1b7579f77SDag-Erling Smørgrav /* 2b7579f77SDag-Erling Smørgrav * validator/val_anchor.c - validator trust anchor storage. 3b7579f77SDag-Erling Smørgrav * 4b7579f77SDag-Erling Smørgrav * Copyright (c) 2007, NLnet Labs. All rights reserved. 5b7579f77SDag-Erling Smørgrav * 6b7579f77SDag-Erling Smørgrav * This software is open source. 7b7579f77SDag-Erling Smørgrav * 8b7579f77SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without 9b7579f77SDag-Erling Smørgrav * modification, are permitted provided that the following conditions 10b7579f77SDag-Erling Smørgrav * are met: 11b7579f77SDag-Erling Smørgrav * 12b7579f77SDag-Erling Smørgrav * Redistributions of source code must retain the above copyright notice, 13b7579f77SDag-Erling Smørgrav * this list of conditions and the following disclaimer. 14b7579f77SDag-Erling Smørgrav * 15b7579f77SDag-Erling Smørgrav * Redistributions in binary form must reproduce the above copyright notice, 16b7579f77SDag-Erling Smørgrav * this list of conditions and the following disclaimer in the documentation 17b7579f77SDag-Erling Smørgrav * and/or other materials provided with the distribution. 18b7579f77SDag-Erling Smørgrav * 19b7579f77SDag-Erling Smørgrav * Neither the name of the NLNET LABS nor the names of its contributors may 20b7579f77SDag-Erling Smørgrav * be used to endorse or promote products derived from this software without 21b7579f77SDag-Erling Smørgrav * specific prior written permission. 22b7579f77SDag-Erling Smørgrav * 23b7579f77SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24b7579f77SDag-Erling Smørgrav * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25b7579f77SDag-Erling Smørgrav * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26b7579f77SDag-Erling Smørgrav * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 27b7579f77SDag-Erling Smørgrav * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28b7579f77SDag-Erling Smørgrav * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29b7579f77SDag-Erling Smørgrav * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 30b7579f77SDag-Erling Smørgrav * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 31b7579f77SDag-Erling Smørgrav * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32b7579f77SDag-Erling Smørgrav * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33b7579f77SDag-Erling Smørgrav * POSSIBILITY OF SUCH DAMAGE. 34b7579f77SDag-Erling Smørgrav */ 35b7579f77SDag-Erling Smørgrav 36b7579f77SDag-Erling Smørgrav /** 37b7579f77SDag-Erling Smørgrav * \file 38b7579f77SDag-Erling Smørgrav * 39b7579f77SDag-Erling Smørgrav * This file contains storage for the trust anchors for the validator. 
*/
#include "config.h"
#include <ctype.h>
#include <ldns/dname.h>
#include <ldns/host2wire.h>
#include "validator/val_anchor.h"
#include "validator/val_sigcrypt.h"
#include "validator/autotrust.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/config_file.h"
#ifdef HAVE_GLOB_H
#include <glob.h>
#endif

/**
 * rbtree comparison function for trust anchors.
 * Orders by class first and then by dname_lab_cmp() on the owner name,
 * so that a parent zone sorts before its children (the parent-pointer
 * setup in anchors_init_parents_locked() relies on this).
 * @param k1: struct trust_anchor* passed as void*.
 * @param k2: struct trust_anchor* passed as void*.
 * @return negative, zero or positive like strcmp().
 */
int
anchor_cmp(const void* k1, const void* k2)
{
	int m;
	/* const is cast away for the struct pointers, but neither anchor
	 * is written to here. */
	struct trust_anchor* n1 = (struct trust_anchor*)k1;
	struct trust_anchor* n2 = (struct trust_anchor*)k2;
	/* no need to ntohs(class) because sort order is irrelevant */
	if(n1->dclass != n2->dclass) {
		if(n1->dclass < n2->dclass)
			return -1;
		return 1;
	}
	/* m receives the number of matching labels; unused by the sort */
	return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs,
		&m);
}

/**
 * Create trust anchor storage: an empty rbtree keyed by anchor_cmp(),
 * the autotrust global state and the main lock.
 * @return the new storage, or NULL when an allocation fails.
 *	On failure everything allocated so far is released again via
 *	anchors_delete(); the caller owns the result and frees it with
 *	anchors_delete().
 */
struct val_anchors*
anchors_create(void)
{
	struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a));
	if(!a)
		return NULL;
	a->tree = rbtree_create(anchor_cmp);
	if(!a->tree) {
		/* NOTE(review): anchors_delete() runs lock_unprotect()
		 * and lock_basic_destroy() on a->lock before
		 * lock_basic_init() below has been called; whether that
		 * is harmless depends on the lock implementation - confirm
		 * against util/locks.h. */
		anchors_delete(a);
		return NULL;
	}
	a->autr = autr_global_create();
	if(!a->autr) {
		/* same early-destroy caveat as above */
		anchors_delete(a);
		return NULL;
	}
	lock_basic_init(&a->lock);
	/* register the memory regions guarded by the main lock (checked
	 * lock instrumentation; no-op in normal builds presumably) */
	lock_protect(&a->lock, a, sizeof(*a));
	lock_protect(&a->lock, a->autr, sizeof(*a->autr));
	return a;
}

/**
 * Delete an assembled rrset (the ds_rrset / dnskey_rrset of an anchor).
 * Frees the packed rrset data arrays, the data struct, the owner name
 * and the key itself. NULL is accepted and ignored.
 * @param pkey: the rrset key to free, or NULL.
 */
static void
assembled_rrset_delete(struct ub_packed_rrset_key* pkey)
{
	if(!pkey) return;
	if(pkey->entry.data) {
		struct packed_rrset_data* pd = (struct packed_rrset_data*)
			pkey->entry.data;
		free(pd->rr_data);
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
}

/**
 * rbtree traversal callback: destroy the lock of one anchor and free it.
 * Autotrust anchors are handed to autr_point_delete(); plain anchors
 * have their lock, name, key list and assembled rrsets freed here.
 * @param elem: the rbnode_t of the trust anchor (node is first member).
 * @param arg: unused.
 */
static void
anchors_delfunc(rbnode_t* elem, void* ATTR_UNUSED(arg))
{
	struct trust_anchor* ta = (struct trust_anchor*)elem;
	if(!ta) return;
	if(ta->autr) {
		autr_point_delete(ta);
	} else {
		struct ta_key* p, *np;
		lock_basic_destroy(&ta->lock);
		free(ta->name);
		/* walk the singly linked key list, saving next before
		 * freeing the current element */
		p = ta->keylist;
		while(p) {
			np = p->next;
			free(p->data);
			free(p);
			p = np;
		}
		assembled_rrset_delete(ta->ds_rrset);
		assembled_rrset_delete(ta->dnskey_rrset);
		free(ta);
	}
}

/**
 * Delete trust anchor storage and every anchor in it.
 * @param anchors: storage to delete; NULL is accepted and ignored.
 */
void
anchors_delete(struct val_anchors* anchors)
{
	if(!anchors)
		return;
	lock_unprotect(&anchors->lock, anchors->autr);
	lock_unprotect(&anchors->lock, anchors);
	lock_basic_destroy(&anchors->lock);
	/* postorder so that nodes are freed after their subtrees */
	if(anchors->tree)
		traverse_postorder(anchors->tree, anchors_delfunc, NULL);
	free(anchors->tree);
	autr_global_delete(anchors->autr);
	free(anchors);
}

/**
 * Set the parent pointer of every anchor to its closest enclosing anchor
 * of the same class, using the sorted rbtree order (parents sort before
 * their children, see anchor_cmp()).
 * The caller must hold anchors->lock; each anchor's own lock is taken
 * briefly while its parent field is written.
 * @param anchors: anchor storage, locked by the caller.
 */
void
anchors_init_parents_locked(struct val_anchors* anchors)
{
	struct trust_anchor* node, *prev = NULL, *p;
	int m;
	/* nobody else can grab locks because we hold the main lock.
	 * Thus the previous items, after unlocked, are not deleted */
	RBTREE_FOR(node, struct trust_anchor*, anchors->tree) {
		lock_basic_lock(&node->lock);
		node->parent = NULL;
		/* first node, or first node of a new class: no parent */
		if(!prev || prev->dclass != node->dclass) {
			prev = node;
			lock_basic_unlock(&node->lock);
			continue;
		}
		/* m = number of labels prev and node have in common */
		(void)dname_lab_cmp(prev->name, prev->namelabs, node->name,
			node->namelabs, &m); /* we know prev is smaller */
		/* sort order like: . com. bla.com. zwb.com. net. */
		/* find the previous, or parent-parent-parent */
		for(p = prev; p; p = p->parent)
			/* looking for name with few labels, a parent */
			if(p->namelabs <= m) {
				/* ==: since prev matched m, this is closest*/
				/* <: prev matches more, but is not a parent,
				 * this one is a (grand)parent */
				node->parent = p;
				break;
			}
		lock_basic_unlock(&node->lock);
		prev = node;
	}
}

/**
 * Initialise parent pointers in the tree, taking the main lock around
 * anchors_init_parents_locked().
 * @param anchors: anchor storage.
 */
static void
init_parents(struct val_anchors* anchors)
{
	lock_basic_lock(&anchors->lock);
	anchors_init_parents_locked(anchors);
	lock_basic_unlock(&anchors->lock);
}

/**
 * Find a trust anchor by exact name and class.
 * On success the returned anchor's lock is HELD; the caller must
 * lock_basic_unlock(&ta->lock) when done. The main lock is only held
 * during the search.
 * @param anchors: anchor storage.
 * @param name: owner name in wireformat; NULL returns NULL.
 * @param namelabs: label count of name.
 * @param namelen: length of name in bytes.
 * @param dclass: class, in the same byte order the stored anchors use.
 * @return the locked anchor, or NULL if not found.
 */
struct trust_anchor*
anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass)
{
	struct trust_anchor key;
	rbnode_t* n;
	if(!name) return NULL;
	/* stack key: only the fields anchor_cmp() reads are filled in */
	key.node.key = &key;
	key.name = name;
	key.namelabs = namelabs;
	key.namelen = namelen;
	key.dclass = dclass;
	lock_basic_lock(&anchors->lock);
	n = rbtree_search(anchors->tree, &key);
	if(n) {
		/* take the anchor lock while still holding the main lock,
		 * so the anchor cannot disappear in between */
		lock_basic_lock(&((struct trust_anchor*)n->key)->lock);
	}
	lock_basic_unlock(&anchors->lock);
	if(!n)
		return NULL;
	return (struct trust_anchor*)n->key;
}

/**
 * Create a new trust anchor object and insert it into the tree.
 * The anchor's own lock is initialised but NOT held on return.
 * @param anchors: anchor storage.
 * @param name: owner name in wireformat, copied.
 * @param namelabs: label count of name.
 * @param namelen: length of name in bytes.
 * @param dclass: class.
 * @param lockit: if nonzero, the main lock is taken around the tree
 *	insert; pass 0 only when the caller already holds it.
 * @return the new anchor, or NULL on allocation failure.
 */
static struct trust_anchor*
anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs,
	size_t namelen, uint16_t dclass, int lockit)
{
#ifdef UNBOUND_DEBUG
	rbnode_t* r;
#endif
	struct trust_anchor* ta = (struct trust_anchor*)malloc(
		sizeof(struct trust_anchor));
	if(!ta)
		return NULL;
	memset(ta, 0, sizeof(*ta));
	ta->node.key = ta;
	ta->name = memdup(name, namelen);
	if(!ta->name) {
		free(ta);
		return NULL;
	}
	ta->namelabs = namelabs;
	ta->namelen = namelen;
	ta->dclass = dclass;
	lock_basic_init(&ta->lock);
	if(lockit) {
		lock_basic_lock(&anchors->lock);
	}
#ifdef UNBOUND_DEBUG
	r =
#endif
	rbtree_insert(anchors->tree, &ta->node);
	if(lockit) {
		lock_basic_unlock(&anchors->lock);
	}
	/* r is only declared under UNBOUND_DEBUG; this relies on
	 * log_assert() expanding to nothing in non-debug builds - presumably,
	 * confirm in util/log.h. In those builds a failed insert (duplicate
	 * key) goes unnoticed and ta is returned without being in the tree. */
	log_assert(r != NULL);
	return ta;
}

/**
 * Find a trust anchor key by exact data match.
 * The caller is expected to hold ta->lock (the key list is walked
 * unlocked here).
 * @param ta: the anchor whose key list is searched.
 * @param rdata: rdata to match, byte for byte.
 * @param rdata_len: length of rdata.
 * @param type: RR type the key must have.
 * @return the matching key, or NULL.
 */
static struct ta_key*
anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len,
	uint16_t type)
{
	struct ta_key* k;
	for(k = ta->keylist; k; k = k->next) {
		/* length is compared first so memcmp() never overreads */
		if(k->type == type && k->len == rdata_len &&
			memcmp(k->data, rdata, rdata_len) == 0)
			return k;
	}
	return NULL;
}

/**
 * Create a new trust anchor key holding a copy of the rdata.
 * @param rdata: rdata to copy.
 * @param rdata_len: length of rdata.
 * @param type: RR type.
 * @return the new key (next pointer NULL), or NULL on allocation failure.
 */
static struct ta_key*
anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type)
{
	struct ta_key* k = (struct ta_key*)malloc(sizeof(*k));
	if(!k)
		return NULL;
	memset(k, 0, sizeof(*k));
	k->data = memdup(rdata, rdata_len);
	if(!k->data) {
		free(k);
		return NULL;
	}
	k->len = rdata_len;
	k->type = type;
	return k;
}

/**
 * This routine adds a new RR to a trust anchor. The trust anchor may not
 * exist yet, and is created if not. The RR can be DS or DNSKEY.
 * This routine will also remove duplicates; storing them only once.
 * The anchor lock is taken (via anchor_find() or explicitly after
 * anchor_new_ta()) and released again on every return path.
 * @param anchors: anchor storage.
 * @param name: name of trust anchor (wireformat)
 * @param type: type or RR
 * @param dclass: class of RR
 * @param rdata: rdata wireformat, starting with rdlength.
 *	If NULL, nothing is stored, but an entry is created.
 * @param rdata_len: length of rdata including rdlength.
 * @return: NULL on error, else the trust anchor.
 */
static struct trust_anchor*
anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type,
	uint16_t dclass, uint8_t* rdata, size_t rdata_len)
{
	struct ta_key* k;
	struct trust_anchor* ta;
	int namelabs;
	size_t namelen;
	namelabs = dname_count_size_labels(name, &namelen);
	if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) {
		log_err("Bad type for trust anchor");
		/* 0 is the null pointer constant here, same as NULL below */
		return 0;
	}
	/* lookup or create trustanchor */
	ta = anchor_find(anchors, name, namelabs, namelen, dclass);
	if(!ta) {
		/* NOTE(review): the main lock is released between the
		 * failed anchor_find() and this insert, so a concurrent
		 * insert of the same name would make rbtree_insert() fail
		 * (see anchor_new_ta()); presumably anchors are only added
		 * single-threaded at startup - confirm. */
		ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1);
		if(!ta)
			return NULL;
		/* match the locked state anchor_find() returns in */
		lock_basic_lock(&ta->lock);
	}
	if(!rdata) {
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	/* look for duplicates */
	if(anchor_find_key(ta, rdata, rdata_len, type)) {
		lock_basic_unlock(&ta->lock);
		return ta;
	}
	k = anchor_new_ta_key(rdata, rdata_len, type);
	if(!k) {
		lock_basic_unlock(&ta->lock);
		return NULL;
	}
	/* add new key */
	if(type == LDNS_RR_TYPE_DS)
		ta->numDS++;
	else ta->numDNSKEY++;
	/* push onto the front of the key list */
	k->next = ta->keylist;
	ta->keylist = k;
	lock_basic_unlock(&ta->lock);
	return ta;
}

/**
 * Add new RR. It converts ldns RR to wire format.
 * The rdata is written into the buffer after a 2-byte rdlength prefix,
 * which is filled in once the length is known, so that the buffer holds
 * exactly the "rdlength + rdata" layout anchor_store_new_key() expects.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer, cleared and overwritten.
 * @param rr: the rr (allocated by caller).
 * @return NULL on error, else the trust anchor.
 */
static struct trust_anchor*
anchor_store_new_rr(struct val_anchors* anchors, ldns_buffer* buffer,
	ldns_rr* rr)
{
	struct trust_anchor* ta;
	ldns_rdf* owner = ldns_rr_owner(rr);
	ldns_status status;
	ldns_buffer_clear(buffer);
	ldns_buffer_skip(buffer, 2); /* skip rdatalen */
	status = ldns_rr_rdata2buffer_wire(buffer, rr);
	if(status != LDNS_STATUS_OK) {
		log_err("error converting trustanchor to wireformat: %s",
			ldns_get_errorstr_by_id(status));
		return NULL;
	}
	ldns_buffer_flip(buffer);
	/* backfill the rdlength prefix: total length minus the 2 bytes */
	ldns_buffer_write_u16_at(buffer, 0, ldns_buffer_limit(buffer) - 2);

	if(!(ta=anchor_store_new_key(anchors, ldns_rdf_data(owner),
		ldns_rr_get_type(rr), ldns_rr_get_class(rr),
		ldns_buffer_begin(buffer), ldns_buffer_limit(buffer)))) {
		return NULL;
	}
	log_nametypeclass(VERB_QUERY, "adding trusted key",
		ldns_rdf_data(owner),
		ldns_rr_get_type(rr), ldns_rr_get_class(rr));
	return ta;
}

/**
 * Insert insecure anchor: an anchor entry without any keys, created
 * as type DS in class IN (the class is fixed here).
 * @param anchors: anchor storage.
 * @param str: the domain name.
 * @return NULL on error, Else last trust anchor point
 */
static struct trust_anchor*
anchor_insert_insecure(struct val_anchors* anchors, const char* str)
{
	struct trust_anchor* ta;
	ldns_rdf* nm = ldns_dname_new_frm_str(str);
	if(!nm) {
		log_err("parse error in domain name '%s'", str);
		return NULL;
	}
	/* rdata NULL: create the entry, store no key */
	ta = anchor_store_new_key(anchors, ldns_rdf_data(nm), LDNS_RR_TYPE_DS,
		LDNS_RR_CLASS_IN, NULL, 0);
	ldns_rdf_deep_free(nm);
	return ta;
}

/**
 * Parse one RR in presentation format and store it as a trust anchor.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer, handed to anchor_store_new_rr().
 * @param str: the RR text.
 * @return NULL on error (already logged), else the trust anchor.
 */
struct trust_anchor*
anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer,
	const char* str)
{
	struct trust_anchor* ta;
	ldns_rr* rr = NULL;
	ldns_status status = ldns_rr_new_frm_str(&rr, str, 0, NULL, NULL);
	if(status != LDNS_STATUS_OK) {
		log_err("error parsing trust anchor: %s",
			ldns_get_errorstr_by_id(status));
		ldns_rr_free(rr);
		return NULL;
	}
	/* anchor_store_new_rr() also returns NULL for a wireformat
	 * conversion error or a bad RR type, which it logs itself; the
	 * message here then reads "out of memory" regardless */
	if(!(ta=anchor_store_new_rr(anchors, buffer, rr))) {
		log_err("out of memory");
		ldns_rr_free(rr);
		return NULL;
	}
	ldns_rr_free(rr);
	return ta;
}

/**
 * Read a file with trust anchors
 * Lines that are not DS or DNSKEY records are skipped silently; a
 * syntax error aborts the read.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: string.
 * @param onlyone: only one trust anchor allowed in file.
 * @return NULL on error. Else last trust-anchor point.
 *	When onlyone is 0 and the file held no anchors, the non-NULL
 *	sentinel (struct trust_anchor*)1 is returned; callers must only
 *	test it against NULL and never dereference it.
 */
static struct trust_anchor*
anchor_read_file(struct val_anchors* anchors, ldns_buffer* buffer,
	const char* fname, int onlyone)
{
	struct trust_anchor* ta = NULL, *tanew;
	uint32_t default_ttl = 3600;
	ldns_rdf* origin = NULL, *prev = NULL;
	int line_nr = 1;
	ldns_status status;
	ldns_rr* rr;
	int ok = 1;
	FILE* in = fopen(fname, "r");
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		/* 0 is the null pointer constant here, same as NULL below */
		return 0;
	}
	/* NOTE(review): feof() is only set once a read has hit end of
	 * file, so the body runs one extra time at EOF; that call is
	 * absorbed by the SYNTAX_EMPTY continue below - presumably,
	 * confirm against ldns_rr_new_frm_fp_l(). */
	while(!feof(in)) {
		rr = NULL;
		status = ldns_rr_new_frm_fp_l(&rr, in, &default_ttl, &origin,
			&prev, &line_nr);
		/* rr is not freed on these statuses, so it is assumed to
		 * be left unallocated by ldns for them - confirm */
		if(status == LDNS_STATUS_SYNTAX_EMPTY /* empty line */
			|| status == LDNS_STATUS_SYNTAX_TTL /* $TTL */
			|| status == LDNS_STATUS_SYNTAX_ORIGIN /* $ORIGIN */)
			continue;
		if(status != LDNS_STATUS_OK) {
			log_err("parse error in %s:%d : %s", fname, line_nr,
				ldns_get_errorstr_by_id(status));
			ldns_rr_free(rr);
			ok = 0;
			break;
		}
		if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS &&
			ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) {
			ldns_rr_free(rr);
			continue;
		}
		if(!(tanew=anchor_store_new_rr(anchors, buffer, rr))) {
			log_err("error at %s line %d", fname, line_nr);
			ldns_rr_free(rr);
			ok = 0;
			break;
		}
		/* the offending key has already been stored into tanew
		 * by the time this check fails; the caller is expected to
		 * discard the whole storage on a NULL return */
		if(onlyone && ta && ta != tanew) {
			log_err("error at %s line %d: no multiple anchor "
				"domains allowed (you can have multiple "
				"keys, but they must have the same name).",
				fname, line_nr);
			ldns_rr_free(rr);
			ok = 0;
			break;
		}
		ta = tanew;
		ldns_rr_free(rr);
	}
	ldns_rdf_deep_free(origin);
	ldns_rdf_deep_free(prev);
	fclose(in);
	if(!ok) return NULL;
	/* empty file is OK when multiple anchors are allowed */
	if(!onlyone && !ta) return (struct trust_anchor*)1;
	return ta;
}

/**
 * Skip file to end of line: consumes up to and including the next
 * newline, or to EOF.
 * @param in: file to read from.
 */
static void
skip_to_eol(FILE* in)
{
	int c;
	while((c = getc(in)) != EOF ) {
		if(c == '\n')
			return;
	}
}

/**
 * True for special characters in bind configs: the four characters
 * that are tokens on their own ({ } " ;).
 * @param c: character as returned by getc().
 * @return 1 if special, 0 otherwise.
 */
static int
is_bind_special(int c)
{
	switch(c) {
		case '{':
		case '}':
		case '"':
		case ';':
			return 1;
	}
	return 0;
}

/**
 * Read a keyword skipping bind comments; spaces, specials, restkeywords.
 * The file is split into the following tokens:
 * 	* special characters, on their own, rdlen=1, { } doublequote ;
 * 	* whitespace becomes a single ' ' or tab. Newlines become spaces.
 * 	* other words ('keywords')
 * 	* comments are skipped if desired
 * 		/ / C++ style comment to end of line
 * 		# to end of line
 * 		/ * C style comment * /
 * @param in: file to read from.
 * @param buf: buffer, what is read is stored after current buffer position.
 * 	Space is left in the buffer to write a terminating 0.
 * 	If fewer than 2 bytes remain the process exits via fatal_exit().
 * @param line: line number is increased per line, for error reports.
 * @param comments: if 0, comments are not possible and become text.
 * 	if 1, comments are skipped entirely.
 * 	In BIND files, this is when reading quoted strings, for example
 * 	" base 64 text with / / in there "
 * @return the number of character written to the buffer.
 * 	0 on end of file.
 */
static int
readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments)
{
	int c;
	int numdone = 0;
	/* c is EOF or an unsigned-char value here, so isspace(c) is safe */
	while((c = getc(in)) != EOF ) {
		if(comments && c == '#') {	/* # blabla */
			skip_to_eol(in);
			(*line)++;
			continue;
		} else if(comments && c=='/' && numdone>0 && /* /_/ bla*/
			ldns_buffer_read_u8_at(buf,
			ldns_buffer_position(buf)-1) == '/') {
			/* the first slash was already stored; take it back */
			ldns_buffer_skip(buf, -1);
			numdone--;
			skip_to_eol(in);
			(*line)++;
			continue;
		} else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */
			ldns_buffer_read_u8_at(buf,
			ldns_buffer_position(buf)-1) == '/') {
			ldns_buffer_skip(buf, -1);
			numdone--;
			/* skip to end of comment */
			/* NOTE(review): after a star the following character
			 * is consumed even when it is another star, so a run
			 * of stars directly before the closing slash is not
			 * recognised as the end of the comment - confirm
			 * whether real key files can contain that. */
			while(c != EOF && (c=getc(in)) != EOF ) {
				if(c == '*') {
					if((c=getc(in)) == '/')
						break;
				}
				if(c == '\n')
					(*line)++;
			}
			continue;
		}
		/* not a comment, complete the keyword */
		if(numdone > 0) {
			/* check same type */
			if(isspace(c)) {
				ungetc(c, in);
				return numdone;
			}
			if(is_bind_special(c)) {
				ungetc(c, in);
				return numdone;
			}
		}
		if(c == '\n') {
			c = ' ';
			(*line)++;
		}
		/* space for 1 char + 0 string terminator */
		if(ldns_buffer_remaining(buf) < 2) {
			fatal_exit("trusted-keys, %d, string too long", *line);
		}
		ldns_buffer_write_u8(buf, (uint8_t)c);
		numdone++;
		if(isspace(c)) {
			/* collate whitespace into ' ' */
			while((c = getc(in)) != EOF ) {
				if(c == '\n')
					(*line)++;
				if(!isspace(c)) {
					ungetc(c, in);
					break;
				}
			}
			return numdone;
		}
		if(is_bind_special(c))
			return numdone;
	}
	return numdone;
}

/**
 * Skip through file to { or ; - reads tokens, ignoring whitespace,
 * and requires the first real token to be the given special character.
 * @param in: file to read from.
 * @param buf: buffer used for the tokens; cleared on entry.
 * @param line: line number, updated by readkeyword_bindfile().
 * @param spec: the special character that is expected ('{' or ';').
 * @return 1 when spec was read, 0 on a different token or EOF (logged).
 */
static int
skip_to_special(FILE* in, ldns_buffer* buf, int* line, int spec)
{
	int rdlen;
	ldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
		/* a lone whitespace token: discard and keep reading */
		if(rdlen == 1 && isspace((int)*ldns_buffer_begin(buf))) {
			ldns_buffer_clear(buf);
			continue;
		}
		if(rdlen != 1 || *ldns_buffer_begin(buf) != (uint8_t)spec) {
			/* terminate the token so it is a usable string,
			 * although the message below does not print it */
			ldns_buffer_write_u8(buf, 0);
			log_err("trusted-keys, line %d, expected %c",
				*line, spec);
			return 0;
		}
		return 1;
	}
	log_err("trusted-keys, line %d, expected %c got EOF", *line, spec);
	return 0;
}

/**
 * read contents of trusted-keys{ ... ; clauses and insert keys into storage.
 * @param anchors: where to store keys
 * @param buf: buffer to use
 * @param line: line number in file
 * @param in: file to read from.
 * @return 0 on error.
 */
static int
process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf,
	int* line, FILE* in)
{
	/* loop over contents, collate strings before ; */
	/* contents is (numbered): 0   1  2  3 4    5  6   7 8 */
	/*                       name. 257 3 5 base64 base64 */
	/* quoted value:          0 "111" 0 0 0 0 0 0 0 */
	/* comments value:        1 "000" 1 1 1 "0 0 0 0" 1 */
	/* Each entry is rewritten in the buffer to the form
	 * "name. DNSKEY 257 3 5 base64..." before it is handed to
	 * anchor_store_str(), i.e. the quotes are stripped and the
	 * rrtype is inserted after the first content word. */
	int contnum = 0;	/* content words seen in the current entry */
	int quoted = 0;		/* owner name was given in double quotes */
	int comments = 1;	/* comment skipping, off inside quotes */
	int rdlen;
	char* str = 0;
	ldns_buffer_clear(buf);
	while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
		/* rdlen==1 guarantees at least one byte was written by
		 * this call, so current(buf)[-1] is valid below. */
		if(rdlen == 1 && ldns_buffer_position(buf) == 1
			&& isspace((int)*ldns_buffer_begin(buf))) {
			/* starting whitespace is removed */
			ldns_buffer_clear(buf);
			continue;
		} else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '"') {
			/* remove " from the string */
			if(contnum == 0) {
				/* opening quote before the name: the name
				 * itself may contain characters that would
				 * otherwise start a comment. */
				quoted = 1;
				comments = 0;
			}
			ldns_buffer_skip(buf, -1);
			if(contnum > 0 && quoted) {
				/* closing quote of a quoted name */
				if(ldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				ldns_buffer_write(buf, " DNSKEY ", 8);
				quoted = 0;
				comments = 1;
			} else if(contnum > 0)
				/* quotes around the other fields toggle
				 * comment handling, so "//" inside base64
				 * is kept as text */
				comments = !comments;
			continue;
		} else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == ';') {

			/* an entry needs at least name, flags, protocol,
			 * algorithm and one base64 word */
			if(contnum < 5) {
				ldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key", *line);
				return 0;
			}
			ldns_buffer_skip(buf, -1);
			ldns_buffer_write_u8(buf, 0);
			/* copy out, because buf is also passed to
			 * anchor_store_str() as its work buffer */
			str = strdup((char*)ldns_buffer_begin(buf));
			if(!str) {
				log_err("line %d, allocation failure", *line);
				return 0;
			}
			if(!anchor_store_str(anchors, buf, str)) {
				log_err("line %d, bad key", *line);
				free(str);
				return 0;
			}
			free(str);
			ldns_buffer_clear(buf);
			/* reset per-entry state for the next key */
			contnum = 0;
			quoted = 0;
			comments = 1;
			continue;
		} else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '}') {
			/* end of the trusted-keys block; an unterminated
			 * entry before it is an error */
			if(contnum > 0) {
				ldns_buffer_write_u8(buf, 0);
				log_err("line %d, bad key before }", *line);
				return 0;
			}
			return 1;
		} else if(rdlen == 1 &&
			isspace((int)ldns_buffer_current(buf)[-1])) {
			/* leave whitespace here */
		} else {
			/* not space or whatnot, so actual content */
			contnum ++;
			if(contnum == 1 && !quoted) {
				/* unquoted name: insert the rrtype now */
				if(ldns_buffer_remaining(buf) < 8+1) {
					log_err("line %d, too long", *line);
					return 0;
				}
				ldns_buffer_write(buf, " DNSKEY ", 8);
			}
		}
	}

	log_err("line %d, EOF before }", *line);
	return 0;
}

/**
 * Read a BIND9 like file with trust anchors in named.conf format.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param fname: string.
 * @return false on error.
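 */
static int
anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer,
	const char* fname)
{
	int line_nr = 1;
	FILE* in = fopen(fname, "r");
	int rdlen = 0;
	if(!in) {
		log_err("error opening file %s: %s", fname, strerror(errno));
		return 0;
	}
	verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
	/* scan for trusted-keys keyword, ignore everything else */
	ldns_buffer_clear(buffer);
	while((rdlen=readkeyword_bindfile(in, buffer, &line_nr, 1)) != 0) {
		if(rdlen != 12 || strncmp((char*)ldns_buffer_begin(buffer),
			"trusted-keys", 12) != 0) {
			ldns_buffer_clear(buffer);
			/* ignore everything but trusted-keys */
			continue;
		}
		/* trusted-keys { <entries> } ; */
		if(!skip_to_special(in, buffer, &line_nr, '{'))
			goto fail;
		/* process contents */
		if(!process_bind_contents(anchors, buffer, &line_nr, in))
			goto fail;
		if(!skip_to_special(in, buffer, &line_nr, ';'))
			goto fail;
		ldns_buffer_clear(buffer);
	}
	fclose(in);
	return 1;
fail:
	/* the callee already logged the line-level detail */
	log_err("error in trusted key: \"%s\"", fname);
	fclose(in);
	return 0;
}

/**
 * Read a BIND9 like files with trust anchors in named.conf format.
 * Performs wildcard processing of name.
 * A pattern that expands to no files, or whose expansion fails, is
 * logged and otherwise ignored (the function still returns true), so a
 * missing file does not stop the server; a file that exists but fails to
 * parse is an error.
 * @param anchors: anchor storage.
 * @param buffer: parsing buffer.
 * @param pat: pattern string. (can be wildcarded)
 * @return false on error.
 */
static int
anchor_read_bind_file_wild(struct val_anchors* anchors, ldns_buffer* buffer,
	const char* pat)
{
#ifdef HAVE_GLOB
	glob_t g;
	size_t i;
	int r, flags;
	/* no glob metacharacters: read it as a plain filename */
	if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') &&
		!strchr(pat, '{') && !strchr(pat, '~')) {
		return anchor_read_bind_file(anchors, buffer, pat);
	}
	verbose(VERB_QUERY, "wildcard found, processing %s", pat);
	flags = 0
#ifdef GLOB_ERR
		| GLOB_ERR
#endif
#ifdef GLOB_NOSORT
		| GLOB_NOSORT
#endif
#ifdef GLOB_BRACE
		| GLOB_BRACE
#endif
#ifdef GLOB_TILDE
		| GLOB_TILDE
#endif
	;
	memset(&g, 0, sizeof(g));
	r = glob(pat, flags, NULL, &g);
	if(r) {
		/* some error */
		if(r == GLOB_NOMATCH) {
			verbose(VERB_QUERY, "trusted-keys-file: "
				"no matches for %s", pat);
			return 1;
		} else if(r == GLOB_NOSPACE) {
			log_err("wildcard trusted-keys-file %s: "
				"pattern out of memory", pat);
		} else if(r == GLOB_ABORTED) {
			log_err("wildcard trusted-keys-file %s: expansion "
				"aborted (%s)", pat, strerror(errno));
		} else {
			log_err("wildcard trusted-keys-file %s: expansion "
				"failed (%s)", pat, strerror(errno));
		}
		/* glob() may leave partial results in g on failure; g was
		 * zeroed above so globfree() is safe whether or not it did */
		globfree(&g);
		/* ignore globs that yield no files */
		return 1;
	}
	/* process files found, if any */
	for(i=0; i<(size_t)g.gl_pathc; i++) {
		if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) {
			log_err("error reading wildcard "
				"trusted-keys-file: %s", g.gl_pathv[i]);
			globfree(&g);
			return 0;
		}
	}
	globfree(&g);
	return 1;
#else /* not HAVE_GLOB */
	return anchor_read_bind_file(anchors, buffer, pat);
#endif /* HAVE_GLOB */
}

/**
 * Assemble an rrset structure for the type
 * The rdata is not copied: rr_data[] points at the ta_key data owned by
 * the trust anchor's key list, so the rrset must not outlive the anchor.
 * @param ta: trust anchor.
 * @param num: number of items to fetch from list; must match the number
 *	of keys of this type in ta->keylist (extra keys are not stored).
 * @param type: fetch only items of this type.
 * @return rrset or NULL on error (out of memory).
 */
static struct ub_packed_rrset_key*
assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
{
	/* calloc: zeroed, so every pointer freed on the fail path is
	 * either a live allocation or NULL */
	struct ub_packed_rrset_key* pkey = calloc(1, sizeof(*pkey));
	struct packed_rrset_data* pd = NULL;
	struct ta_key* tk;
	size_t i;
	if(!pkey)
		return NULL;
	pkey->rk.dname = memdup(ta->name, ta->namelen);
	if(!pkey->rk.dname)
		goto fail;
	pkey->rk.dname_len = ta->namelen;
	pkey->rk.type = htons(type);
	pkey->rk.rrset_class = htons(ta->dclass);
	/* The rrset is build in an uncompressed way. This means it
	 * cannot be copied in the normal way. */
	pd = calloc(1, sizeof(*pd));
	if(!pd)
		goto fail;
	pd->count = num;
	pd->trust = rrset_trust_ultimate;
	/* calloc checks num*size for overflow and leaves any slot the key
	 * list does not fill zeroed instead of uninitialised */
	pd->rr_len = calloc(num, sizeof(*pd->rr_len));
	pd->rr_ttl = calloc(num, sizeof(*pd->rr_ttl));
	pd->rr_data = calloc(num, sizeof(*pd->rr_data));
	if(!pd->rr_len || !pd->rr_ttl || !pd->rr_data)
		goto fail;
	/* fill in rrs */
	i=0;
	for(tk = ta->keylist; tk; tk = tk->next) {
		if(tk->type != type)
			continue;
		/* never write past the arrays if the list holds more keys
		 * of this type than the caller counted */
		if(i >= num)
			break;
		pd->rr_len[i] = tk->len;
		/* reuse data ptr to allocation in talist */
		pd->rr_data[i] = tk->data;
		pd->rr_ttl[i] = 0;
		i++;
	}
	pkey->entry.data = (void*)pd;
	return pkey;
fail:
	if(pd) {
		free(pd->rr_data);
		free(pd->rr_ttl);
		free(pd->rr_len);
		free(pd);
	}
	free(pkey->rk.dname);
	free(pkey);
	return NULL;
}

/**
 * Assemble structures for the trust DS and DNSKEY rrsets.
 * An rrset is only built for a type the anchor actually has keys of.
 * @param ta: trust anchor
 * @return: false on error (out of memory); an rrset built before the
 *	failure is left attached to ta.
 */
static int
anchors_assemble(struct trust_anchor* ta)
{
	if(ta->numDS > 0) {
		ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS);
		if(!ta->ds_rrset)
			return 0;
	}
	if(ta->numDNSKEY > 0) {
		ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY,
			LDNS_RR_TYPE_DNSKEY);
		if(!ta->dnskey_rrset)
			return 0;
	}
	return 1;
}

/**
 * Check DS algos for support, warn if not.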
 * Only counts; the caller decides whether to warn or drop the anchor.
 * @param ta: trust anchor
 * @return number of DS anchors with unsupported algorithms.
 */
static size_t
anchors_ds_unsupported(struct trust_anchor* ta)
{
	size_t idx;
	size_t unsupported = 0;
	for(idx = 0; idx < ta->numDS; idx++) {
		/* a DS is usable only if both its digest type and the
		 * key algorithm it refers to are supported */
		if(!(ds_digest_algo_is_supported(ta->ds_rrset, idx) &&
			ds_key_algo_is_supported(ta->ds_rrset, idx)))
			unsupported++;
	}
	return unsupported;
}

/**
 * Check DNSKEY algos for support.
 * Only counts; the caller decides whether to warn or drop the anchor.
 * @param ta: trust anchor
 * @return number of DNSKEY anchors with unsupported algorithms.
 */
static size_t
anchors_dnskey_unsupported(struct trust_anchor* ta)
{
	size_t idx;
	size_t unsupported = 0;
	for(idx = 0; idx < ta->numDNSKEY; idx++) {
		if(dnskey_algo_is_supported(ta->dnskey_rrset, idx))
			continue;
		unsupported++;
	}
	return unsupported;
}

/**
 * Assemble the rrsets in the anchors, ready for use by validator.
 * @param anchors: trust anchor storage.
 * @return: false on error.
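 */
static int
anchors_assemble_rrsets(struct val_anchors* anchors)
{
	struct trust_anchor* ta;
	struct trust_anchor* next;
	size_t nods, nokey;
	/* anchors->lock is held for the whole walk; each ta->lock is
	 * taken inside it, in that order */
	lock_basic_lock(&anchors->lock);
	ta=(struct trust_anchor*)rbtree_first(anchors->tree);
	while((rbnode_t*)ta != RBTREE_NULL) {
		/* fetch the successor first: ta may be deleted below */
		next = (struct trust_anchor*)rbtree_next(&ta->node);
		lock_basic_lock(&ta->lock);
		if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) {
			lock_basic_unlock(&ta->lock);
			ta = next; /* skip */
			continue;
		}
		if(!anchors_assemble(ta)) {
			log_err("out of memory");
			lock_basic_unlock(&ta->lock);
			lock_basic_unlock(&anchors->lock);
			return 0;
		}
		nods = anchors_ds_unsupported(ta);
		nokey = anchors_dnskey_unsupported(ta);
		if(nods) {
			log_nametypeclass(0, "warning: unsupported "
				"algorithm for trust anchor",
				ta->name, LDNS_RR_TYPE_DS, ta->dclass);
		}
		if(nokey) {
			log_nametypeclass(0, "warning: unsupported "
				"algorithm for trust anchor",
				ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
		}
		if(nods == ta->numDS && nokey == ta->numDNSKEY) {
			/* nothing in this anchor can be verified; remove it
			 * from the tree so anchors_lookup() will not find it */
			char b[257];
			dname_str(ta->name, b);
			log_warn("trust anchor %s has no supported algorithms,"
				" the anchor is ignored (check if you need to"
				" upgrade unbound and openssl)", b);
			(void)rbtree_delete(anchors->tree, &ta->node);
			lock_basic_unlock(&ta->lock);
			anchors_delfunc(&ta->node, NULL);
			ta = next;
			continue;
		}
		lock_basic_unlock(&ta->lock);
		ta = next;
	}
	lock_basic_unlock(&anchors->lock);
	return 1;
}

/**
 * Strip the chroot directory prefix from a configured path, so the file
 * can be opened from inside the chroot.
 * @param cfg: config, cfg->chrootdir may be NULL or "".
 * @param nm: configured path.
 * @return nm, or nm advanced past the chrootdir prefix when it has one.
 */
static char*
anchors_strip_chroot(struct config_file* cfg, char* nm)
{
	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
		nm += strlen(cfg->chrootdir);
	return nm;
}

/**
 * Apply the trust anchor related config: domain-insecure, the anchor
 * files and inline anchors, DLV anchors, then the automatically
 * maintained (autr) anchors, and finally assemble the rrsets.
 * Empty strings in any of the lists are skipped.
 * @param anchors: anchor storage.
 * @param cfg: config, lists of files and anchor strings.
 * @return false on error; the error is logged with the offending item.
 */
int
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
{
	struct config_strlist* f;
	char* nm;
	ldns_buffer* parsebuf = ldns_buffer_new(65535);
	if(!parsebuf) {
		log_err("out of memory");
		return 0;
	}
	for(f = cfg->domain_insecure; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!anchor_insert_insecure(anchors, f->str)) {
			log_err("error in domain-insecure: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trust_anchor_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_strip_chroot(cfg, f->str);
		if(!anchor_read_file(anchors, parsebuf, nm, 0)) {
			log_err("error reading trust-anchor-file: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trusted_keys_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_strip_chroot(cfg, f->str);
		if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) {
			log_err("error reading trusted-keys-file: %s", f->str);
			goto fail;
		}
	}
	for(f = cfg->trust_anchor_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!anchor_store_str(anchors, parsebuf, f->str)) {
			log_err("error in trust-anchor: \"%s\"", f->str);
			goto fail;
		}
	}
	if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
		struct trust_anchor* dlva;
		nm = anchors_strip_chroot(cfg, cfg->dlv_anchor_file);
		if(!(dlva = anchor_read_file(anchors, parsebuf,
			nm, 1))) {
			log_err("error reading dlv-anchor-file: %s",
				cfg->dlv_anchor_file);
			goto fail;
		}
		lock_basic_lock(&anchors->lock);
		anchors->dlv_anchor = dlva;
		lock_basic_unlock(&anchors->lock);
	}
	for(f = cfg->dlv_anchor_list; f; f = f->next) {
		struct trust_anchor* dlva;
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		if(!(dlva = anchor_store_str(
			anchors, parsebuf, f->str))) {
			log_err("error in dlv-anchor: \"%s\"", f->str);
			goto fail;
		}
		/* the last configured DLV anchor wins */
		lock_basic_lock(&anchors->lock);
		anchors->dlv_anchor = dlva;
		lock_basic_unlock(&anchors->lock);
	}
	/* do autr last, so that it sees what anchors are filled by other
	 * means and can print errors about double config for the name */
	for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {
		if(!f->str || f->str[0] == 0) /* empty "" */
			continue;
		nm = anchors_strip_chroot(cfg, f->str);
		if(!autr_read_file(anchors, nm)) {
			log_err("error reading auto-trust-anchor-file: %s",
				f->str);
			goto fail;
		}
	}
	/* first assemble, since it may delete useless anchors */
	if(!anchors_assemble_rrsets(anchors)) {
		/* out of memory was already logged; an anchor without its
		 * rrsets must not be handed to the validator */
		goto fail;
	}
	init_parents(anchors);
	ldns_buffer_free(parsebuf);
	if(verbosity >= VERB_ALGO) autr_debug_print(anchors);
	return 1;
fail:
	ldns_buffer_free(parsebuf);
	return 0;
}

struct trust_anchor*
anchors_lookup(struct val_anchors* anchors,
	uint8_t* qname, size_t qname_len, uint16_t qclass)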
Smørgrav { 1157b7579f77SDag-Erling Smørgrav struct trust_anchor key; 1158b7579f77SDag-Erling Smørgrav struct trust_anchor* result; 1159b7579f77SDag-Erling Smørgrav rbnode_t* res = NULL; 1160b7579f77SDag-Erling Smørgrav key.node.key = &key; 1161b7579f77SDag-Erling Smørgrav key.name = qname; 1162b7579f77SDag-Erling Smørgrav key.namelabs = dname_count_labels(qname); 1163b7579f77SDag-Erling Smørgrav key.namelen = qname_len; 1164b7579f77SDag-Erling Smørgrav key.dclass = qclass; 1165b7579f77SDag-Erling Smørgrav lock_basic_lock(&anchors->lock); 1166b7579f77SDag-Erling Smørgrav if(rbtree_find_less_equal(anchors->tree, &key, &res)) { 1167b7579f77SDag-Erling Smørgrav /* exact */ 1168b7579f77SDag-Erling Smørgrav result = (struct trust_anchor*)res; 1169b7579f77SDag-Erling Smørgrav } else { 1170b7579f77SDag-Erling Smørgrav /* smaller element (or no element) */ 1171b7579f77SDag-Erling Smørgrav int m; 1172b7579f77SDag-Erling Smørgrav result = (struct trust_anchor*)res; 1173b7579f77SDag-Erling Smørgrav if(!result || result->dclass != qclass) { 1174b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1175b7579f77SDag-Erling Smørgrav return NULL; 1176b7579f77SDag-Erling Smørgrav } 1177b7579f77SDag-Erling Smørgrav /* count number of labels matched */ 1178b7579f77SDag-Erling Smørgrav (void)dname_lab_cmp(result->name, result->namelabs, key.name, 1179b7579f77SDag-Erling Smørgrav key.namelabs, &m); 1180b7579f77SDag-Erling Smørgrav while(result) { /* go up until qname is subdomain of stub */ 1181b7579f77SDag-Erling Smørgrav if(result->namelabs <= m) 1182b7579f77SDag-Erling Smørgrav break; 1183b7579f77SDag-Erling Smørgrav result = result->parent; 1184b7579f77SDag-Erling Smørgrav } 1185b7579f77SDag-Erling Smørgrav } 1186b7579f77SDag-Erling Smørgrav if(result) { 1187b7579f77SDag-Erling Smørgrav lock_basic_lock(&result->lock); 1188b7579f77SDag-Erling Smørgrav } 1189b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1190b7579f77SDag-Erling Smørgrav return result; 
1191b7579f77SDag-Erling Smørgrav } 1192b7579f77SDag-Erling Smørgrav 1193b7579f77SDag-Erling Smørgrav size_t 1194b7579f77SDag-Erling Smørgrav anchors_get_mem(struct val_anchors* anchors) 1195b7579f77SDag-Erling Smørgrav { 1196b7579f77SDag-Erling Smørgrav struct trust_anchor *ta; 1197b7579f77SDag-Erling Smørgrav size_t s = sizeof(*anchors); 1198b7579f77SDag-Erling Smørgrav RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) { 1199b7579f77SDag-Erling Smørgrav s += sizeof(*ta) + ta->namelen; 1200b7579f77SDag-Erling Smørgrav /* keys and so on */ 1201b7579f77SDag-Erling Smørgrav } 1202b7579f77SDag-Erling Smørgrav return s; 1203b7579f77SDag-Erling Smørgrav } 1204b7579f77SDag-Erling Smørgrav 1205b7579f77SDag-Erling Smørgrav int 1206b7579f77SDag-Erling Smørgrav anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm) 1207b7579f77SDag-Erling Smørgrav { 1208b7579f77SDag-Erling Smørgrav struct trust_anchor key; 1209b7579f77SDag-Erling Smørgrav key.node.key = &key; 1210b7579f77SDag-Erling Smørgrav key.name = nm; 1211b7579f77SDag-Erling Smørgrav key.namelabs = dname_count_size_labels(nm, &key.namelen); 1212b7579f77SDag-Erling Smørgrav key.dclass = c; 1213b7579f77SDag-Erling Smørgrav lock_basic_lock(&anchors->lock); 1214b7579f77SDag-Erling Smørgrav if(rbtree_search(anchors->tree, &key)) { 1215b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1216b7579f77SDag-Erling Smørgrav /* nothing to do, already an anchor or insecure point */ 1217b7579f77SDag-Erling Smørgrav return 1; 1218b7579f77SDag-Erling Smørgrav } 1219b7579f77SDag-Erling Smørgrav if(!anchor_new_ta(anchors, nm, key.namelabs, key.namelen, c, 0)) { 1220b7579f77SDag-Erling Smørgrav log_err("out of memory"); 1221b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1222b7579f77SDag-Erling Smørgrav return 0; 1223b7579f77SDag-Erling Smørgrav } 1224b7579f77SDag-Erling Smørgrav /* no other contents in new ta, because it is insecure point */ 1225b7579f77SDag-Erling Smørgrav 
anchors_init_parents_locked(anchors); 1226b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1227b7579f77SDag-Erling Smørgrav return 1; 1228b7579f77SDag-Erling Smørgrav } 1229b7579f77SDag-Erling Smørgrav 1230b7579f77SDag-Erling Smørgrav void 1231b7579f77SDag-Erling Smørgrav anchors_delete_insecure(struct val_anchors* anchors, uint16_t c, 1232b7579f77SDag-Erling Smørgrav uint8_t* nm) 1233b7579f77SDag-Erling Smørgrav { 1234b7579f77SDag-Erling Smørgrav struct trust_anchor key; 1235b7579f77SDag-Erling Smørgrav struct trust_anchor* ta; 1236b7579f77SDag-Erling Smørgrav key.node.key = &key; 1237b7579f77SDag-Erling Smørgrav key.name = nm; 1238b7579f77SDag-Erling Smørgrav key.namelabs = dname_count_size_labels(nm, &key.namelen); 1239b7579f77SDag-Erling Smørgrav key.dclass = c; 1240b7579f77SDag-Erling Smørgrav lock_basic_lock(&anchors->lock); 1241b7579f77SDag-Erling Smørgrav if(!(ta=(struct trust_anchor*)rbtree_search(anchors->tree, &key))) { 1242b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1243b7579f77SDag-Erling Smørgrav /* nothing there */ 1244b7579f77SDag-Erling Smørgrav return; 1245b7579f77SDag-Erling Smørgrav } 1246b7579f77SDag-Erling Smørgrav /* lock it to drive away other threads that use it */ 1247b7579f77SDag-Erling Smørgrav lock_basic_lock(&ta->lock); 1248b7579f77SDag-Erling Smørgrav /* see if its really an insecure point */ 1249b7579f77SDag-Erling Smørgrav if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) { 1250*8ed2b524SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1251b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1252b7579f77SDag-Erling Smørgrav /* its not an insecure point, do not remove it */ 1253b7579f77SDag-Erling Smørgrav return; 1254b7579f77SDag-Erling Smørgrav } 1255b7579f77SDag-Erling Smørgrav 1256b7579f77SDag-Erling Smørgrav /* remove from tree */ 1257b7579f77SDag-Erling Smørgrav (void)rbtree_delete(anchors->tree, &ta->node); 1258b7579f77SDag-Erling Smørgrav 
anchors_init_parents_locked(anchors); 1259b7579f77SDag-Erling Smørgrav lock_basic_unlock(&anchors->lock); 1260b7579f77SDag-Erling Smørgrav 1261b7579f77SDag-Erling Smørgrav /* actual free of data */ 1262b7579f77SDag-Erling Smørgrav lock_basic_unlock(&ta->lock); 1263b7579f77SDag-Erling Smørgrav anchors_delfunc(&ta->node, NULL); 1264b7579f77SDag-Erling Smørgrav } 1265b7579f77SDag-Erling Smørgrav 1266