of conditions and the following disclaimer. 14b7579f77SDag-Erling Smørgrav * 15b7579f77SDag-Erling Smørgrav * Redistributions in binary form must reproduce the above copyright notice, 16b7579f77SDag-Erling Smørgrav * this list of conditions and the following disclaimer in the documentation 17b7579f77SDag-Erling Smørgrav * and/or other materials provided with the distribution. 18b7579f77SDag-Erling Smørgrav * 19b7579f77SDag-Erling Smørgrav * Neither the name of the NLNET LABS nor the names of its contributors may 20b7579f77SDag-Erling Smørgrav * be used to endorse or promote products derived from this software without 21b7579f77SDag-Erling Smørgrav * specific prior written permission. 22b7579f77SDag-Erling Smørgrav * 23b7579f77SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 2417d15b25SDag-Erling Smørgrav * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 2517d15b25SDag-Erling Smørgrav * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 2617d15b25SDag-Erling Smørgrav * A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT 2717d15b25SDag-Erling Smørgrav * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 2817d15b25SDag-Erling Smørgrav * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 2917d15b25SDag-Erling Smørgrav * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 3017d15b25SDag-Erling Smørgrav * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 3117d15b25SDag-Erling Smørgrav * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 3217d15b25SDag-Erling Smørgrav * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 3317d15b25SDag-Erling Smørgrav * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34b7579f77SDag-Erling Smørgrav */ 35b7579f77SDag-Erling Smørgrav 36b7579f77SDag-Erling Smørgrav /** 37b7579f77SDag-Erling Smørgrav * \file 38b7579f77SDag-Erling Smørgrav * 39b7579f77SDag-Erling Smørgrav * This file contains storage for the trust anchors for the validator. 
 */
#include "config.h"
#include <ctype.h>
#include "validator/val_anchor.h"
#include "validator/val_sigcrypt.h"
#include "validator/autotrust.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/config_file.h"
#include "util/as112.h"
#include "sldns/sbuffer.h"
#include "sldns/rrdef.h"
#include "sldns/str2wire.h"
#ifdef HAVE_GLOB_H
#include <glob.h>
#endif

/**
 * rbtree compare function for trust anchors.  Orders by class first
 * (the raw, non-ntohs'ed value; only a consistent total order is needed,
 * not a meaningful one), then by dname label comparison.  In that order
 * a parent name sorts before all of its children within a class, which
 * anchors_init_parents_locked() relies on when it fills in parent pointers.
 * @param k1: first struct trust_anchor*.
 * @param k2: second struct trust_anchor*.
 * @return <0, 0 or >0 like strcmp.
 */
int
anchor_cmp(const void* k1, const void* k2)
{
	int m;
	struct trust_anchor* n1 = (struct trust_anchor*)k1;
	struct trust_anchor* n2 = (struct trust_anchor*)k2;
	/* no need to ntohs(class) because sort order is irrelevant */
	if(n1->dclass != n2->dclass) {
		if(n1->dclass < n2->dclass)
			return -1;
		return 1;
	}
	/* m receives the count of shared labels (used by
	 * anchors_init_parents_locked); it is not needed for ordering. */
	return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs,
		&m);
}

struct val_anchors*
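anchors_create(void)
{
	/* Allocate the anchor store: an rbtree of struct trust_anchor ordered
	 * by anchor_cmp, plus the autotrust global state.  Returns NULL on
	 * allocation failure; partially built stores are torn down with
	 * anchors_delete(). */
	struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a));
	if(!a)
		return NULL;
	/* Initialise the lock before either failure path below can call
	 * anchors_delete(), which unconditionally unprotects and destroys
	 * a->lock; previously those paths destroyed a never-initialised lock. */
	lock_basic_init(&a->lock);
	a->tree = rbtree_create(anchor_cmp);
	if(!a->tree) {
		anchors_delete(a);
		return NULL;
	}
	a->autr = autr_global_create();
	if(!a->autr) {
		anchors_delete(a);
		return NULL;
	}
	/* lock checking (checklocks builds): both structs are guarded by
	 * a->lock */
	lock_protect(&a->lock, a, sizeof(*a));
	lock_protect(&a->lock, a->autr, sizeof(*a->autr));
	return a;
}

/**
 * Delete an rrset that was assembled from a trust anchor's key list
 * (ds_rrset / dnskey_rrset): frees the packed data arrays, the rdata
 * block, the owner name and the key itself.
 * @param pkey: the rrset; NULL is allowed and ignored.
 */
static void
assembled_rrset_delete(struct ub_packed_rrset_key* pkey)
{
	if(!pkey) return;
	if(pkey->entry.data) {
		struct packed_rrset_data* pd = (struct packed_rrset_data*)
			pkey->entry.data;
		free(pd->rr_data);
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
}

/**
 * rbtree traversal callback: destroy locks in tree and delete autotrust
 * anchors.  Autotrust-managed anchors are handed to autr_point_delete();
 * static anchors free their key list and assembled rrsets here.
 * @param elem: the trust_anchor node (NULL is ignored).
 * @param arg: unused.
 */
static void
anchors_delfunc(rbnode_type* elem, void* ATTR_UNUSED(arg))
{
	struct trust_anchor* ta = (struct trust_anchor*)elem;
	if(!ta) return;
	if(ta->autr) {
		autr_point_delete(ta);
	} else {
		struct ta_key* p, *np;
		lock_basic_destroy(&ta->lock);
		free(ta->name);
		p = ta->keylist;
		while(p) {
			np = p->next;
			free(p->data);
			free(p);
			p = np;
		}
		assembled_rrset_delete(ta->ds_rrset);
		assembled_rrset_delete(ta->dnskey_rrset);
		free(ta);
	}
}

/**
 * Delete the anchor store and everything in it.
 * The store lock is destroyed before the tree is walked, so no other
 * thread may still be using the store when this is called.
 * @param anchors: the store; NULL is allowed and ignored.
 */
void
anchors_delete(struct val_anchors* anchors)
{
	if(!anchors)
		return;
	lock_unprotect(&anchors->lock, anchors->autr);
	lock_unprotect(&anchors->lock, anchors);
	lock_basic_destroy(&anchors->lock);
	if(anchors->tree)
		traverse_postorder(anchors->tree, anchors_delfunc, NULL);
	free(anchors->tree);
	autr_global_delete(anchors->autr);
	free(anchors);
}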

/**
 * Rebuild the parent pointers of all anchors.  Caller holds anchors->lock.
 * Every node's parent is reset first, so this may be re-run after
 * insertions.  Because of the anchor_cmp sort order (a parent sorts
 * directly before its subtree, within one class), the parent of a node is
 * either the previous node or one of the previous node's ancestors; the
 * shared-label count m from dname_lab_cmp picks the closest one.
 * @param anchors: the store, locked by the caller.
 */
void
anchors_init_parents_locked(struct val_anchors* anchors)
{
	struct trust_anchor* node, *prev = NULL, *p;
	int m;
	/* nobody else can grab locks because we hold the main lock.
	 * Thus the previous items, after unlocked, are not deleted */
	RBTREE_FOR(node, struct trust_anchor*, anchors->tree) {
		lock_basic_lock(&node->lock);
		node->parent = NULL;
		if(!prev || prev->dclass != node->dclass) {
			/* first node of a class has no parent */
			prev = node;
			lock_basic_unlock(&node->lock);
			continue;
		}
		(void)dname_lab_cmp(prev->name, prev->namelabs, node->name,
			node->namelabs, &m); /* we know prev is smaller */
		/* sort order like: . com. bla.com. zwb.com. net. */
		/* find the previous, or parent-parent-parent */
		for(p = prev; p; p = p->parent)
			/* looking for name with few labels, a parent */
			if(p->namelabs <= m) {
				/* ==: since prev matched m, this is closest*/
				/* <: prev matches more, but is not a parent,
				 * this one is a (grand)parent */
				node->parent = p;
				break;
			}
		lock_basic_unlock(&node->lock);
		prev = node;
	}
}

/** initialise parent pointers in the tree (takes and releases the
 * store lock around anchors_init_parents_locked) */
static void
init_parents(struct val_anchors* anchors)
{
	lock_basic_lock(&anchors->lock);
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);
}

/**
 * Look up a trust anchor by exact name and class.
 * The anchor is returned LOCKED (ta->lock held); the caller must
 * lock_basic_unlock() it.  The node lock is taken while anchors->lock is
 * still held, so the anchor cannot be deleted between search and lock.
 * Only an exact match is found; walking up to an enclosing anchor is the
 * caller's job.  namelen is stored in the key but anchor_cmp does not
 * consult it.
 * @param anchors: the store.
 * @param name: wireformat name; NULL yields NULL.
 * @param namelabs: label count of name.
 * @param namelen: length of name.
 * @param dclass: class (raw, as stored).
 * @return the locked anchor, or NULL if not present.
 */
struct trust_anchor*
anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass)
{
	struct trust_anchor key;
	rbnode_type* n;
	if(!name) return NULL;
	key.node.key = &key;
	key.name = name;
	key.namelabs = namelabs;
	key.namelen = namelen;
	key.dclass = dclass;
	lock_basic_lock(&anchors->lock);
	n = rbtree_search(anchors->tree, &key);
	if(n) {
		lock_basic_lock(&((struct trust_anchor*)n->key)->lock);
	}
	lock_basic_unlock(&anchors->lock);
	if(!n)
		return NULL;
	return (struct trust_anchor*)n->key;
}

/**
 * Create a new, empty trust anchor object and insert it into the tree.
 * The name is copied.  The new anchor's own lock is initialised but NOT
 * taken; the caller locks it if it needs exclusive access.
 * @param anchors: the store.
 * @param name: wireformat name (copied).
 * @param namelabs: label count.
 * @param namelen: name length.
 * @param dclass: class.
 * @param lockit: if nonzero, anchors->lock is taken around the insert;
 *	pass 0 only when the caller already holds anchors->lock.
 * @return the anchor, or NULL on malloc failure.
 */
static struct trust_anchor*
anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass, int lockit)
{
#ifdef UNBOUND_DEBUG
	rbnode_type* r;
#endif
	struct trust_anchor* ta = (struct trust_anchor*)malloc(
		sizeof(struct trust_anchor));
	if(!ta)
		return NULL;
	memset(ta, 0, sizeof(*ta));
	ta->node.key = ta;
	ta->name = memdup(name, namelen);
	if(!ta->name) {
		free(ta);
		return NULL;
	}
	ta->namelabs = namelabs;
	ta->namelen = namelen;
	ta->dclass = dclass;
	lock_basic_init(&ta->lock);
	if(lockit) {
		lock_basic_lock(&anchors->lock);
	}
	/* in debug builds the insert result is checked below; presumably
	 * rbtree_insert returns NULL when the key already exists, which
	 * callers avoid by calling anchor_find first */
#ifdef UNBOUND_DEBUG
	r =
#else
	(void)
#endif
	rbtree_insert(anchors->tree, &ta->node);
	if(lockit) {
		lock_basic_unlock(&anchors->lock);
	}
	/* r only exists under UNBOUND_DEBUG, so log_assert must compile to
	 * nothing otherwise */
	log_assert(r != NULL);
	return ta;
}

/**
 * Find a key in the anchor's key list by exact data match.
 * Compares type, length and the raw bytes (including the leading
 * rdlength, which is part of the stored data).  A plain memcmp is fine
 * here: DS/DNSKEY records are public, not secrets.
 * @param ta: the anchor (caller holds ta->lock).
 * @param rdata: rdata including rdlength prefix.
 * @param rdata_len: its length.
 * @param type: DS or DNSKEY.
 * @return the matching key, or NULL.
 */
static struct ta_key*
anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len,
	uint16_t type)
{
	struct ta_key* k;
	for(k = ta->keylist; k; k = k->next) {
		if(k->type == type && k->len == rdata_len &&
			memcmp(k->data, rdata, rdata_len) == 0)
			return k;
	}
	return NULL;
}

/**
 * Create a new trustanchor key.  The rdata is copied, so the caller's
 * buffer may be reused afterwards.
 * @param rdata: rdata including rdlength prefix.
 * @param rdata_len: its length.
 * @param type: DS or DNSKEY.
 * @return the key (next pointer NULL), or NULL on malloc failure.
 */
static struct ta_key*
anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type)
{
	struct ta_key* k = (struct ta_key*)malloc(sizeof(*k));
	if(!k)
		return NULL;
	memset(k, 0, sizeof(*k));
	k->data = memdup(rdata, rdata_len);
	if(!k->data) {
		free(k);
		return NULL;
	}
	k->len = rdata_len;
	k->type = type;
	return k;
}

/**
 * This routine adds a new RR to a trust anchor. The trust anchor may not
 * exist yet, and is created if not. The RR can be DS or DNSKEY.
 * This routine will also remove duplicates; storing them only once.
 * @param anchors: anchor storage.
 * @param name: name of trust anchor (wireformat)
 * @param type: type of RR
 * @param dclass: class of RR
 * @param rdata: rdata wireformat, starting with rdlength.
 * 	If NULL, nothing is stored, but an entry is created.
 * @param rdata_len: length of rdata including rdlength.
 * @return: NULL on error, else the trust anchor.
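 */
static struct trust_anchor*
anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type,
	uint16_t dclass, uint8_t* rdata, size_t rdata_len)
{
	struct ta_key* k;
	struct trust_anchor* ta;
	int namelabs;
	size_t namelen;
	namelabs = dname_count_size_labels(name, &namelen);
	/* only DS and DNSKEY can serve as a trust anchor */
	if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) {
		log_err("Bad type for trust anchor");
		return NULL;
	}
	/* lookup or create trustanchor; anchor_find returns it locked */
	ta = anchor_find(anchors, name, namelabs, namelen, dclass);
	if(!ta) {
		ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1);
		if(!ta)
			return NULL;
		/* NOTE(review): between anchor_new_ta releasing anchors->lock
		 * and this lock, the new anchor is visible in the tree with an
		 * empty key list.  Presumably harmless because anchors are
		 * loaded before queries are served -- confirm with callers. */
		lock_basic_lock(&ta->lock);
	}
	if(!rdata) {
		/* entry created without keys: an "insecure" anchor point */
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	/* look for duplicates */
	if(anchor_find_key(ta, rdata, rdata_len, type)) {
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	k = anchor_new_ta_key(rdata, rdata_len, type);
	if(!k) {
		lock_basic_unlock(&ta->lock);
		return NULL;
	}
	/* add new key at the head of the list and keep the per-type counts */
	if(type == LDNS_RR_TYPE_DS)
		ta->numDS++;
	else	ta->numDNSKEY++;
	k->next = ta->keylist;
	ta->keylist = k;
	lock_basic_unlock(&ta->lock);
	return ta;
}

/**
 * Add new RR. It converts ldns RR to wire format.
 * The rdata passed on includes its 2-byte rdlength prefix, hence the +2.
 * @param anchors: anchor storage.
 * @param rr: the wirerr.
 * @param rl: length of rr.
 * @param dl: length of dname.
 * @return NULL on error (out of memory, or not a DS/DNSKEY), else the
 *	trust anchor.
 */
static struct trust_anchor*
anchor_store_new_rr(struct val_anchors* anchors, uint8_t* rr, size_t rl,
	size_t dl)
{
	struct trust_anchor* ta;
	if(!(ta=anchor_store_new_key(anchors, rr,
		sldns_wirerr_get_type(rr, rl, dl),
		sldns_wirerr_get_class(rr, rl, dl),
		sldns_wirerr_get_rdatawl(rr, rl, dl),
		sldns_wirerr_get_rdatalen(rr, rl, dl)+2))) {
		return NULL;
	}
	log_nametypeclass(VERB_QUERY, "adding trusted key",
		rr, sldns_wirerr_get_type(rr, rl, dl),
		sldns_wirerr_get_class(rr, rl, dl));
	return ta;
}

/**
 * Insert insecure anchor: an anchor point (class IN) with no keys at all.
 * @param anchors: anchor storage.
 * @param str: the domain name.
 * @return NULL on error, Else last trust anchor point
 */
static struct trust_anchor*
anchor_insert_insecure(struct val_anchors* anchors, const char* str)
{
	struct trust_anchor* ta;
	size_t dname_len = 0;
	uint8_t* nm = sldns_str2wire_dname(str, &dname_len);
	if(!nm) {
		log_err("parse error in domain name '%s'", str);
		return NULL;
	}
	ta = anchor_store_new_key(anchors, nm, LDNS_RR_TYPE_DS,
		LDNS_RR_CLASS_IN, NULL, 0);
	free(nm);
	return ta;
}

/**
 * Parse one RR in presentation format and store it as a trust anchor.
 * @param anchors: anchor storage.
 * @param buffer: scratch buffer; the wire RR is written from its start
 *	and must fit in its capacity.
 * @param str: the RR text.
 * @return NULL on error, else the trust anchor.
 */
struct trust_anchor*
anchor_store_str(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* str)
{
	struct trust_anchor* ta;
	uint8_t* rr = sldns_buffer_begin(buffer);
	size_t len = sldns_buffer_capacity(buffer), dname_len = 0;
	int status = sldns_str2wire_rr_buf(str, rr, &len, &dname_len,
		0, NULL, 0, NULL, 0);
	if(status != 0) {
		log_err("error parsing trust anchor %s: at %d: %s",
			str, LDNS_WIREPARSE_OFFSET(status),
			sldns_get_errorstr_parse(status));
		return NULL;
	}
	if(!(ta=anchor_store_new_rr(anchors, rr, len, dname_len))) {
		/* anchor_store_new_rr also fails for RR types other than
		 * DS/DNSKEY (anchor_store_new_key logs that case first), so
		 * this message is not always the real reason */
		log_err("out of memory");
		return NULL;
	}
	return ta;
}

/**
 * Read a file with trust anchors
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: string.
 * @param onlyone: only one trust anchor allowed in file.
 * @return NULL on error. Else last trust-anchor point.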
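 *	When !onlyone and the file holds no DS/DNSKEY at all, the
 *	non-NULL sentinel (struct trust_anchor*)1 is returned; it must
 *	not be dereferenced.
 */
static struct trust_anchor*
anchor_read_file(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* fname, int onlyone)
{
	struct trust_anchor* ta = NULL, *tanew;
	struct sldns_file_parse_state pst;
	int status;
	size_t len, dname_len;
	uint8_t* rr = sldns_buffer_begin(buffer);
	int ok = 1;
	FILE* in = fopen(fname, "r");
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		return NULL;
	}
	memset(&pst, 0, sizeof(pst));
	pst.default_ttl = 3600;
	pst.lineno = 1;
	while(!feof(in)) {
		len = sldns_buffer_capacity(buffer);
		dname_len = 0;
		status = sldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst);
		/* NOTE: a nonzero status with len == 0 is skipped here, not
		 * reported; do not reorder these two checks without checking
		 * what sldns_fp2wire_rr_buf returns for directives. */
		if(len == 0) /* empty, $TTL, $ORIGIN */
			continue;
		if(status != 0) {
			/* a malformed record aborts the whole load */
			log_err("parse error in %s:%d:%d : %s", fname,
				pst.lineno, LDNS_WIREPARSE_OFFSET(status),
				sldns_get_errorstr_parse(status));
			ok = 0;
			break;
		}
		/* other RR types are silently ignored, not an error */
		if(sldns_wirerr_get_type(rr, len, dname_len) !=
			LDNS_RR_TYPE_DS && sldns_wirerr_get_type(rr, len,
			dname_len) != LDNS_RR_TYPE_DNSKEY) {
			continue;
		}
		if(!(tanew=anchor_store_new_rr(anchors, rr, len, dname_len))) {
			log_err("mem error at %s line %d", fname, pst.lineno);
			ok = 0;
			break;
		}
		/* with onlyone, every key must belong to the same anchor */
		if(onlyone && ta && ta != tanew) {
			log_err("error at %s line %d: no multiple anchor "
				"domains allowed (you can have multiple "
				"keys, but they must have the same name).",
				fname, pst.lineno);
			ok = 0;
			break;
		}
		ta = tanew;
	}
	fclose(in);
	if(!ok) return NULL;
	/* empty file is OK when multiple anchors are allowed */
	if(!onlyone && !ta) return (struct trust_anchor*)1;
	return ta;
}

/**
 * Skip file to end of line.
 * @param in: the file.
 * @param c: receives the last character read: '\n' on success, or EOF,
 *	so the caller can tell the two apart.
 */
static void
skip_to_eol(FILE* in, int *c)
{
	while((*c = getc(in)) != EOF ) {
		if(*c == '\n')
			return;
	}
}

/** true for special characters in bind configs */
static int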
is_bind_special(int c)
{
	/* The four characters that the trusted-keys tokenizer returns as
	 * single-character tokens of their own. */
	return (c == '{' || c == '}' || c == '"' || c == ';') ? 1 : 0;
}

/**
 * Read a keyword skipping bind comments; spaces, specials, restkeywords.
 * The file is split into the following tokens:
 *	* special characters, on their own, rdlen=1, { } doublequote ;
 *	* whitespace becomes a single ' ' or tab. Newlines become spaces.
 *	* other words ('keywords')
 *	* comments are skipped if desired
 *		/ / C++ style comment to end of line
 *		# to end of line
 *		/ * C style comment * /
 * @param in: file to read from.
 * @param buf: buffer, what is read is stored after current buffer position.
 *	Space is left in the buffer to write a terminating 0.
 * @param line: line number is increased per line, for error reports.
 * @param comments: if 0, comments are not possible and become text.
 *	if 1, comments are skipped entirely.
 *	In BIND files, this is when reading quoted strings, for example
 *	" base 64 text with / / in there "
 * @return the number of character written to the buffer.
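 * 0 on end of file. 0 is also returned when EOF is hit while skipping a
 * comment or trailing whitespace; what was collected so far is dropped.
 * Aborts the process (fatal_exit) when the buffer cannot hold one more
 * character plus a terminating 0.
 */
static int
readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments)
{
	int c;
	int numdone = 0;	/* characters appended to buf by this call */
	while((c = getc(in)) != EOF ) {
		if(comments && c == '#') {	/* # blabla */
			skip_to_eol(in, &c);
			if(c == EOF) return 0;
			(*line)++;
			continue;
		} else if(comments && c=='/' && numdone>0 && /* /_/ bla*/
			sldns_buffer_read_u8_at(buf, 
			sldns_buffer_position(buf)-1) == '/') {
			/* the first '/' was already stored as keyword text;
			 * take it back out before skipping the comment */
			sldns_buffer_skip(buf, -1);
			numdone--;
			skip_to_eol(in, &c);
			if(c == EOF) return 0;
			(*line)++;
			continue;
		} else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */
			sldns_buffer_read_u8_at(buf, 
			sldns_buffer_position(buf)-1) == '/') {
			sldns_buffer_skip(buf, -1);
			numdone--;
			/* skip to end of comment */
			while(c != EOF && (c=getc(in)) != EOF ) {
				if(c == '*') {
					/* swallow a run of '*' so that "**/"
					 * also closes the comment; the char
					 * after the run is examined below */
					while((c=getc(in)) == '*')
						;
					if(c == '/')
						break;
				}
				if(c == '\n')
					(*line)++;
			}
			if(c == EOF) return 0;
			continue;
		}
		/* not a comment, complete the keyword */
		if(numdone > 0) {
			/* check same type: a keyword ends at whitespace or at
			 * a special; that character is pushed back so the
			 * next call returns it as its own token */
			if(isspace((unsigned char)c)) {
				ungetc(c, in);
				return numdone;
			}
			if(is_bind_special(c)) {
				ungetc(c, in);
				return numdone;
			}
		}
		if(c == '\n') {
			c = ' ';
			(*line)++;
		}
		/* space for 1 char + 0 string terminator */
		if(sldns_buffer_remaining(buf) < 2) {
			fatal_exit("trusted-keys, %d, string too long", *line);
		}
		sldns_buffer_write_u8(buf, (uint8_t)c);
		numdone++;
		if(isspace((unsigned char)c)) {
			/* collate whitespace into ' ': only reached with
			 * numdone == 1, so the token is the single space */
			while((c = getc(in)) != EOF ) {
				if(c == '\n')
					(*line)++;
				if(!isspace((unsigned char)c)) {
					ungetc(c, in);
					break;
				}
			}
			if(c == EOF) return 0;
			return numdone;
		}
		if(is_bind_special(c))
			return numdone;
	}
	return numdone;
}

/**
 * Skip through the file to the special character spec ({ or ;).
 * Whitespace tokens are ignored; the first other token must be the
 * single character spec, anything else is an error.
 * @param in: file to read from.
 * @param buf: parse buffer, cleared first and used for the tokens.
 * @param line: line number, updated while reading.
 * @param spec: the expected special character.
 * @return 1 when spec was found, 0 on another token or on EOF (logged).
 */
static int
skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec)
{
	int rdlen;
	sldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
		if(rdlen == 1 && isspace((unsigned char)*sldns_buffer_begin(buf))) {
			sldns_buffer_clear(buf);
			continue;
		}
		if(rdlen != 1 || *sldns_buffer_begin(buf) != (uint8_t)spec) {
			/* terminate so the offending token is printable */
			sldns_buffer_write_u8(buf, 0);
			log_err("trusted-keys, line %d, expected %c",
				*line, spec);
			return 0;
		}
		return 1;
	}
	log_err("trusted-keys, line %d, expected %c got EOF", *line, spec);
	return 0;
}

/**
 * read contents of trusted-keys{ ... ; clauses and insert keys into storage.
 * @param anchors: where to store keys
 * @param buf: buffer to use
 * @param line: line number in file
 * @param in: file to read from.
 * @return 0 on error.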
 */
static int
process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf, 
	int* line, FILE* in)
{
	/* loop over contents, collate strings before ; */
	/* contents is (numbered):  0     1   2 3   4      5..    */
	/*                          name. 257 3 5 base64 base64  */
	/* quoted value:            0 "111" 0 0 0 0 0 0 0 */
	/* comments value:          1 "000" 1 1 1 "0 0 0 0" 1 */
	/* contnum counts the non-whitespace tokens seen since the last ';'
	 * (the table above); quoted is 1 while inside a "..." span that
	 * started at token 0 (a quoted name); comments is passed to the
	 * tokenizer and is switched off inside quotes, so that base64 text
	 * containing "//" is not taken for a comment. The text collected in
	 * buf is turned into "<name> DNSKEY <flags> <proto> <algo> <base64>"
	 * and handed to anchor_store_str at the ';'. */
	int contnum = 0;
	int quoted = 0;
	int comments = 1;
	int rdlen;
	char* str = 0;
	sldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
		/* rdlen == 1 means one byte was just appended, so looking
		 * at sldns_buffer_current(buf)[-1] is within the buffer */
		if(rdlen == 1 && sldns_buffer_position(buf) == 1
			&& isspace((unsigned char)*sldns_buffer_begin(buf))) {
			/* starting whitespace is removed */
			sldns_buffer_clear(buf);
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '"') {
			/* remove " from the string */
			if(contnum == 0) {
				quoted = 1;
				comments = 0;
			}
			sldns_buffer_skip(buf, -1);
			if(contnum > 0 && quoted) {
				/* closing quote of a quoted name: insert the
				 * rrtype here, as the unquoted path does at
				 * contnum == 1 below */
				if(sldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				sldns_buffer_write(buf, " DNSKEY ", 8);
				quoted = 0;
				comments = 1;
			} else if(contnum > 0)
				comments = !comments;
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == ';') {

			/* a key needs name, flags, protocol, algorithm and
			 * at least one base64 token */
			if(contnum < 5) {
				sldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key", *line);
				return 0;
			}
			sldns_buffer_skip(buf, -1);
			sldns_buffer_write_u8(buf, 0);
			/* copy out: anchor_store_str gets buf as scratch
			 * space, so the text cannot stay in it */
			str = strdup((char*)sldns_buffer_begin(buf));
			if(!str) {
				log_err("line %d, allocation failure", *line);
				return 0;
			}
			if(!anchor_store_str(anchors, buf, str)) {
				log_err("line %d, bad key", *line);
				free(str);
				return 0;
			}
			free(str);
			sldns_buffer_clear(buf);
			contnum = 0;
			quoted = 0;
			comments = 1;
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '}') {
			/* end of the trusted-keys block; a half-read key
			 * (tokens without a closing ';') is an error */
			if(contnum > 0) {
				sldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key before }", *line);
				return 0;
			}
			return 1;
		} else if(rdlen == 1 && 
			isspace((unsigned char)sldns_buffer_current(buf)[-1])) {
			/* leave whitespace here */
		} else {
			/* not space or whatnot, so actual content */
			contnum ++;
			if(contnum == 1 && !quoted) {
				if(sldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				sldns_buffer_write(buf, " DNSKEY ", 8);
			}
		}
	}

	log_err("line %d, EOF before }", *line);
	return 0;
}

/**
 * Read a BIND9 like file with trust anchors in named.conf format.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: string.
 * @return false on error.
 */
static int
anchor_read_bind_file(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* fname)
{
	/* Scan the file for "trusted-keys" keywords; each one is parsed as
	 * '{' contents ';' and every other token is ignored. */
	int line_nr = 1;
	int result = 0;
	int rdlen;
	FILE* in = fopen(fname, "r");
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		return 0;
	}
	verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
	sldns_buffer_clear(buffer);
	for(;;) {
		rdlen = readkeyword_bindfile(in, buffer, &line_nr, 1);
		if(rdlen == 0) {
			/* end of file: every block so far parsed cleanly */
			result = 1;
			break;
		}
		/* only a 12 byte token spelling trusted-keys starts a block */
		if(rdlen != 12 || strncmp((char*)sldns_buffer_begin(buffer),
			"trusted-keys", 12) != 0) {
			sldns_buffer_clear(buffer);
			continue;
		}
		/* the three steps run in order and stop at the first failure,
		 * exactly like separate early returns would */
		if(!skip_to_special(in, buffer, &line_nr, '{')
			|| !process_bind_contents(anchors, buffer, &line_nr, in)
			|| !skip_to_special(in, buffer, &line_nr, ';')) {
			log_err("error in trusted key: \"%s\"", fname);
			break;
		}
		sldns_buffer_clear(buffer);
	}
	/* single close for the success path and the error path */
	fclose(in);
	return result;
}

/**
 * Read a BIND9 like files with trust anchors in named.conf format.
 * Performs wildcard processing of name.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param pat: pattern string. (can be wildcarded)
 * @return false on error.
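 */
static int
anchor_read_bind_file_wild(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* pat)
{
#ifdef HAVE_GLOB
	glob_t g;
	size_t i;
	int r, flags;
	/* no glob metacharacters: treat the pattern as a plain file name */
	if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') &&
		!strchr(pat, '{') && !strchr(pat, '~')) {
		return anchor_read_bind_file(anchors, buffer, pat);
	}
	verbose(VERB_QUERY, "wildcard found, processing %s", pat);
	/* GLOB_ERR makes an unreadable directory an error instead of a
	 * silent skip; the other flags are used only where the platform
	 * defines them. */
	flags = 0
#ifdef GLOB_ERR
		| GLOB_ERR
#endif
#ifdef GLOB_NOSORT
		| GLOB_NOSORT
#endif
#ifdef GLOB_BRACE
		| GLOB_BRACE
#endif
#ifdef GLOB_TILDE
		| GLOB_TILDE
#endif
	;
	memset(&g, 0, sizeof(g));
	r = glob(pat, flags, NULL, &g);
	if(r) {
		/* some error */
		if(r == GLOB_NOMATCH) {
			verbose(VERB_QUERY, "trusted-keys-file: "
				"no matches for %s", pat);
		} else if(r == GLOB_NOSPACE) {
			log_err("wildcard trusted-keys-file %s: "
				"pattern out of memory", pat);
		} else if(r == GLOB_ABORTED) {
			log_err("wildcard trusted-keys-file %s: expansion "
				"aborted (%s)", pat, strerror(errno));
		} else {
			log_err("wildcard trusted-keys-file %s: expansion "
				"failed (%s)", pat, strerror(errno));
		}
		/* An aborted expansion may leave partial matches in g;
		 * release them. On the zeroed, unfilled structure globfree
		 * is a no-op, so this is safe for every error code. */
		globfree(&g);
		/* ignore globs that yield no files: the failure is logged but
		 * does not stop the configuration from loading */
		return 1;
	}
	/* process files found, if any */
	for(i=0; i<(size_t)g.gl_pathc; i++) {
		if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) {
			log_err("error reading wildcard "
				"trusted-keys-file: %s", g.gl_pathv[i]);
			globfree(&g);
			return 0;
		}
	}
	globfree(&g);
	return 1;
#else /* not HAVE_GLOB */
	return anchor_read_bind_file(anchors, buffer, pat);
#endif /* HAVE_GLOB */
}

/**
 * Assemble an rrset structure for the type
 * @param ta: trust anchor.
 * @param num: number of items to fetch from list.
 * @param type: fetch only items of this type.
 * @return rrset or NULL on error.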
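 */
static struct ub_packed_rrset_key*
assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
{
	struct ub_packed_rrset_key* pkey = calloc(1, sizeof(*pkey));
	struct packed_rrset_data* pd = NULL;
	struct ta_key* tk;
	size_t i = 0;
	if(!pkey)
		return NULL;
	pkey->rk.dname = memdup(ta->name, ta->namelen);
	if(!pkey->rk.dname)
		goto fail;
	pkey->rk.dname_len = ta->namelen;
	pkey->rk.type = htons(type);
	pkey->rk.rrset_class = htons(ta->dclass);
	/* The rrset is built in an uncompressed way. This means it
	 * cannot be copied in the normal way. */
	pd = calloc(1, sizeof(*pd));
	if(!pd)
		goto fail;
	pd->count = num;
	pd->trust = rrset_trust_ultimate;
	/* reallocarray(NULL, ...) is a malloc with an overflow-checked
	 * num*size; the three arrays are parallel, indexed by rr number */
	pd->rr_len = reallocarray(NULL, num, sizeof(size_t));
	pd->rr_ttl = reallocarray(NULL, num, sizeof(time_t));
	pd->rr_data = reallocarray(NULL, num, sizeof(uint8_t*));
	if(!pd->rr_len || !pd->rr_ttl || !pd->rr_data)
		goto fail;
	/* fill in rrs */
	for(tk = ta->keylist; tk; tk = tk->next) {
		if(tk->type != type)
			continue;
		if(i >= num) {
			/* num is the array size; more keys of this type than
			 * the caller counted must not write past the arrays */
			log_err("assemble_it: more keys than counted for "
				"trust anchor rrset");
			goto fail;
		}
		pd->rr_len[i] = tk->len;
		/* reuse data ptr to allocation in talist */
		pd->rr_data[i] = tk->data;
		pd->rr_ttl[i] = 0;
		i++;
	}
	pkey->entry.data = (void*)pd;
	return pkey;
fail:
	/* pd and its arrays are NULL until allocated (calloc) and free(NULL)
	 * is a no-op, so one cleanup path covers every failure above. The
	 * rr_data pointers are not owned here and are not freed. */
	if(pd) {
		free(pd->rr_data);
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
	return NULL;
}

/**
 * Assemble structures for the trust DS and DNSKEY rrsets.
 * An rrset is only built for a type with a non-zero count; on failure the
 * rrsets built so far are left in place on ta.
 * @param ta: trust anchor
 * @return: false on error.
 */
static int
anchors_assemble(struct trust_anchor* ta)
{
	if(ta->numDS > 0) {
		ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS);
		if(!ta->ds_rrset)
			return 0;
	}
	if(ta->numDNSKEY > 0) {
		ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY,
			LDNS_RR_TYPE_DNSKEY);
		if(!ta->dnskey_rrset)
			return 0;
	}
	return 1;
}

/**
 * Check DS algos for support, warn if not.
 * @param ta: trust anchor
 * @return number of DS anchors with unsupported algorithms.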
 */
static size_t
anchors_ds_unsupported(struct trust_anchor* ta)
{
	/* Walk the assembled DS rrset. An entry counts as unsupported when
	 * its digest algorithm is not implemented, or (checked only when the
	 * digest is fine) its key algorithm is not implemented. */
	size_t idx;
	size_t unsupported = 0;
	for(idx = 0; idx < ta->numDS; idx++) {
		if(!ds_digest_algo_is_supported(ta->ds_rrset, idx)) {
			unsupported++;
			continue;
		}
		if(!ds_key_algo_is_supported(ta->ds_rrset, idx))
			unsupported++;
	}
	return unsupported;
}

/**
 * Count the DNSKEY anchors of a trust anchor that the validator cannot use.
 * @param ta: trust anchor; dnskey_rrset must be assembled already, its
 *	first numDNSKEY entries are inspected.
 * @return number of DNSKEY anchors with an unsupported algorithm or key size.
 */
static size_t
anchors_dnskey_unsupported(struct trust_anchor* ta)
{
	size_t idx;
	size_t unsupported = 0;
	for(idx = 0; idx < ta->numDNSKEY; idx++) {
		/* same two-step test as for DS: the size check only runs
		 * when the algorithm itself is supported */
		if(!dnskey_algo_is_supported(ta->dnskey_rrset, idx)) {
			unsupported++;
			continue;
		}
		if(!dnskey_size_is_supported(ta->dnskey_rrset, idx))
			unsupported++;
	}
	return unsupported;
}

/**
 * Assemble the rrsets in the anchors, ready for use by validator.
 * @param anchors: trust anchor storage.
 * @return: false on error.
988b7579f77SDag-Erling Smørgrav */ 989b7579f77SDag-Erling Smørgrav static int 990b7579f77SDag-Erling Smørgrav anchors_assemble_rrsets(struct val_anchors* anchors) 991b7579f77SDag-Erling Smørgrav { 992b7579f77SDag-Erling Smørgrav struct trust_anchor* ta; 993b7579f77SDag-Erling Smørgrav struct trust_anchor* next; 994b7579f77SDag-Erling Smørgrav size_t nods, nokey; 995b7579f77SDag-Erling Smørgrav lock_basic_lock(&anchors->lock); 996b7579f77SDag-Erling Smørgrav ta=(struct trust_anchor*)rbtree_first(anchors->tree); 9973005e0a3SDag-Erling Smørgrav while((rbnode_type*)ta != RBTREE_NULL) { 998b7579f77SDag-Erling Smørgrav next = (struct trust_anchor*)rbtree_next(&ta->node); 999b7579f77SDag-Erling Smørgrav lock_basic_lock(&ta->lock); 1000b7579f77SDag-Erling Smørgrav if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) { 1001b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1002b7579f77SDag-Erling Smørgrav ta = next; /* skip */ 1003b7579f77SDag-Erling Smørgrav continue; 1004b7579f77SDag-Erling Smørgrav } 1005b7579f77SDag-Erling Smørgrav if(!anchors_assemble(ta)) { 1006b7579f77SDag-Erling Smørgrav log_err("out of memory"); 1007b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1008b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1009b7579f77SDag-Erling Smørgrav return 0; 1010b7579f77SDag-Erling Smørgrav } 1011b7579f77SDag-Erling Smørgrav nods = anchors_ds_unsupported(ta); 1012b7579f77SDag-Erling Smørgrav nokey = anchors_dnskey_unsupported(ta); 1013b7579f77SDag-Erling Smørgrav if(nods) { 10140eefd307SCy Schubert log_nametypeclass(NO_VERBOSE, "warning: unsupported " 1015b7579f77SDag-Erling Smørgrav "algorithm for trust anchor", 1016b7579f77SDag-Erling Smørgrav ta->name, LDNS_RR_TYPE_DS, ta->dclass); 1017b7579f77SDag-Erling Smørgrav } 1018b7579f77SDag-Erling Smørgrav if(nokey) { 10190eefd307SCy Schubert log_nametypeclass(NO_VERBOSE, "warning: unsupported " 1020b7579f77SDag-Erling Smørgrav "algorithm for trust anchor", 1021b7579f77SDag-Erling 
Smørgrav ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 1022b7579f77SDag-Erling Smørgrav } 1023b7579f77SDag-Erling Smørgrav if(nods == ta->numDS && nokey == ta->numDNSKEY) { 1024*be771a7bSCy Schubert char b[LDNS_MAX_DOMAINLEN]; 1025b7579f77SDag-Erling Smørgrav dname_str(ta->name, b); 1026b7579f77SDag-Erling Smørgrav log_warn("trust anchor %s has no supported algorithms," 1027b7579f77SDag-Erling Smørgrav " the anchor is ignored (check if you need to" 102809a3aaf3SDag-Erling Smørgrav " upgrade unbound and " 102909a3aaf3SDag-Erling Smørgrav #ifdef HAVE_LIBRESSL 103009a3aaf3SDag-Erling Smørgrav "libressl" 103109a3aaf3SDag-Erling Smørgrav #else 103209a3aaf3SDag-Erling Smørgrav "openssl" 103309a3aaf3SDag-Erling Smørgrav #endif 103409a3aaf3SDag-Erling Smørgrav ")", b); 1035b7579f77SDag-Erling Smørgrav (void)rbtree_delete(anchors->tree, &ta->node); 1036b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1037b7579f77SDag-Erling Smørgrav anchors_delfunc(&ta->node, NULL); 1038b7579f77SDag-Erling Smørgrav ta = next; 1039b7579f77SDag-Erling Smørgrav continue; 1040b7579f77SDag-Erling Smørgrav } 1041b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1042b7579f77SDag-Erling Smørgrav ta = next; 1043b7579f77SDag-Erling Smørgrav } 1044b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1045b7579f77SDag-Erling Smørgrav return 1; 1046b7579f77SDag-Erling Smørgrav } 1047b7579f77SDag-Erling Smørgrav 1048b7579f77SDag-Erling Smørgrav int 1049b7579f77SDag-Erling Smørgrav anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) 1050b7579f77SDag-Erling Smørgrav { 1051b7579f77SDag-Erling Smørgrav struct config_strlist* f; 10520de4f1bfSDag-Erling Smørgrav const char** zstr; 1053b7579f77SDag-Erling Smørgrav char* nm; 105417d15b25SDag-Erling Smørgrav sldns_buffer* parsebuf = sldns_buffer_new(65535); 10555469a995SCy Schubert if(!parsebuf) { 10565469a995SCy Schubert log_err("malloc error in anchors_apply_cfg."); 10575469a995SCy Schubert return 0; 
10585469a995SCy Schubert } 10590de4f1bfSDag-Erling Smørgrav if(cfg->insecure_lan_zones) { 10600de4f1bfSDag-Erling Smørgrav for(zstr = as112_zones; *zstr; zstr++) { 10610de4f1bfSDag-Erling Smørgrav if(!anchor_insert_insecure(anchors, *zstr)) { 10620de4f1bfSDag-Erling Smørgrav log_err("error in insecure-lan-zones: %s", *zstr); 10630de4f1bfSDag-Erling Smørgrav sldns_buffer_free(parsebuf); 10640de4f1bfSDag-Erling Smørgrav return 0; 10650de4f1bfSDag-Erling Smørgrav } 10660de4f1bfSDag-Erling Smørgrav } 10670de4f1bfSDag-Erling Smørgrav } 1068b7579f77SDag-Erling Smørgrav for(f = cfg->domain_insecure; f; f = f->next) { 1069b7579f77SDag-Erling Smørgrav if(!f->str || f->str[0] == 0) /* empty "" */ 1070b7579f77SDag-Erling Smørgrav continue; 1071b7579f77SDag-Erling Smørgrav if(!anchor_insert_insecure(anchors, f->str)) { 1072b7579f77SDag-Erling Smørgrav log_err("error in domain-insecure: %s", f->str); 107317d15b25SDag-Erling Smørgrav sldns_buffer_free(parsebuf); 1074b7579f77SDag-Erling Smørgrav return 0; 1075b7579f77SDag-Erling Smørgrav } 1076b7579f77SDag-Erling Smørgrav } 1077b7579f77SDag-Erling Smørgrav for(f = cfg->trust_anchor_file_list; f; f = f->next) { 1078b7579f77SDag-Erling Smørgrav if(!f->str || f->str[0] == 0) /* empty "" */ 1079b7579f77SDag-Erling Smørgrav continue; 1080b7579f77SDag-Erling Smørgrav nm = f->str; 1081b7579f77SDag-Erling Smørgrav if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, 1082b7579f77SDag-Erling Smørgrav cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1083b7579f77SDag-Erling Smørgrav nm += strlen(cfg->chrootdir); 1084b7579f77SDag-Erling Smørgrav if(!anchor_read_file(anchors, parsebuf, nm, 0)) { 1085b7579f77SDag-Erling Smørgrav log_err("error reading trust-anchor-file: %s", f->str); 108617d15b25SDag-Erling Smørgrav sldns_buffer_free(parsebuf); 1087b7579f77SDag-Erling Smørgrav return 0; 1088b7579f77SDag-Erling Smørgrav } 1089b7579f77SDag-Erling Smørgrav } 1090b7579f77SDag-Erling Smørgrav for(f = cfg->trusted_keys_file_list; f; f = f->next) { 
1091b7579f77SDag-Erling Smørgrav if(!f->str || f->str[0] == 0) /* empty "" */ 1092b7579f77SDag-Erling Smørgrav continue; 1093b7579f77SDag-Erling Smørgrav nm = f->str; 1094b7579f77SDag-Erling Smørgrav if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, 1095b7579f77SDag-Erling Smørgrav cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1096b7579f77SDag-Erling Smørgrav nm += strlen(cfg->chrootdir); 1097b7579f77SDag-Erling Smørgrav if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) { 1098b7579f77SDag-Erling Smørgrav log_err("error reading trusted-keys-file: %s", f->str); 109917d15b25SDag-Erling Smørgrav sldns_buffer_free(parsebuf); 1100b7579f77SDag-Erling Smørgrav return 0; 1101b7579f77SDag-Erling Smørgrav } 1102b7579f77SDag-Erling Smørgrav } 1103b7579f77SDag-Erling Smørgrav for(f = cfg->trust_anchor_list; f; f = f->next) { 1104b7579f77SDag-Erling Smørgrav if(!f->str || f->str[0] == 0) /* empty "" */ 1105b7579f77SDag-Erling Smørgrav continue; 1106b7579f77SDag-Erling Smørgrav if(!anchor_store_str(anchors, parsebuf, f->str)) { 1107b7579f77SDag-Erling Smørgrav log_err("error in trust-anchor: \"%s\"", f->str); 110817d15b25SDag-Erling Smørgrav sldns_buffer_free(parsebuf); 1109b7579f77SDag-Erling Smørgrav return 0; 1110b7579f77SDag-Erling Smørgrav } 1111b7579f77SDag-Erling Smørgrav } 1112b7579f77SDag-Erling Smørgrav /* do autr last, so that it sees what anchors are filled by other 1113b7579f77SDag-Erling Smørgrav * means can can print errors about double config for the name */ 1114b7579f77SDag-Erling Smørgrav for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) { 1115b7579f77SDag-Erling Smørgrav if(!f->str || f->str[0] == 0) /* empty "" */ 1116b7579f77SDag-Erling Smørgrav continue; 1117b7579f77SDag-Erling Smørgrav nm = f->str; 1118b7579f77SDag-Erling Smørgrav if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, 1119b7579f77SDag-Erling Smørgrav cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1120b7579f77SDag-Erling Smørgrav nm += strlen(cfg->chrootdir); 
/* read the auto-trust-anchor file (chroot prefix already stripped above) */
		if(!autr_read_file(anchors, nm)) {
			log_err("error reading auto-trust-anchor-file: %s",
				f->str);
			sldns_buffer_free(parsebuf);
			return 0;
		}
	}
	/* first assemble, since it may delete useless anchors */
	anchors_assemble_rrsets(anchors);
	init_parents(anchors);
	sldns_buffer_free(parsebuf);
	if(verbosity >= VERB_ALGO) autr_debug_print(anchors);
	return 1;
}

/**
 * Find the trust anchor that covers a query name: the anchor for qname
 * itself when one exists, otherwise the closest enclosing anchor of the
 * same class (found by walking up the parent chain of the nearest
 * smaller tree entry until its label count fits the shared labels).
 * Lock order: anchors->lock is taken first and the anchor's own lock is
 * taken while it is still held, then anchors->lock is released.
 * @param anchors: anchor store.
 * @param qname: query name, wire format.
 * @param qname_len: length of qname in bytes.
 * @param qclass: query class.
 * @return the covering anchor, returned with result->lock held (the
 *	caller must unlock it), or NULL when no anchor of that class
 *	covers qname.
 */
struct trust_anchor*
anchors_lookup(struct val_anchors* anchors,
	uint8_t* qname, size_t qname_len, uint16_t qclass)
{
	struct trust_anchor key;
	struct trust_anchor* result;
	rbnode_type* res = NULL;
	key.node.key = &key;
	key.name = qname;
	key.namelabs = dname_count_labels(qname);
	key.namelen = qname_len;
	key.dclass = qclass;
	lock_basic_lock(&anchors->lock);
	if(rbtree_find_less_equal(anchors->tree, &key, &res)) {
		/* exact: no class check here, the tree ordering is presumably
		 * keyed on dclass as well — confirm in the tree compare. */
		result = (struct trust_anchor*)res;
	} else {
		/* smaller element (or no element) */
		int m;
		result = (struct trust_anchor*)res;
		if(!result || result->dclass != qclass) {
			lock_basic_unlock(&anchors->lock);
			return NULL;
		}
		/* count number of labels matched */
		(void)dname_lab_cmp(result->name, result->namelabs, key.name,
			key.namelabs, &m);
		while(result) { /* go up until qname is subdomain of stub */
			if(result->namelabs <= m)
				break;
			result = result->parent;
		}
	}
	if(result) {
		/* handed to the caller locked; taken under anchors->lock so
		 * it cannot be deleted in between */
		lock_basic_lock(&result->lock);
	}
	lock_basic_unlock(&anchors->lock);
	return result;
}

/**
 * Get memory usage of an assembled key rrset.
 * @param pkey: rrset key, NULL is allowed.
 * @return bytes for the key, its owner name and the packed data's
 *	per-RR bookkeeping (length, ttl, pointer per RR); 0 for NULL.
 */
static size_t
assembled_rrset_get_mem(struct ub_packed_rrset_key* pkey)
{
	size_t s;
	if(!pkey)
		return 0;
	s = sizeof(*pkey) + pkey->rk.dname_len;
	if(pkey->entry.data) {
		struct packed_rrset_data* pd = (struct packed_rrset_data*)
			pkey->entry.data;
		s += sizeof(*pd) + pd->count * (sizeof(size_t)+sizeof(time_t)+
			sizeof(uint8_t*));
	}
	return s;
}

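/**
 * Sum the memory held by the anchor store: the store itself, every
 * trust anchor with its name, its configured keys, its assembled DS and
 * DNSKEY rrsets and, for auto-trust-anchor points, the autr state.
 * Takes anchors->lock and then each ta->lock in turn while walking.
 * @param anchors: anchor store, NULL is allowed.
 * @return byte count; 0 for NULL.
 */
size_t
anchors_get_mem(struct val_anchors* anchors)
{
	struct trust_anchor *ta;
	struct ta_key *k;
	size_t s;
	if(!anchors) return 0;
	s = sizeof(*anchors);
	lock_basic_lock(&anchors->lock);
	RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) {
		lock_basic_lock(&ta->lock);
		s += sizeof(*ta) + ta->namelen;
		/* configured keys */
		for(k = ta->keylist; k; k = k->next) {
			s += sizeof(*k) + k->len;
		}
		/* assembled rrsets (NULL-safe) */
		s += assembled_rrset_get_mem(ta->ds_rrset);
		s += assembled_rrset_get_mem(ta->dnskey_rrset);
		/* auto-trust-anchor (RFC 5011) state, when present */
		if(ta->autr) {
			struct autr_ta* p;
			s += sizeof(*ta->autr);
			if(ta->autr->file)
				s += strlen(ta->autr->file);
			for(p = ta->autr->keys; p; p=p->next) {
				s += sizeof(*p) + p->rr_len;
			}
		}
		lock_basic_unlock(&ta->lock);
	}
	lock_basic_unlock(&anchors->lock);
	return s;
}

/**
 * Add an insecure point: an anchor entry that carries no key material,
 * so that validation treats the name as insecure. If an anchor or
 * insecure point already exists for the name and class nothing changes.
 * @param anchors: anchor store; anchors->lock is taken and released here.
 * @param c: class.
 * @param nm: name, wire format.
 * @return 1 on success (including "already present"), 0 on out of memory.
 */
int
anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm)
{
	struct trust_anchor key;
	key.node.key = &key;
	key.name = nm;
	key.namelabs = dname_count_size_labels(nm, &key.namelen);
	key.dclass = c;
	lock_basic_lock(&anchors->lock);
	if(rbtree_search(anchors->tree, &key)) {
		lock_basic_unlock(&anchors->lock);
		/* nothing to do, already an anchor or insecure point */
		return 1;
	}
	if(!anchor_new_ta(anchors, nm, key.namelabs, key.namelen, c, 0)) {
		log_err("out of memory");
		lock_basic_unlock(&anchors->lock);
		return 0;
	}
	/* no other contents in new ta, because it is insecure point;
	 * parent links must be rebuilt because the tree changed shape */
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);
	return 1;
}

/**
 * Remove an insecure point. An entry that has any key material
 * (configured keys, autr state, DS or DNSKEY records) is a real trust
 * anchor and is left untouched, so this cannot be used to strip a
 * configured anchor.
 * Lock order: anchors->lock first, then ta->lock. The entry is taken
 * out of the tree before either lock is released, so a concurrent
 * anchors_lookup() (which takes ta->lock only under anchors->lock)
 * can no longer reach it; ta->lock is then released before the free.
 * @param anchors: anchor store.
 * @param c: class.
 * @param nm: name, wire format.
 */
void
anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
	uint8_t* nm)
{
	struct trust_anchor key;
	struct trust_anchor* ta;
	key.node.key = &key;
	key.name = nm;
	key.namelabs = dname_count_size_labels(nm, &key.namelen);
	key.dclass = c;
	lock_basic_lock(&anchors->lock);
	if(!(ta=(struct trust_anchor*)rbtree_search(anchors->tree, &key))) {
		lock_basic_unlock(&anchors->lock);
		/* nothing there */
		return;
	}
	/* lock it to drive away other threads that use it */
	lock_basic_lock(&ta->lock);
	/* see if its really an insecure point */
	if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) {
		lock_basic_unlock(&anchors->lock);
		lock_basic_unlock(&ta->lock);
		/* its not an insecure point, do not remove it */
		return;
	}

	/* remove from tree */
	(void)rbtree_delete(anchors->tree, &ta->node);
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);

	/* actual free of data; the lock must not be held while the
	 * entry (and the lock inside it) is destroyed */
	lock_basic_unlock(&ta->lock);
	anchors_delfunc(&ta->node, NULL);
}

/**
 * qsort callback: compare two keytags.
 * @param x: pointer to a uint16_t keytag.
 * @param y: pointer to a uint16_t keytag.
 * @return -1, 0 or 1.
 */
static int
keytag_compare(const void* x, const void* y)
{
	const uint16_t* a = (const uint16_t*)x;
	const uint16_t* b = (const uint16_t*)y;
	if(*a == *b)
		return 0;
	return (*a > *b) ? 1 : -1;
}

/**
 * List the keytags of an anchor's assembled DS and DNSKEY records, in
 * ascending order. The caller holds ta->lock.
 * @param ta: trust anchor.
 * @param list: output array.
 * @param num: capacity of list; listing stops silently once it is full,
 *	so size it from ta->numDS + ta->numDNSKEY to get every tag.
 * @return number of tags written; 0 for an insecure point.
 */
size_t
anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num)
{
	size_t i, ret = 0;
	if(ta->numDS == 0 && ta->numDNSKEY == 0)
		return 0; /* insecure point */
	if(ta->numDS != 0 && ta->ds_rrset) {
		struct packed_rrset_data* d=(struct packed_rrset_data*)
			ta->ds_rrset->entry.data;
		/* stop when the output is full instead of spinning to the end */
		for(i=0; i<d->count && ret<num; i++) {
			list[ret++] = ds_get_keytag(ta->ds_rrset, i);
		}
	}
	if(ta->numDNSKEY != 0 && ta->dnskey_rrset) {
		struct packed_rrset_data* d=(struct packed_rrset_data*)
			ta->dnskey_rrset->entry.data;
		for(i=0; i<d->count && ret<num; i++) {
			list[ret++] = dnskey_calc_keytag(ta->dnskey_rrset, i);
		}
	}
	/* nothing to sort when nothing was listed (also avoids handing
	 * qsort a possibly NULL base with a zero count) */
	if(ret > 0)
		qsort(list, ret, sizeof(*list), keytag_compare);
	return ret;
}

/**
 * Test whether an anchor for the given name and class has a key with
 * the given keytag among its DS or DNSKEY records.
 * anchor_find() hands back the anchor locked; every path below unlocks
 * it, and the lock is released before the tag list is scanned.
 * @param anchors: anchor store.
 * @param name: anchor name, wire format.
 * @param namelabs: label count of name.
 * @param namelen: length of name in bytes.
 * @param dclass: class.
 * @param keytag: keytag to look for.
 * @return 1 if found; 0 if there is no such anchor, it is an insecure
 *	point, the tag is absent, or the tag list could not be allocated.
 */
int
anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass, uint16_t keytag)
{
	uint16_t* taglist;
	size_t numtag, i;
	int found = 0;
	struct trust_anchor* anchor = anchor_find(anchors,
		name, namelabs, namelen, dclass);
	if(!anchor)
		return 0;
	if(!anchor->numDS && !anchor->numDNSKEY) {
		lock_basic_unlock(&anchor->lock);
		return 0;
	}

	/* calloc checks the count*size product for overflow */
	taglist = calloc(anchor->numDS + anchor->numDNSKEY, sizeof(*taglist));
	if(!taglist) {
		lock_basic_unlock(&anchor->lock);
		return 0;
	}

	numtag = anchor_list_keytags(anchor, taglist,
		anchor->numDS+anchor->numDNSKEY);
	lock_basic_unlock(&anchor->lock);
	/* single exit so the list is freed on every path */
	for(i=0; i<numtag; i++) {
		if(taglist[i] == keytag) {
			found = 1;
			break;
		}
	}
	free(taglist);
	return found;
}

/**
 * Find any anchor that is not an insecure point, i.e. one with DS or
 * DNSKEY records.
 * @param anchors: anchor store; anchors->lock is taken and released here.
 * @return the first such anchor in tree order, with ta->lock held (the
 *	caller must unlock it), or NULL if there is none.
 */
struct trust_anchor*
anchors_find_any_noninsecure(struct val_anchors* anchors)
{
	struct trust_anchor* ta, *next;
	lock_basic_lock(&anchors->lock);
	ta=(struct trust_anchor*)rbtree_first(anchors->tree);
	while((rbnode_type*)ta != RBTREE_NULL) {
		next = (struct trust_anchor*)rbtree_next(&ta->node);
		lock_basic_lock(&ta->lock);
		if(ta->numDS != 0 || ta->numDNSKEY != 0) {
			/* not an insecurepoint; returned locked */
			lock_basic_unlock(&anchors->lock);
			return ta;
		}
		lock_basic_unlock(&ta->lock);
		ta = next;
	}
	lock_basic_unlock(&anchors->lock);
	return NULL;
}

/**
 * Exchange the anchor tree and the autr probe tree of two stores, so
 * that data ends up holding the previous contents of anchors.
 * No lock is taken here: the caller is expected to guarantee that no
 * anchors_lookup() or other reader runs concurrently — confirm at the
 * call site. Both anchors->autr and data->autr are dereferenced
 * unconditionally; assumes every store is created with autr state —
 * TODO confirm.
 * @param anchors: live anchor store.
 * @param data: store whose contents are swapped in.
 */
void
anchors_swap_tree(struct val_anchors* anchors, struct val_anchors* data)
{
	rbtree_type* oldtree;
	rbtree_type oldprobe;

	if(!anchors || !data)
		return; /* If anchors is NULL, there is no validation. */

	oldtree = anchors->tree;
	oldprobe = anchors->autr->probe;

	anchors->tree = data->tree;
	anchors->autr->probe = data->autr->probe;

	data->tree = oldtree;
	data->autr->probe = oldprobe;
}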