/*
 * validator/val_anchor.c - validator trust anchor storage.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains storage for the trust anchors for the validator.
 */
#include "config.h"
#include <ctype.h>
#include "validator/val_anchor.h"
#include "validator/val_sigcrypt.h"
#include "validator/autotrust.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/config_file.h"
#include "sldns/sbuffer.h"
#include "sldns/rrdef.h"
#include "sldns/str2wire.h"
#ifdef HAVE_GLOB_H
#include <glob.h>
#endif

/**
 * rbtree compare function for trust anchors.
 * Orders first by class (raw field value, see the comment below) and then
 * by canonical label order of the owner name via dname_lab_cmp(), so that
 * a parent name sorts before its children.
 * @param k1: pointer to struct trust_anchor.
 * @param k2: pointer to struct trust_anchor.
 * @return <0, 0, >0 as k1 sorts before, equal to, or after k2.
 */
int
anchor_cmp(const void* k1, const void* k2)
{
	int m;
	struct trust_anchor* n1 = (struct trust_anchor*)k1;
	struct trust_anchor* n2 = (struct trust_anchor*)k2;
	/* no need to ntohs(class) because sort order is irrelevant */
	if(n1->dclass != n2->dclass) {
		if(n1->dclass < n2->dclass)
			return -1;
		return 1;
	}
	/* m (number of matching labels) is not needed here, only the order */
	return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs,
		&m);
}

/**
 * Allocate the trust anchor storage: an empty rbtree keyed by anchor_cmp
 * and the autotrust global state, with a lock protecting both.
 * @return the new storage, or NULL on allocation failure (nothing leaks).
 */
struct val_anchors*
anchors_create(void)
{
	struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a));
	if(!a)
		return NULL;
	a->tree = rbtree_create(anchor_cmp);
	if(!a->tree) {
		/* NOTE(review): anchors_delete() unprotects and destroys
		 * a->lock, which is only initialised further down; confirm
		 * the lock_* macros tolerate that on this early-exit path. */
		anchors_delete(a);
		return NULL;
	}
	a->autr = autr_global_create();
	if(!a->autr) {
		anchors_delete(a);
		return NULL;
	}
	lock_basic_init(&a->lock);
	lock_protect(&a->lock, a, sizeof(*a));
	lock_protect(&a->lock, a->autr, sizeof(*a->autr));
	return a;
}

/**
 * delete assembled rrset: frees the packed rrset data arrays, the data
 * struct, the owner name and the key itself. NULL is accepted.
 */
static void
assembled_rrset_delete(struct ub_packed_rrset_key* pkey)
{
	if(!pkey) return;
	if(pkey->entry.data) {
		struct packed_rrset_data* pd = (struct packed_rrset_data*)
			pkey->entry.data;
		free(pd->rr_data);
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
}

/**
 * destroy locks in tree and delete autotrust anchors.
 * Tree traversal callback: an autotrust anchor is handed to
 * autr_point_delete(); a static anchor has its lock destroyed, its name,
 * key list and assembled DS/DNSKEY rrsets freed, then the struct itself.
 * @param elem: the rbnode, which is the first member of trust_anchor.
 * @param arg: unused.
 */
static void
anchors_delfunc(rbnode_t* elem, void* ATTR_UNUSED(arg))
{
	struct trust_anchor* ta = (struct trust_anchor*)elem;
	if(!ta) return;
	if(ta->autr) {
		autr_point_delete(ta);
	} else {
		struct ta_key* p, *np;
		lock_basic_destroy(&ta->lock);
		free(ta->name);
		p = ta->keylist;
		while(p) {
			np = p->next;
			free(p->data);
			free(p);
			p = np;
		}
		assembled_rrset_delete(ta->ds_rrset);
		assembled_rrset_delete(ta->dnskey_rrset);
		free(ta);
	}
}

/**
 * Free the trust anchor storage and every anchor in it.
 * The main lock is destroyed before the tree is walked, so no other
 * thread may still be using the storage when this is called.
 * @param anchors: storage to delete, NULL is accepted.
 */
void
anchors_delete(struct val_anchors* anchors)
{
	if(!anchors)
		return;
	lock_unprotect(&anchors->lock, anchors->autr);
	lock_unprotect(&anchors->lock, anchors);
	lock_basic_destroy(&anchors->lock);
	if(anchors->tree)
		traverse_postorder(anchors->tree, anchors_delfunc, NULL);
	free(anchors->tree);
	autr_global_delete(anchors->autr);
	free(anchors);
}

/**
 * Set the parent pointer of every anchor in the tree.
 * Caller must hold anchors->lock. Walks the tree in sort order (class,
 * then label order) and links each anchor to the closest enclosing
 * anchor of the same class, or NULL if there is none.
 * @param anchors: anchor storage, locked by the caller.
 */
void
anchors_init_parents_locked(struct val_anchors* anchors)
{
	struct trust_anchor* node, *prev = NULL, *p;
	int m;
	/* nobody else can grab locks because we hold the main lock.
	 * Thus the previous items, after unlocked, are not deleted */
	RBTREE_FOR(node, struct trust_anchor*, anchors->tree) {
		lock_basic_lock(&node->lock);
		node->parent = NULL;
		/* first node, or first node of a new class: it is a root */
		if(!prev || prev->dclass != node->dclass) {
			prev = node;
			lock_basic_unlock(&node->lock);
			continue;
		}
		/* m receives the number of labels prev and node share */
		(void)dname_lab_cmp(prev->name, prev->namelabs, node->name,
			node->namelabs, &m); /* we know prev is smaller */
		/* sort order like: . com. bla.com. zwb.com. net. */
		/* find the previous, or parent-parent-parent */
		for(p = prev; p; p = p->parent)
			/* looking for name with few labels, a parent */
			if(p->namelabs <= m) {
				/* ==: since prev matched m, this is closest*/
				/* <: prev matches more, but is not a parent,
				 * this one is a (grand)parent */
				node->parent = p;
				break;
			}
		lock_basic_unlock(&node->lock);
		prev = node;
	}
}

/** initialise parent pointers in the tree (takes the main lock) */
static void
init_parents(struct val_anchors* anchors)
{
	lock_basic_lock(&anchors->lock);
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);
}

/**
 * Look up a trust anchor by exact name and class.
 * On success the returned anchor's own lock is held (it is taken while
 * the main lock is still held); the caller must unlock it.
 * @param anchors: anchor storage.
 * @param name: owner name in wireformat, NULL yields NULL.
 * @param namelabs: number of labels in name.
 * @param namelen: length of name in bytes.
 * @param dclass: class of the anchor.
 * @return the locked trust anchor, or NULL if not found.
 */
struct trust_anchor*
anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass)
{
	struct trust_anchor key;
	rbnode_t* n;
	if(!name) return NULL;
	/* stack key: only the fields anchor_cmp reads are filled in */
	key.node.key = &key;
	key.name = name;
	key.namelabs = namelabs;
	key.namelen = namelen;
	key.dclass = dclass;
	lock_basic_lock(&anchors->lock);
	n = rbtree_search(anchors->tree, &key);
	if(n) {
		lock_basic_lock(&((struct trust_anchor*)n->key)->lock);
	}
	lock_basic_unlock(&anchors->lock);
	if(!n)
		return NULL;
	return (struct trust_anchor*)n->key;
}

/**
 * create new trust anchor object and insert it into the tree.
 * @param anchors: anchor storage.
 * @param name: owner name in wireformat; a private copy is made.
 * @param namelabs: number of labels in name.
 * @param namelen: length of name in bytes.
 * @param dclass: class of the anchor.
 * @param lockit: if nonzero, anchors->lock is taken around the insert;
 *	pass 0 only when the caller already holds it.
 * @return the new anchor (not locked), or NULL on allocation failure.
 */
static struct trust_anchor*
anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass, int lockit)
{
#ifdef UNBOUND_DEBUG
	rbnode_t* r;
#endif
	struct trust_anchor* ta = (struct trust_anchor*)malloc(
		sizeof(struct trust_anchor));
	if(!ta)
		return NULL;
	memset(ta, 0, sizeof(*ta));
	ta->node.key = ta;
	ta->name = memdup(name, namelen);
	if(!ta->name) {
		free(ta);
		return NULL;
	}
	ta->namelabs = namelabs;
	ta->namelen = namelen;
	ta->dclass = dclass;
	lock_basic_init(&ta->lock);
	if(lockit) {
		lock_basic_lock(&anchors->lock);
	}
	/* r exists only in debug builds; log_assert() below must therefore
	 * discard its argument when UNBOUND_DEBUG is not defined. A NULL
	 * result would mean an anchor with this name/class already existed. */
#ifdef UNBOUND_DEBUG
	r =
#else
	(void)
#endif
	rbtree_insert(anchors->tree, &ta->node);
	if(lockit) {
		lock_basic_unlock(&anchors->lock);
	}
	log_assert(r != NULL);
	return ta;
}

/**
 * find trustanchor key by exact data match.
 * Caller must hold ta->lock.
 * @param ta: the trust anchor whose keylist is searched.
 * @param rdata: rdata to match (same layout as stored by
 *	anchor_new_ta_key).
 * @param rdata_len: length of rdata.
 * @param type: RR type the key must have.
 * @return the matching key, or NULL.
 */
static struct ta_key*
anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len,
	uint16_t type)
{
	struct ta_key* k;
	for(k = ta->keylist; k; k = k->next) {
		/* length is compared before memcmp, so no over-read */
		if(k->type == type && k->len == rdata_len &&
			memcmp(k->data, rdata, rdata_len) == 0)
			return k;
	}
	return NULL;
}

/**
 * create new trustanchor key holding a private copy of rdata.
 * @return the key (next pointer NULL), or NULL on allocation failure.
 */
static struct ta_key*
anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type)
{
	struct ta_key* k = (struct ta_key*)malloc(sizeof(*k));
	if(!k)
		return NULL;
	memset(k, 0, sizeof(*k));
	k->data = memdup(rdata, rdata_len);
	if(!k->data) {
		free(k);
		return NULL;
	}
	k->len = rdata_len;
	k->type = type;
	return k;
}

/**
 * This routine adds a new RR to a trust anchor. The trust anchor may not
 * exist yet, and is created if not. The RR can be DS or DNSKEY.
 * This routine will also remove duplicates; storing them only once.
 * The anchor's lock is held while its keylist is inspected and changed,
 * and is released before returning.
 * @param anchors: anchor storage.
 * @param name: name of trust anchor (wireformat)
 * @param type: type or RR
 * @param dclass: class of RR
 * @param rdata: rdata wireformat, starting with rdlength.
 *	If NULL, nothing is stored, but an entry is created.
 * @param rdata_len: length of rdata including rdlength.
 * @return: NULL on error, else the trust anchor.
 */
static struct trust_anchor*
anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type,
	uint16_t dclass, uint8_t* rdata, size_t rdata_len)
{
	struct ta_key* k;
	struct trust_anchor* ta;
	int namelabs;
	size_t namelen;
	namelabs = dname_count_size_labels(name, &namelen);
	/* only DS and DNSKEY records can act as trust anchors */
	if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) {
		log_err("Bad type for trust anchor");
		return 0;
	}
	/* lookup or create trustanchor */
	ta = anchor_find(anchors, name, namelabs, namelen, dclass);
	if(!ta) {
		/* anchor_find returns a locked anchor; a freshly created one
		 * is locked here to match. NOTE(review): the main lock is
		 * released inside anchor_new_ta before ta->lock is taken, so
		 * there is a small window in which the new anchor is visible
		 * in the tree but not yet locked by us. */
		ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1);
		if(!ta)
			return NULL;
		lock_basic_lock(&ta->lock);
	}
	if(!rdata) {
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	/* look for duplicates */
	if(anchor_find_key(ta, rdata, rdata_len, type)) {
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	k = anchor_new_ta_key(rdata, rdata_len, type);
	if(!k) {
		lock_basic_unlock(&ta->lock);
		return NULL;
	}
	/* add new key */
	if(type == LDNS_RR_TYPE_DS)
		ta->numDS++;
	else ta->numDNSKEY++;
	/* prepend to the keylist */
	k->next = ta->keylist;
	ta->keylist = k;
	lock_basic_unlock(&ta->lock);
	return ta;
}

/**
 * Add new RR. It converts ldns RR to wire format.
 * The RR is passed as uncompressed wire RR; the owner name at its start is
 * the anchor name, and the rdata pointer handed on includes the 2-byte
 * rdlength (hence the +2), as anchor_store_new_key expects.
 * @param anchors: anchor storage.
 * @param rr: the wirerr.
 * @param rl: length of rr.
 * @param dl: length of dname.
 * @return NULL on error, else the trust anchor.
 */
static struct trust_anchor*
anchor_store_new_rr(struct val_anchors* anchors, uint8_t* rr, size_t rl,
	size_t dl)
{
	struct trust_anchor* ta;
	if(!(ta=anchor_store_new_key(anchors, rr,
		sldns_wirerr_get_type(rr, rl, dl),
		sldns_wirerr_get_class(rr, rl, dl),
		sldns_wirerr_get_rdatawl(rr, rl, dl),
		sldns_wirerr_get_rdatalen(rr, rl, dl)+2))) {
		return NULL;
	}
	log_nametypeclass(VERB_QUERY, "adding trusted key",
		rr, sldns_wirerr_get_type(rr, rl, dl),
		sldns_wirerr_get_class(rr, rl, dl));
	return ta;
}

/**
 * Insert insecure anchor: an anchor entry with no keys (class IN), created
 * via anchor_store_new_key with rdata NULL.
 * @param anchors: anchor storage.
 * @param str: the domain name.
 * @return NULL on error, Else last trust anchor point
 */
static struct trust_anchor*
anchor_insert_insecure(struct val_anchors* anchors, const char* str)
{
	struct trust_anchor* ta;
	size_t dname_len = 0;
	uint8_t* nm = sldns_str2wire_dname(str, &dname_len);
	if(!nm) {
		log_err("parse error in domain name '%s'", str);
		return NULL;
	}
	ta = anchor_store_new_key(anchors, nm, LDNS_RR_TYPE_DS,
		LDNS_RR_CLASS_IN, NULL, 0);
	/* the anchor keeps its own copy of the name */
	free(nm);
	return ta;
}

/**
 * Parse one presentation-format RR string and store it as a trust anchor.
 * The RR is parsed into the start of buffer, bounded by the buffer's
 * capacity; the buffer contents are scratch and are overwritten.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param str: RR in zone-file text format.
 * @return NULL on parse error, out of memory or bad type (each logged),
 *	else the trust anchor.
 */
struct trust_anchor*
anchor_store_str(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* str)
{
	struct trust_anchor* ta;
	uint8_t* rr = sldns_buffer_begin(buffer);
	size_t len = sldns_buffer_capacity(buffer), dname_len = 0;
	int status = sldns_str2wire_rr_buf(str, rr, &len, &dname_len,
		0, NULL, 0, NULL, 0);
	if(status != 0) {
		log_err("error parsing trust anchor %s: at %d: %s",
			str, LDNS_WIREPARSE_OFFSET(status),
			sldns_get_errorstr_parse(status));
		return NULL;
	}
	/* a non-DS/DNSKEY type also ends up here; it is logged by
	 * anchor_store_new_key before this message */
	if(!(ta=anchor_store_new_rr(anchors, rr, len, dname_len))) {
		log_err("out of memory");
		return NULL;
	}
	return ta;
}

/**
 * Read a file with trust anchors
 * Records other than DS and DNSKEY are skipped silently.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: string.
 * @param onlyone: only one trust anchor allowed in file.
 * @return NULL on error. Else last trust-anchor point.
 *	When onlyone is 0 and the file held no anchors, the non-NULL
 *	sentinel (struct trust_anchor*)1 is returned: callers may only test
 *	it against NULL and must not dereference it.
 */
static struct trust_anchor*
anchor_read_file(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* fname, int onlyone)
{
	struct trust_anchor* ta = NULL, *tanew;
	struct sldns_file_parse_state pst;
	int status;
	size_t len, dname_len;
	uint8_t* rr = sldns_buffer_begin(buffer);
	int ok = 1;
	FILE* in = fopen(fname, "r");
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		return 0;
	}
	memset(&pst, 0, sizeof(pst));
	pst.default_ttl = 3600;
	pst.lineno = 1;
	while(!feof(in)) {
		/* reset the output bound for every record */
		len = sldns_buffer_capacity(buffer);
		dname_len = 0;
		status = sldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst);
		/* NOTE(review): this test precedes the status check, so a
		 * parse failure that leaves len at 0 would be skipped
		 * without being reported — confirm sldns_fp2wire_rr_buf
		 * never returns an error with len == 0. */
		if(len == 0) /* empty, $TTL, $ORIGIN */
			continue;
		if(status != 0) {
			log_err("parse error in %s:%d:%d : %s", fname,
				pst.lineno, LDNS_WIREPARSE_OFFSET(status),
				sldns_get_errorstr_parse(status));
			ok = 0;
			break;
		}
		if(sldns_wirerr_get_type(rr, len, dname_len) !=
			LDNS_RR_TYPE_DS && sldns_wirerr_get_type(rr, len,
			dname_len) != LDNS_RR_TYPE_DNSKEY) {
			continue;
		}
		if(!(tanew=anchor_store_new_rr(anchors, rr, len, dname_len))) {
			log_err("mem error at %s line %d", fname, pst.lineno);
			ok = 0;
			break;
		}
		/* with onlyone, every key must map to the same anchor */
		if(onlyone && ta && ta != tanew) {
			log_err("error at %s line %d: no multiple anchor "
				"domains allowed (you can have multiple "
				"keys, but they must have the same name).",
				fname, pst.lineno);
			ok = 0;
			break;
		}
		ta = tanew;
	}
	fclose(in);
	if(!ok) return NULL;
	/* empty file is OK when multiple anchors are allowed */
	if(!onlyone && !ta) return (struct trust_anchor*)1;
	return ta;
}

/** skip file to end of line; the newline itself is consumed */
static void
skip_to_eol(FILE* in)
{
	int c;
	while((c = getc(in)) != EOF ) {
		if(c == '\n')
			return;
	}
}

/** true for special characters in bind configs */
static int
is_bind_special(int c)
{
	/* braces, the double quote and the clause terminator are the only
	 * characters that form a token by themselves in a BIND config */
	return c == '{' || c == '}' || c == '"' || c == ';';
}

/**
 * Read a keyword skipping bind comments; spaces, specials, restkeywords.
 * The file is split into the following tokens:
 *	* special characters, on their own, rdlen=1, { } doublequote ;
 *	* whitespace becomes a single ' ' or tab. Newlines become spaces.
 *	* other words ('keywords')
 *	* comments are skipped if desired
 *		/ / C++ style comment to end of line
 *		# to end of line
 *		/ * C style comment * /
 * @param in: file to read from.
 * @param buf: buffer, what is read is stored after current buffer position.
 *	Space is left in the buffer to write a terminating 0.
 * @param line: line number is increased per line, for error reports.
 * @param comments: if 0, comments are not possible and become text.
 *	if 1, comments are skipped entirely.
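* In BIND files, this is when reading quoted strings, for example
 *	" base 64 text with / / in there "
 * @return the number of characters written to the buffer.
 *	0 on end of file.
 *	Exits the process via fatal_exit when a single token does not fit
 *	in the remaining buffer space (the file is configuration, read at
 *	startup or reload).
 */
static int
readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments)
{
	int c;
	int numdone = 0;
	while((c = getc(in)) != EOF ) {
		if(comments && c == '#') {	/* # blabla */
			skip_to_eol(in);
			(*line)++;
			continue;
		} else if(comments && c=='/' && numdone>0 && /* /_/ bla*/
			sldns_buffer_read_u8_at(buf,
			sldns_buffer_position(buf)-1) == '/') {
			/* the first '/' was already stored as keyword text,
			 * take it out of the buffer again */
			sldns_buffer_skip(buf, -1);
			numdone--;
			skip_to_eol(in);
			(*line)++;
			continue;
		} else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */
			sldns_buffer_read_u8_at(buf,
			sldns_buffer_position(buf)-1) == '/') {
			int prev = 0;
			sldns_buffer_skip(buf, -1);
			numdone--;
			/* skip to end of comment: it closes at the first '/'
			 * that directly follows a '*'. Track the previous
			 * character rather than reading one extra character
			 * after each '*', so that a comment ending in two
			 * stars and a slash also terminates here instead of
			 * swallowing the rest of the file (and any
			 * trusted-keys clause after it). */
			while((c = getc(in)) != EOF) {
				if(prev == '*' && c == '/')
					break;
				if(c == '\n')
					(*line)++;
				prev = c;
			}
			continue;
		}
		/* not a comment, complete the keyword */
		if(numdone > 0) {
			/* a keyword ends where whitespace or a special
			 * character starts; leave that character for the
			 * next call */
			if(isspace((unsigned char)c)) {
				ungetc(c, in);
				return numdone;
			}
			if(is_bind_special(c)) {
				ungetc(c, in);
				return numdone;
			}
		}
		if(c == '\n') {
			c = ' ';
			(*line)++;
		}
		/* space for 1 char + 0 string terminator */
		if(sldns_buffer_remaining(buf) < 2) {
			fatal_exit("trusted-keys, %d, string too long", *line);
		}
		sldns_buffer_write_u8(buf, (uint8_t)c);
		numdone++;
		if(isspace((unsigned char)c)) {
			/* collate whitespace into ' ' */
			while((c = getc(in)) != EOF ) {
				if(c == '\n')
					(*line)++;
				if(!isspace((unsigned char)c)) {
					ungetc(c, in);
					break;
				}
			}
			return numdone;
		}
		/* a special character is a complete token by itself */
		if(is_bind_special(c))
			return numdone;
	}
	return numdone;
}

/**
 * Read tokens until the expected special character is found.
 * Whitespace tokens are skipped; any other token is an error.
 * @param in: file to read from.
 * @param buf: parse buffer, cleared on entry; on error a 0 terminator is
 *	appended so the offending token is a C string.
 * @param line: line counter, for error reports.
 * @param spec: the special character to look for, '{' or ';'.
 * @return 1 when spec was read, 0 on an unexpected token or EOF.
 */
static int
skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec)
{
	int rdlen;
	sldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
		if(rdlen == 1 && isspace((unsigned char)*sldns_buffer_begin(buf))) {
			sldns_buffer_clear(buf);
			continue;
		}
		if(rdlen != 1 || *sldns_buffer_begin(buf) != (uint8_t)spec) {
			sldns_buffer_write_u8(buf, 0);
			log_err("trusted-keys, line %d, expected %c",
				*line, spec);
			return 0;
		}
		return 1;
	}
	log_err("trusted-keys, line %d, expected %c got EOF", *line, spec);
	return 0;
}

/**
 * read contents of trusted-keys{ ... ; clauses and insert keys into storage.
 * @param anchors: where to store keys
 * @param buf: buffer to use
 * @param line: line number in file
 * @param in: file to read from.
 * @return 0 on error.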
*/
static int
process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf,
	int* line, FILE* in)
{
	/* loop over contents, collate strings before ; */
	/* The content tokens of one key are numbered, and the text
	 * " DNSKEY " is inserted after the name so that the collected
	 * string becomes an RR in presentation format for anchor_store_str:
	 * contents is (numbered): 0     1    2  3  4      5 6 7 8 */
	/*                        name.  257  3  5  base64 base64 ...  */
	/* quoted value:           0 "111" 0  0  0   0 0 0 0 */
	/* comments value:         1 "000" 1  1  1  "0 0 0 0" 1 */
	/* contnum counts content tokens of the current key; quoted is set
	 * while inside a quoted name; comments is 0 inside quotes, where a
	 * '/' or '#' is data (base64), not the start of a comment */
	int contnum = 0;
	int quoted = 0;
	int comments = 1;
	int rdlen;
	char* str = 0;
	sldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
		if(rdlen == 1 && sldns_buffer_position(buf) == 1
			&& isspace((unsigned char)*sldns_buffer_begin(buf))) {
			/* starting whitespace is removed */
			sldns_buffer_clear(buf);
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '"') {
			/* remove " from the string */
			if(contnum == 0) {
				/* opening quote of a quoted name */
				quoted = 1;
				comments = 0;
			}
			sldns_buffer_skip(buf, -1);
			if(contnum > 0 && quoted) {
				/* closing quote of the name: add the type */
				if(sldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				sldns_buffer_write(buf, " DNSKEY ", 8);
				quoted = 0;
				comments = 1;
			} else if(contnum > 0)
				/* quotes around the base64 data toggle
				 * comment recognition off and on */
				comments = !comments;
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == ';') {

			/* end of one key: at least name, flags, protocol,
			 * algorithm and key data must have been seen */
			if(contnum < 5) {
				sldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key", *line);
				return 0;
			}
			sldns_buffer_skip(buf, -1);
			sldns_buffer_write_u8(buf, 0);
			/* anchor_store_str parses with buf itself, so the
			 * collected text is copied out first */
			str = strdup((char*)sldns_buffer_begin(buf));
			if(!str) {
				log_err("line %d, allocation failure", *line);
				return 0;
			}
			if(!anchor_store_str(anchors, buf, str)) {
				log_err("line %d, bad key", *line);
				free(str);
				return 0;
			}
			free(str);
			sldns_buffer_clear(buf);
			contnum = 0;
			quoted = 0;
			comments = 1;
			continue;
		} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '}') {
			/* end of the trusted-keys clause; a key without its
			 * terminating ; is an error */
			if(contnum > 0) {
				sldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key before }", *line);
				return 0;
			}
			return 1;
		} else if(rdlen == 1 &&
			isspace((unsigned char)sldns_buffer_current(buf)[-1])) {
			/* leave whitespace here */
		} else {
			/* not space or whatnot, so actual content */
			contnum ++;
			if(contnum == 1 && !quoted) {
				/* unquoted name: add the type right after it */
				if(sldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				sldns_buffer_write(buf, " DNSKEY ", 8);
			}
		}
	}

	log_err("line %d, EOF before }", *line);
	return 0;
}

/**
 * Read a BIND9 like file with trust anchors in named.conf format.
 * Everything outside trusted-keys { ... }; clauses is ignored.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: name of the file to open.
 * @return false on error.
*/
static int
anchor_read_bind_file(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* fname)
{
	int line_nr = 1;
	int rdlen;
	int ok = 0;
	FILE* in = fopen(fname, "r");
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		return 0;
	}
	verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
	/* scan for the trusted-keys keyword, ignore everything else */
	sldns_buffer_clear(buffer);
	for(;;) {
		rdlen = readkeyword_bindfile(in, buffer, &line_nr, 1);
		if(rdlen == 0) {
			/* EOF: every clause seen so far was processed */
			ok = 1;
			break;
		}
		if(rdlen != 12 || strncmp((char*)sldns_buffer_begin(buffer),
			"trusted-keys", 12) != 0) {
			sldns_buffer_clear(buffer);
			continue;
		}
		/* trusted-keys { <contents> } ; -- any failure in that
		 * sequence is a hard error for the whole file */
		if(!skip_to_special(in, buffer, &line_nr, '{')
			|| !process_bind_contents(anchors, buffer, &line_nr, in)
			|| !skip_to_special(in, buffer, &line_nr, ';')) {
			log_err("error in trusted key: \"%s\"", fname);
			break;
		}
		sldns_buffer_clear(buffer);
	}
	fclose(in);
	return ok;
}

/**
 * Read BIND9-style trusted-keys files in named.conf format, expanding
 * shell-style wildcards in the file name when glob() is available.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param pat: file name, may contain glob metacharacters.
 * @return false on error.
*/
static int
anchor_read_bind_file_wild(struct val_anchors* anchors, sldns_buffer* buffer,
	const char* pat)
{
#ifdef HAVE_GLOB
	glob_t g;
	size_t i;
	int r, flags;
	/* without any glob metacharacter the pattern is a plain file name */
	if(strpbrk(pat, "*?[{~") == NULL)
		return anchor_read_bind_file(anchors, buffer, pat);
	verbose(VERB_QUERY, "wildcard found, processing %s", pat);
	/* optional glob flags, only where the platform defines them */
	flags = 0
#ifdef GLOB_ERR
		| GLOB_ERR
#endif
#ifdef GLOB_NOSORT
		| GLOB_NOSORT
#endif
#ifdef GLOB_BRACE
		| GLOB_BRACE
#endif
#ifdef GLOB_TILDE
		| GLOB_TILDE
#endif
		;
	memset(&g, 0, sizeof(g));
	r = glob(pat, flags, NULL, &g);
	if(r != 0) {
		switch(r) {
		case GLOB_NOMATCH:
			verbose(VERB_QUERY, "trusted-keys-file: "
				"no matches for %s", pat);
			break;
		case GLOB_NOSPACE:
			log_err("wildcard trusted-keys-file %s: "
				"pattern out of memory", pat);
			break;
		case GLOB_ABORTED:
			log_err("wildcard trusted-keys-file %s: expansion "
				"aborted (%s)", pat, strerror(errno));
			break;
		default:
			log_err("wildcard trusted-keys-file %s: expansion "
				"failed (%s)", pat, strerror(errno));
			break;
		}
		/* ignore globs that yield no files: expansion failures are
		 * logged but do not fail the configuration */
		return 1;
	}
	/* process files found, if any; the first unreadable file fails
	 * the whole pattern */
	for(i=0; i<(size_t)g.gl_pathc; i++) {
		if(anchor_read_bind_file(anchors, buffer, g.gl_pathv[i]))
			continue;
		log_err("error reading wildcard "
			"trusted-keys-file: %s", g.gl_pathv[i]);
		globfree(&g);
		return 0;
	}
	globfree(&g);
	return 1;
#else /* not HAVE_GLOB */
	return anchor_read_bind_file(anchors, buffer, pat);
#endif /* HAVE_GLOB */
}

/**
 * Assemble an rrset structure holding the anchor's keys of one type.
 * @param ta: trust anchor.
 * @param num: number of items to fetch from list.
 * @param type: fetch only items of this type.
 * @return rrset or NULL on error.
*/
static struct ub_packed_rrset_key*
assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
{
	struct ub_packed_rrset_key* pkey;
	struct packed_rrset_data* pd = NULL;
	struct ta_key* tk;
	size_t i = 0;

	pkey = calloc(1, sizeof(*pkey));
	if(!pkey)
		return NULL;
	pkey->rk.dname = memdup(ta->name, ta->namelen);
	if(!pkey->rk.dname)
		goto fail;
	pkey->rk.dname_len = ta->namelen;
	pkey->rk.type = htons(type);
	pkey->rk.rrset_class = htons(ta->dclass);

	/* The rrset is built in an uncompressed way: the rr arrays are
	 * separate allocations rather than one packed region, so it cannot
	 * be copied (or freed) like a normally packed rrset. */
	pd = calloc(1, sizeof(*pd));
	if(!pd)
		goto fail;
	pd->count = num;
	pd->trust = rrset_trust_ultimate;
	pd->rr_len = reallocarray(NULL, num, sizeof(size_t));
	if(!pd->rr_len)
		goto fail;
	pd->rr_ttl = reallocarray(NULL, num, sizeof(time_t));
	if(!pd->rr_ttl)
		goto fail;
	pd->rr_data = reallocarray(NULL, num, sizeof(uint8_t*));
	if(!pd->rr_data)
		goto fail;

	/* fill in rrs of the requested type, in key list order */
	for(tk = ta->keylist; tk; tk = tk->next) {
		if(tk->type != type)
			continue;
		pd->rr_len[i] = tk->len;
		/* not copied: rr_data points at the allocation owned by the
		 * trust anchor's key list, so the rrset must not outlive it */
		pd->rr_data[i] = tk->data;
		pd->rr_ttl[i] = 0;
		i++;
	}
	pkey->entry.data = (void*)pd;
	return pkey;

fail:
	/* calloc zeroed pd, so unallocated arrays are NULL here */
	if(pd) {
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
	return NULL;
}

/**
 * Assemble structures for the trust DS and DNSKEY rrsets.
 * Only types with at least one key get an rrset.
 * @param ta: trust anchor
 * @return: false on error (out of memory).
 */
static int
anchors_assemble(struct trust_anchor* ta)
{
	if(ta->numDS > 0) {
		ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS);
		if(ta->ds_rrset == NULL)
			return 0;
	}
	if(ta->numDNSKEY == 0)
		return 1;
	ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY,
		LDNS_RR_TYPE_DNSKEY);
	return ta->dnskey_rrset != NULL;
}

/**
 * Count the DS anchors whose digest or key algorithm is not supported by
 * the crypto library. The caller logs the warning.
 * @param ta: trust anchor, with ds_rrset assembled.
 * @return number of DS anchors with unsupported algorithms.
*/
static size_t
anchors_ds_unsupported(struct trust_anchor* ta)
{
	size_t idx, unsupported = 0;
	for(idx = 0; idx < ta->numDS; idx++) {
		/* a DS is usable only if both its digest and the key
		 * algorithm it refers to are supported */
		if(!(ds_digest_algo_is_supported(ta->ds_rrset, idx) &&
			ds_key_algo_is_supported(ta->ds_rrset, idx)))
			unsupported++;
	}
	return unsupported;
}

/**
 * Count the DNSKEY anchors whose algorithm is not supported by the crypto
 * library. The caller logs the warning.
 * @param ta: trust anchor, with dnskey_rrset assembled.
 * @return number of DNSKEY anchors with unsupported algorithms.
 */
static size_t
anchors_dnskey_unsupported(struct trust_anchor* ta)
{
	size_t idx, unsupported = 0;
	for(idx = 0; idx < ta->numDNSKEY; idx++) {
		if(dnskey_algo_is_supported(ta->dnskey_rrset, idx))
			continue;
		unsupported++;
	}
	return unsupported;
}

/**
 * Assemble the rrsets in the anchors, ready for use by validator.
 * Anchors for which no key has a supported algorithm are removed.
 * @param anchors: trust anchor storage.
 * @return: false on error.
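*/
static int
anchors_assemble_rrsets(struct val_anchors* anchors)
{
	struct trust_anchor* ta;
	struct trust_anchor* next;
	size_t nods, nokey;
	lock_basic_lock(&anchors->lock);
	ta=(struct trust_anchor*)rbtree_first(anchors->tree);
	while((rbnode_t*)ta != RBTREE_NULL) {
		/* fetch the successor first: this node may be deleted below */
		next = (struct trust_anchor*)rbtree_next(&ta->node);
		lock_basic_lock(&ta->lock);
		/* autotrust anchors assemble their own rrsets; anchors
		 * without any key (e.g. insecure points) have nothing to do */
		if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) {
			lock_basic_unlock(&ta->lock);
			ta = next; /* skip */
			continue;
		}
		if(!anchors_assemble(ta)) {
			log_err("out of memory");
			lock_basic_unlock(&ta->lock);
			lock_basic_unlock(&anchors->lock);
			return 0;
		}
		nods = anchors_ds_unsupported(ta);
		nokey = anchors_dnskey_unsupported(ta);
		if(nods) {
			log_nametypeclass(0, "warning: unsupported "
				"algorithm for trust anchor",
				ta->name, LDNS_RR_TYPE_DS, ta->dclass);
		}
		if(nokey) {
			log_nametypeclass(0, "warning: unsupported "
				"algorithm for trust anchor",
				ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
		}
		/* an anchor that cannot be used at all is dropped from the
		 * tree, so the name is treated as having no configured
		 * anchor, rather than failing every validation under it */
		if(nods == ta->numDS && nokey == ta->numDNSKEY) {
			char b[257]; /* assumes dname_str bounds its output
				to this size -- confirm against dname_str */
			dname_str(ta->name, b);
			log_warn("trust anchor %s has no supported algorithms,"
				" the anchor is ignored (check if you need to"
				" upgrade unbound and "
#ifdef HAVE_LIBRESSL
				"libressl"
#else
				"openssl"
#endif
				")", b);
			(void)rbtree_delete(anchors->tree, &ta->node);
			lock_basic_unlock(&ta->lock);
			anchors_delfunc(&ta->node, NULL);
			ta = next;
			continue;
		}
		lock_basic_unlock(&ta->lock);
		ta = next;
	}
	lock_basic_unlock(&anchors->lock);
	return 1;
}

/**
 * Strip the configured chroot directory prefix from a configured file
 * name, so the path is valid once the daemon runs inside the chroot.
 * @param cfg: config, chrootdir may be NULL or "".
 * @param fname: configured file name.
 * @return fname with the prefix removed, or fname unchanged when no
 *	chroot is configured or it is not a prefix of the name.
 */
static char*
anchors_fname_in_chroot(struct config_file* cfg, char* fname)
{
	size_t clen;
	if(!cfg->chrootdir || !cfg->chrootdir[0])
		return fname;
	clen = strlen(cfg->chrootdir);
	if(strncmp(fname, cfg->chrootdir, clen) != 0)
		return fname;
	return fname + clen;
}

/**
 * Load all trust anchor related configuration into the anchor storage:
 * domain-insecure, trust-anchor-file, trusted-keys-file, trust-anchor,
 * dlv-anchor-file, dlv-anchor and auto-trust-anchor-file, then assemble
 * the rrsets and the parent links.
 * @param anchors: anchor storage.
 * @param cfg: config file contents.
 * @return false on error; an error is logged for the offending item.
 */
int
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
{
	struct config_strlist* f;
	char* nm;
	sldns_buffer* parsebuf = sldns_buffer_new(65535);
	if(!parsebuf) {
		/* the buffer is dereferenced by every reader below */
		log_err("out of memory");
		return 0;
	}
	for(f = cfg->domain_insecure; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!anchor_insert_insecure(anchors, f->str)) {
			log_err("error in domain-insecure: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trust_anchor_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_fname_in_chroot(cfg, f->str);
		if(!anchor_read_file(anchors, parsebuf, nm, 0)) {
			log_err("error reading trust-anchor-file: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trusted_keys_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_fname_in_chroot(cfg, f->str);
		if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) {
			log_err("error reading trusted-keys-file: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trust_anchor_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!anchor_store_str(anchors, parsebuf, f->str)) {
			log_err("error in trust-anchor: \"%s\"", f->str);
			goto fail;
		}
	}
	if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
		struct trust_anchor* dlva;
		nm = anchors_fname_in_chroot(cfg, cfg->dlv_anchor_file);
		/* onlyone: the DLV file may hold keys for one name only */
		if(!(dlva = anchor_read_file(anchors, parsebuf,
			nm, 1))) {
			log_err("error reading dlv-anchor-file: %s",
				cfg->dlv_anchor_file);
			goto fail;
		}
		lock_basic_lock(&anchors->lock);
		anchors->dlv_anchor = dlva;
		lock_basic_unlock(&anchors->lock);
	}
	for(f = cfg->dlv_anchor_list; f; f = f->next) {
		struct trust_anchor* dlva;
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!(dlva = anchor_store_str(
			anchors, parsebuf, f->str))) {
			log_err("error in dlv-anchor: \"%s\"", f->str);
			goto fail;
		}
		lock_basic_lock(&anchors->lock);
		anchors->dlv_anchor = dlva;
		lock_basic_unlock(&anchors->lock);
	}
	/* do autr last, so that it sees what anchors are filled by other
	 * means and can print errors about double config for the name */
	for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_fname_in_chroot(cfg, f->str);
		if(!autr_read_file(anchors, nm)) {
			log_err("error reading auto-trust-anchor-file: %s",
				f->str);
			goto fail;
		}
	}
	/* first assemble, since it may delete useless anchors; it fails
	 * only on out of memory, which must not be reported as success */
	if(!anchors_assemble_rrsets(anchors)) {
		log_err("error assembling trust anchor rrsets");
		goto fail;
	}
	init_parents(anchors);
	sldns_buffer_free(parsebuf);
	if(verbosity >= VERB_ALGO) autr_debug_print(anchors);
	return 1;
fail:
	sldns_buffer_free(parsebuf);
	return 0;
}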
/**
 * Find the trust anchor (or insecure point) that governs a query name:
 * the entry with exactly this name and class if there is one, otherwise
 * the closest enclosing entry of the same class.
 * The returned anchor is locked (ta->lock); the caller must unlock it.
 * Lock order is anchors->lock, then ta->lock.
 * @param anchors: anchor store.
 * @param qname: query name, uncompressed wireformat.
 * @param qname_len: length of qname in bytes.
 * @param qclass: query class.
 * @return locked anchor, or NULL when no anchor covers the name.
 */
struct trust_anchor*
anchors_lookup(struct val_anchors* anchors,
	uint8_t* qname, size_t qname_len, uint16_t qclass)
{
	struct trust_anchor probe;
	struct trust_anchor* found;
	rbnode_t* node = NULL;
	int exact;

	probe.node.key = &probe;
	probe.name = qname;
	probe.namelabs = dname_count_labels(qname);
	probe.namelen = qname_len;
	probe.dclass = qclass;

	lock_basic_lock(&anchors->lock);
	exact = rbtree_find_less_equal(anchors->tree, &probe, &node);
	found = (struct trust_anchor*)node;
	if(!exact) {
		/* node is the largest entry sorting before qname, or NULL */
		int shared;
		if(!found || found->dclass != qclass) {
			lock_basic_unlock(&anchors->lock);
			return NULL;
		}
		/* climb to the first ancestor whose name is a suffix of
		 * qname: it may have no more labels than it shares with
		 * qname */
		(void)dname_lab_cmp(found->name, found->namelabs,
			probe.name, probe.namelabs, &shared);
		while(found && found->namelabs > shared)
			found = found->parent;
	}
	if(found)
		lock_basic_lock(&found->lock);
	lock_basic_unlock(&anchors->lock);
	return found;
}

/**
 * Estimate the memory used by the anchor store.
 * Counts the store itself plus each anchor struct and its name; the key
 * lists, rrsets and autotrust data hanging off an anchor are not counted,
 * so this is a lower bound.  The tree is walked without taking
 * anchors->lock.
 * @param anchors: anchor store, may be NULL.
 * @return byte count, 0 for a NULL store.
 */
size_t
anchors_get_mem(struct val_anchors* anchors)
{
	struct trust_anchor* ta;
	size_t total;
	if(!anchors)
		return 0;
	total = sizeof(*anchors);
	RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) {
		/* TODO keys, rrsets and autr state are not included */
		total += sizeof(*ta) + ta->namelen;
	}
	return total;
}

/**
 * Add a domain-insecure point: an anchor without any keys, below which
 * validation is switched off.
 * If an entry for exactly this name and class already exists, nothing is
 * changed and 1 is returned; in particular an existing real trust anchor
 * is never downgraded to an insecure point by this call.
 * @param anchors: anchor store.
 * @param c: class.
 * @param nm: name in uncompressed wireformat.
 * @return 1 on success or when already present, 0 on out of memory.
 */
int
anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm)
{
	struct trust_anchor probe;
	int ok = 1;
	probe.node.key = &probe;
	probe.name = nm;
	probe.namelabs = dname_count_size_labels(nm, &probe.namelen);
	probe.dclass = c;
	lock_basic_lock(&anchors->lock);
	if(!rbtree_search(anchors->tree, &probe)) {
		/* a keyless anchor is the representation of an insecure
		 * point; nothing else is stored in it */
		if(anchor_new_ta(anchors, nm, probe.namelabs, probe.namelen,
			c, 0)) {
			anchors_init_parents_locked(anchors);
		} else {
			log_err("out of memory");
			ok = 0;
		}
	}
	lock_basic_unlock(&anchors->lock);
	return ok;
}

/**
 * Remove a domain-insecure point added with anchors_add_insecure().
 * A real trust anchor at that name (one with a key list, DS or DNSKEY
 * records, or autotrust state) is left untouched, as is a name with no
 * entry.  Lock order is anchors->lock, then ta->lock.
 * @param anchors: anchor store.
 * @param c: class.
 * @param nm: name in uncompressed wireformat.
 */
void
anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
	uint8_t* nm)
{
	struct trust_anchor probe;
	struct trust_anchor* found;
	probe.node.key = &probe;
	probe.name = nm;
	probe.namelabs = dname_count_size_labels(nm, &probe.namelen);
	probe.dclass = c;
	lock_basic_lock(&anchors->lock);
	found = (struct trust_anchor*)rbtree_search(anchors->tree, &probe);
	if(!found) {
		lock_basic_unlock(&anchors->lock);
		return;
	}
	/* take the anchor's own lock so nobody is using it while we decide
	 * whether it goes */
	lock_basic_lock(&found->lock);
	if(found->keylist || found->autr || found->numDS || found->numDNSKEY) {
		/* a real anchor, not an insecure point: leave it alone */
		lock_basic_unlock(&anchors->lock);
		lock_basic_unlock(&found->lock);
		return;
	}
	(void)rbtree_delete(anchors->tree, &found->node);
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);
	/* unlinked under anchors->lock, so no new lookup can reach it;
	 * now release and free */
	lock_basic_unlock(&found->lock);
	anchors_delfunc(&found->node, NULL);
}