a85b5759f3
These files were pulled from the 1.6.3 release tarball. This new version builds against OpenSSL version 1.1 which will be the default in the new Debian Stable which is due to be released RealSoonNow (tm).
1311 lines
34 KiB
C
1311 lines
34 KiB
C
/*
|
|
* validator/val_anchor.c - validator trust anchor storage.
|
|
*
|
|
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
|
*
|
|
* This software is open source.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
*
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
* be used to endorse or promote products derived from this software without
|
|
* specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* This file contains storage for the trust anchors for the validator.
|
|
*/
|
|
#include "config.h"
|
|
#include <ctype.h>
|
|
#include "validator/val_anchor.h"
|
|
#include "validator/val_sigcrypt.h"
|
|
#include "validator/autotrust.h"
|
|
#include "util/data/packed_rrset.h"
|
|
#include "util/data/dname.h"
|
|
#include "util/log.h"
|
|
#include "util/net_help.h"
|
|
#include "util/config_file.h"
|
|
#include "util/as112.h"
|
|
#include "sldns/sbuffer.h"
|
|
#include "sldns/rrdef.h"
|
|
#include "sldns/str2wire.h"
|
|
#ifdef HAVE_GLOB_H
|
|
#include <glob.h>
|
|
#endif
|
|
|
|
int
|
|
anchor_cmp(const void* k1, const void* k2)
|
|
{
|
|
int m;
|
|
struct trust_anchor* n1 = (struct trust_anchor*)k1;
|
|
struct trust_anchor* n2 = (struct trust_anchor*)k2;
|
|
/* no need to ntohs(class) because sort order is irrelevant */
|
|
if(n1->dclass != n2->dclass) {
|
|
if(n1->dclass < n2->dclass)
|
|
return -1;
|
|
return 1;
|
|
}
|
|
return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs,
|
|
&m);
|
|
}
|
|
|
|
struct val_anchors*
|
|
anchors_create(void)
|
|
{
|
|
struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a));
|
|
if(!a)
|
|
return NULL;
|
|
a->tree = rbtree_create(anchor_cmp);
|
|
if(!a->tree) {
|
|
anchors_delete(a);
|
|
return NULL;
|
|
}
|
|
a->autr = autr_global_create();
|
|
if(!a->autr) {
|
|
anchors_delete(a);
|
|
return NULL;
|
|
}
|
|
lock_basic_init(&a->lock);
|
|
lock_protect(&a->lock, a, sizeof(*a));
|
|
lock_protect(&a->lock, a->autr, sizeof(*a->autr));
|
|
return a;
|
|
}
|
|
|
|
/** delete assembled rrset */
|
|
static void
|
|
assembled_rrset_delete(struct ub_packed_rrset_key* pkey)
|
|
{
|
|
if(!pkey) return;
|
|
if(pkey->entry.data) {
|
|
struct packed_rrset_data* pd = (struct packed_rrset_data*)
|
|
pkey->entry.data;
|
|
free(pd->rr_data);
|
|
free(pd->rr_ttl);
|
|
free(pd->rr_len);
|
|
free(pd);
|
|
}
|
|
free(pkey->rk.dname);
|
|
free(pkey);
|
|
}
|
|
|
|
/** destroy locks in tree and delete autotrust anchors */
|
|
static void
|
|
anchors_delfunc(rbnode_type* elem, void* ATTR_UNUSED(arg))
|
|
{
|
|
struct trust_anchor* ta = (struct trust_anchor*)elem;
|
|
if(!ta) return;
|
|
if(ta->autr) {
|
|
autr_point_delete(ta);
|
|
} else {
|
|
struct ta_key* p, *np;
|
|
lock_basic_destroy(&ta->lock);
|
|
free(ta->name);
|
|
p = ta->keylist;
|
|
while(p) {
|
|
np = p->next;
|
|
free(p->data);
|
|
free(p);
|
|
p = np;
|
|
}
|
|
assembled_rrset_delete(ta->ds_rrset);
|
|
assembled_rrset_delete(ta->dnskey_rrset);
|
|
free(ta);
|
|
}
|
|
}
|
|
|
|
void
|
|
anchors_delete(struct val_anchors* anchors)
|
|
{
|
|
if(!anchors)
|
|
return;
|
|
lock_unprotect(&anchors->lock, anchors->autr);
|
|
lock_unprotect(&anchors->lock, anchors);
|
|
lock_basic_destroy(&anchors->lock);
|
|
if(anchors->tree)
|
|
traverse_postorder(anchors->tree, anchors_delfunc, NULL);
|
|
free(anchors->tree);
|
|
autr_global_delete(anchors->autr);
|
|
free(anchors);
|
|
}
|
|
|
|
void
|
|
anchors_init_parents_locked(struct val_anchors* anchors)
|
|
{
|
|
struct trust_anchor* node, *prev = NULL, *p;
|
|
int m;
|
|
/* nobody else can grab locks because we hold the main lock.
|
|
* Thus the previous items, after unlocked, are not deleted */
|
|
RBTREE_FOR(node, struct trust_anchor*, anchors->tree) {
|
|
lock_basic_lock(&node->lock);
|
|
node->parent = NULL;
|
|
if(!prev || prev->dclass != node->dclass) {
|
|
prev = node;
|
|
lock_basic_unlock(&node->lock);
|
|
continue;
|
|
}
|
|
(void)dname_lab_cmp(prev->name, prev->namelabs, node->name,
|
|
node->namelabs, &m); /* we know prev is smaller */
|
|
/* sort order like: . com. bla.com. zwb.com. net. */
|
|
/* find the previous, or parent-parent-parent */
|
|
for(p = prev; p; p = p->parent)
|
|
/* looking for name with few labels, a parent */
|
|
if(p->namelabs <= m) {
|
|
/* ==: since prev matched m, this is closest*/
|
|
/* <: prev matches more, but is not a parent,
|
|
* this one is a (grand)parent */
|
|
node->parent = p;
|
|
break;
|
|
}
|
|
lock_basic_unlock(&node->lock);
|
|
prev = node;
|
|
}
|
|
}
|
|
|
|
/** initialise parent pointers in the tree */
|
|
static void
|
|
init_parents(struct val_anchors* anchors)
|
|
{
|
|
lock_basic_lock(&anchors->lock);
|
|
anchors_init_parents_locked(anchors);
|
|
lock_basic_unlock(&anchors->lock);
|
|
}
|
|
|
|
struct trust_anchor*
|
|
anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs,
|
|
size_t namelen, uint16_t dclass)
|
|
{
|
|
struct trust_anchor key;
|
|
rbnode_type* n;
|
|
if(!name) return NULL;
|
|
key.node.key = &key;
|
|
key.name = name;
|
|
key.namelabs = namelabs;
|
|
key.namelen = namelen;
|
|
key.dclass = dclass;
|
|
lock_basic_lock(&anchors->lock);
|
|
n = rbtree_search(anchors->tree, &key);
|
|
if(n) {
|
|
lock_basic_lock(&((struct trust_anchor*)n->key)->lock);
|
|
}
|
|
lock_basic_unlock(&anchors->lock);
|
|
if(!n)
|
|
return NULL;
|
|
return (struct trust_anchor*)n->key;
|
|
}
|
|
|
|
/** create new trust anchor object */
|
|
static struct trust_anchor*
|
|
anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs,
|
|
size_t namelen, uint16_t dclass, int lockit)
|
|
{
|
|
#ifdef UNBOUND_DEBUG
|
|
rbnode_type* r;
|
|
#endif
|
|
struct trust_anchor* ta = (struct trust_anchor*)malloc(
|
|
sizeof(struct trust_anchor));
|
|
if(!ta)
|
|
return NULL;
|
|
memset(ta, 0, sizeof(*ta));
|
|
ta->node.key = ta;
|
|
ta->name = memdup(name, namelen);
|
|
if(!ta->name) {
|
|
free(ta);
|
|
return NULL;
|
|
}
|
|
ta->namelabs = namelabs;
|
|
ta->namelen = namelen;
|
|
ta->dclass = dclass;
|
|
lock_basic_init(&ta->lock);
|
|
if(lockit) {
|
|
lock_basic_lock(&anchors->lock);
|
|
}
|
|
#ifdef UNBOUND_DEBUG
|
|
r =
|
|
#else
|
|
(void)
|
|
#endif
|
|
rbtree_insert(anchors->tree, &ta->node);
|
|
if(lockit) {
|
|
lock_basic_unlock(&anchors->lock);
|
|
}
|
|
log_assert(r != NULL);
|
|
return ta;
|
|
}
|
|
|
|
/** find trustanchor key by exact data match */
|
|
static struct ta_key*
|
|
anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len,
|
|
uint16_t type)
|
|
{
|
|
struct ta_key* k;
|
|
for(k = ta->keylist; k; k = k->next) {
|
|
if(k->type == type && k->len == rdata_len &&
|
|
memcmp(k->data, rdata, rdata_len) == 0)
|
|
return k;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/** create new trustanchor key */
|
|
static struct ta_key*
|
|
anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type)
|
|
{
|
|
struct ta_key* k = (struct ta_key*)malloc(sizeof(*k));
|
|
if(!k)
|
|
return NULL;
|
|
memset(k, 0, sizeof(*k));
|
|
k->data = memdup(rdata, rdata_len);
|
|
if(!k->data) {
|
|
free(k);
|
|
return NULL;
|
|
}
|
|
k->len = rdata_len;
|
|
k->type = type;
|
|
return k;
|
|
}
|
|
|
|
/**
|
|
* This routine adds a new RR to a trust anchor. The trust anchor may not
|
|
* exist yet, and is created if not. The RR can be DS or DNSKEY.
|
|
* This routine will also remove duplicates; storing them only once.
|
|
* @param anchors: anchor storage.
|
|
* @param name: name of trust anchor (wireformat)
|
|
* @param type: type or RR
|
|
* @param dclass: class of RR
|
|
* @param rdata: rdata wireformat, starting with rdlength.
|
|
* If NULL, nothing is stored, but an entry is created.
|
|
* @param rdata_len: length of rdata including rdlength.
|
|
* @return: NULL on error, else the trust anchor.
|
|
*/
|
|
static struct trust_anchor*
|
|
anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type,
|
|
uint16_t dclass, uint8_t* rdata, size_t rdata_len)
|
|
{
|
|
struct ta_key* k;
|
|
struct trust_anchor* ta;
|
|
int namelabs;
|
|
size_t namelen;
|
|
namelabs = dname_count_size_labels(name, &namelen);
|
|
if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) {
|
|
log_err("Bad type for trust anchor");
|
|
return 0;
|
|
}
|
|
/* lookup or create trustanchor */
|
|
ta = anchor_find(anchors, name, namelabs, namelen, dclass);
|
|
if(!ta) {
|
|
ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1);
|
|
if(!ta)
|
|
return NULL;
|
|
lock_basic_lock(&ta->lock);
|
|
}
|
|
if(!rdata) {
|
|
lock_basic_unlock(&ta->lock);
|
|
return ta;
|
|
}
|
|
/* look for duplicates */
|
|
if(anchor_find_key(ta, rdata, rdata_len, type)) {
|
|
lock_basic_unlock(&ta->lock);
|
|
return ta;
|
|
}
|
|
k = anchor_new_ta_key(rdata, rdata_len, type);
|
|
if(!k) {
|
|
lock_basic_unlock(&ta->lock);
|
|
return NULL;
|
|
}
|
|
/* add new key */
|
|
if(type == LDNS_RR_TYPE_DS)
|
|
ta->numDS++;
|
|
else ta->numDNSKEY++;
|
|
k->next = ta->keylist;
|
|
ta->keylist = k;
|
|
lock_basic_unlock(&ta->lock);
|
|
return ta;
|
|
}
|
|
|
|
/**
|
|
* Add new RR. It converts ldns RR to wire format.
|
|
* @param anchors: anchor storage.
|
|
* @param rr: the wirerr.
|
|
* @param rl: length of rr.
|
|
* @param dl: length of dname.
|
|
* @return NULL on error, else the trust anchor.
|
|
*/
|
|
static struct trust_anchor*
|
|
anchor_store_new_rr(struct val_anchors* anchors, uint8_t* rr, size_t rl,
|
|
size_t dl)
|
|
{
|
|
struct trust_anchor* ta;
|
|
if(!(ta=anchor_store_new_key(anchors, rr,
|
|
sldns_wirerr_get_type(rr, rl, dl),
|
|
sldns_wirerr_get_class(rr, rl, dl),
|
|
sldns_wirerr_get_rdatawl(rr, rl, dl),
|
|
sldns_wirerr_get_rdatalen(rr, rl, dl)+2))) {
|
|
return NULL;
|
|
}
|
|
log_nametypeclass(VERB_QUERY, "adding trusted key",
|
|
rr, sldns_wirerr_get_type(rr, rl, dl),
|
|
sldns_wirerr_get_class(rr, rl, dl));
|
|
return ta;
|
|
}
|
|
|
|
/**
|
|
* Insert insecure anchor
|
|
* @param anchors: anchor storage.
|
|
* @param str: the domain name.
|
|
* @return NULL on error, Else last trust anchor point
|
|
*/
|
|
static struct trust_anchor*
|
|
anchor_insert_insecure(struct val_anchors* anchors, const char* str)
|
|
{
|
|
struct trust_anchor* ta;
|
|
size_t dname_len = 0;
|
|
uint8_t* nm = sldns_str2wire_dname(str, &dname_len);
|
|
if(!nm) {
|
|
log_err("parse error in domain name '%s'", str);
|
|
return NULL;
|
|
}
|
|
ta = anchor_store_new_key(anchors, nm, LDNS_RR_TYPE_DS,
|
|
LDNS_RR_CLASS_IN, NULL, 0);
|
|
free(nm);
|
|
return ta;
|
|
}
|
|
|
|
struct trust_anchor*
|
|
anchor_store_str(struct val_anchors* anchors, sldns_buffer* buffer,
|
|
const char* str)
|
|
{
|
|
struct trust_anchor* ta;
|
|
uint8_t* rr = sldns_buffer_begin(buffer);
|
|
size_t len = sldns_buffer_capacity(buffer), dname_len = 0;
|
|
int status = sldns_str2wire_rr_buf(str, rr, &len, &dname_len,
|
|
0, NULL, 0, NULL, 0);
|
|
if(status != 0) {
|
|
log_err("error parsing trust anchor %s: at %d: %s",
|
|
str, LDNS_WIREPARSE_OFFSET(status),
|
|
sldns_get_errorstr_parse(status));
|
|
return NULL;
|
|
}
|
|
if(!(ta=anchor_store_new_rr(anchors, rr, len, dname_len))) {
|
|
log_err("out of memory");
|
|
return NULL;
|
|
}
|
|
return ta;
|
|
}
|
|
|
|
/**
|
|
* Read a file with trust anchors
|
|
* @param anchors: anchor storage.
|
|
* @param buffer: parsing buffer.
|
|
* @param fname: string.
|
|
* @param onlyone: only one trust anchor allowed in file.
|
|
* @return NULL on error. Else last trust-anchor point.
|
|
*/
|
|
static struct trust_anchor*
|
|
anchor_read_file(struct val_anchors* anchors, sldns_buffer* buffer,
|
|
const char* fname, int onlyone)
|
|
{
|
|
struct trust_anchor* ta = NULL, *tanew;
|
|
struct sldns_file_parse_state pst;
|
|
int status;
|
|
size_t len, dname_len;
|
|
uint8_t* rr = sldns_buffer_begin(buffer);
|
|
int ok = 1;
|
|
FILE* in = fopen(fname, "r");
|
|
if(!in) {
|
|
log_err("error opening file %s: %s", fname, strerror(errno));
|
|
return 0;
|
|
}
|
|
memset(&pst, 0, sizeof(pst));
|
|
pst.default_ttl = 3600;
|
|
pst.lineno = 1;
|
|
while(!feof(in)) {
|
|
len = sldns_buffer_capacity(buffer);
|
|
dname_len = 0;
|
|
status = sldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst);
|
|
if(len == 0) /* empty, $TTL, $ORIGIN */
|
|
continue;
|
|
if(status != 0) {
|
|
log_err("parse error in %s:%d:%d : %s", fname,
|
|
pst.lineno, LDNS_WIREPARSE_OFFSET(status),
|
|
sldns_get_errorstr_parse(status));
|
|
ok = 0;
|
|
break;
|
|
}
|
|
if(sldns_wirerr_get_type(rr, len, dname_len) !=
|
|
LDNS_RR_TYPE_DS && sldns_wirerr_get_type(rr, len,
|
|
dname_len) != LDNS_RR_TYPE_DNSKEY) {
|
|
continue;
|
|
}
|
|
if(!(tanew=anchor_store_new_rr(anchors, rr, len, dname_len))) {
|
|
log_err("mem error at %s line %d", fname, pst.lineno);
|
|
ok = 0;
|
|
break;
|
|
}
|
|
if(onlyone && ta && ta != tanew) {
|
|
log_err("error at %s line %d: no multiple anchor "
|
|
"domains allowed (you can have multiple "
|
|
"keys, but they must have the same name).",
|
|
fname, pst.lineno);
|
|
ok = 0;
|
|
break;
|
|
}
|
|
ta = tanew;
|
|
}
|
|
fclose(in);
|
|
if(!ok) return NULL;
|
|
/* empty file is OK when multiple anchors are allowed */
|
|
if(!onlyone && !ta) return (struct trust_anchor*)1;
|
|
return ta;
|
|
}
|
|
|
|
/** skip file to end of line */
|
|
static void
|
|
skip_to_eol(FILE* in)
|
|
{
|
|
int c;
|
|
while((c = getc(in)) != EOF ) {
|
|
if(c == '\n')
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** true for special characters in bind configs */
|
|
static int
|
|
is_bind_special(int c)
|
|
{
|
|
switch(c) {
|
|
case '{':
|
|
case '}':
|
|
case '"':
|
|
case ';':
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Read a keyword skipping bind comments; spaces, specials, restkeywords.
|
|
* The file is split into the following tokens:
|
|
* * special characters, on their own, rdlen=1, { } doublequote ;
|
|
* * whitespace becomes a single ' ' or tab. Newlines become spaces.
|
|
* * other words ('keywords')
|
|
* * comments are skipped if desired
|
|
* / / C++ style comment to end of line
|
|
* # to end of line
|
|
* / * C style comment * /
|
|
* @param in: file to read from.
|
|
* @param buf: buffer, what is read is stored after current buffer position.
|
|
* Space is left in the buffer to write a terminating 0.
|
|
* @param line: line number is increased per line, for error reports.
|
|
* @param comments: if 0, comments are not possible and become text.
|
|
* if 1, comments are skipped entirely.
|
|
* In BIND files, this is when reading quoted strings, for example
|
|
* " base 64 text with / / in there "
|
|
* @return the number of character written to the buffer.
|
|
* 0 on end of file.
|
|
*/
|
|
static int
|
|
readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments)
|
|
{
|
|
int c;
|
|
int numdone = 0;
|
|
while((c = getc(in)) != EOF ) {
|
|
if(comments && c == '#') { /* # blabla */
|
|
skip_to_eol(in);
|
|
(*line)++;
|
|
continue;
|
|
} else if(comments && c=='/' && numdone>0 && /* /_/ bla*/
|
|
sldns_buffer_read_u8_at(buf,
|
|
sldns_buffer_position(buf)-1) == '/') {
|
|
sldns_buffer_skip(buf, -1);
|
|
numdone--;
|
|
skip_to_eol(in);
|
|
(*line)++;
|
|
continue;
|
|
} else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */
|
|
sldns_buffer_read_u8_at(buf,
|
|
sldns_buffer_position(buf)-1) == '/') {
|
|
sldns_buffer_skip(buf, -1);
|
|
numdone--;
|
|
/* skip to end of comment */
|
|
while(c != EOF && (c=getc(in)) != EOF ) {
|
|
if(c == '*') {
|
|
if((c=getc(in)) == '/')
|
|
break;
|
|
}
|
|
if(c == '\n')
|
|
(*line)++;
|
|
}
|
|
continue;
|
|
}
|
|
/* not a comment, complete the keyword */
|
|
if(numdone > 0) {
|
|
/* check same type */
|
|
if(isspace((unsigned char)c)) {
|
|
ungetc(c, in);
|
|
return numdone;
|
|
}
|
|
if(is_bind_special(c)) {
|
|
ungetc(c, in);
|
|
return numdone;
|
|
}
|
|
}
|
|
if(c == '\n') {
|
|
c = ' ';
|
|
(*line)++;
|
|
}
|
|
/* space for 1 char + 0 string terminator */
|
|
if(sldns_buffer_remaining(buf) < 2) {
|
|
fatal_exit("trusted-keys, %d, string too long", *line);
|
|
}
|
|
sldns_buffer_write_u8(buf, (uint8_t)c);
|
|
numdone++;
|
|
if(isspace((unsigned char)c)) {
|
|
/* collate whitespace into ' ' */
|
|
while((c = getc(in)) != EOF ) {
|
|
if(c == '\n')
|
|
(*line)++;
|
|
if(!isspace((unsigned char)c)) {
|
|
ungetc(c, in);
|
|
break;
|
|
}
|
|
}
|
|
return numdone;
|
|
}
|
|
if(is_bind_special(c))
|
|
return numdone;
|
|
}
|
|
return numdone;
|
|
}
|
|
|
|
/** skip through file to { or ; */
|
|
static int
|
|
skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec)
|
|
{
|
|
int rdlen;
|
|
sldns_buffer_clear(buf);
|
|
while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
|
|
if(rdlen == 1 && isspace((unsigned char)*sldns_buffer_begin(buf))) {
|
|
sldns_buffer_clear(buf);
|
|
continue;
|
|
}
|
|
if(rdlen != 1 || *sldns_buffer_begin(buf) != (uint8_t)spec) {
|
|
sldns_buffer_write_u8(buf, 0);
|
|
log_err("trusted-keys, line %d, expected %c",
|
|
*line, spec);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
log_err("trusted-keys, line %d, expected %c got EOF", *line, spec);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* read contents of trusted-keys{ ... ; clauses and insert keys into storage.
|
|
* @param anchors: where to store keys
|
|
* @param buf: buffer to use
|
|
* @param line: line number in file
|
|
* @param in: file to read from.
|
|
* @return 0 on error.
|
|
*/
|
|
static int
|
|
process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf,
|
|
int* line, FILE* in)
|
|
{
|
|
/* loop over contents, collate strings before ; */
|
|
/* contents is (numbered): 0 1 2 3 4 5 6 7 8 */
|
|
/* name. 257 3 5 base64 base64 */
|
|
/* quoted value: 0 "111" 0 0 0 0 0 0 0 */
|
|
/* comments value: 1 "000" 1 1 1 "0 0 0 0" 1 */
|
|
int contnum = 0;
|
|
int quoted = 0;
|
|
int comments = 1;
|
|
int rdlen;
|
|
char* str = 0;
|
|
sldns_buffer_clear(buf);
|
|
while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
|
|
if(rdlen == 1 && sldns_buffer_position(buf) == 1
|
|
&& isspace((unsigned char)*sldns_buffer_begin(buf))) {
|
|
/* starting whitespace is removed */
|
|
sldns_buffer_clear(buf);
|
|
continue;
|
|
} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '"') {
|
|
/* remove " from the string */
|
|
if(contnum == 0) {
|
|
quoted = 1;
|
|
comments = 0;
|
|
}
|
|
sldns_buffer_skip(buf, -1);
|
|
if(contnum > 0 && quoted) {
|
|
if(sldns_buffer_remaining(buf) < 8+1) {
|
|
log_err("line %d, too long", *line);
|
|
return 0;
|
|
}
|
|
sldns_buffer_write(buf, " DNSKEY ", 8);
|
|
quoted = 0;
|
|
comments = 1;
|
|
} else if(contnum > 0)
|
|
comments = !comments;
|
|
continue;
|
|
} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == ';') {
|
|
|
|
if(contnum < 5) {
|
|
sldns_buffer_write_u8(buf, 0);
|
|
log_err("line %d, bad key", *line);
|
|
return 0;
|
|
}
|
|
sldns_buffer_skip(buf, -1);
|
|
sldns_buffer_write_u8(buf, 0);
|
|
str = strdup((char*)sldns_buffer_begin(buf));
|
|
if(!str) {
|
|
log_err("line %d, allocation failure", *line);
|
|
return 0;
|
|
}
|
|
if(!anchor_store_str(anchors, buf, str)) {
|
|
log_err("line %d, bad key", *line);
|
|
free(str);
|
|
return 0;
|
|
}
|
|
free(str);
|
|
sldns_buffer_clear(buf);
|
|
contnum = 0;
|
|
quoted = 0;
|
|
comments = 1;
|
|
continue;
|
|
} else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '}') {
|
|
if(contnum > 0) {
|
|
sldns_buffer_write_u8(buf, 0);
|
|
log_err("line %d, bad key before }", *line);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
} else if(rdlen == 1 &&
|
|
isspace((unsigned char)sldns_buffer_current(buf)[-1])) {
|
|
/* leave whitespace here */
|
|
} else {
|
|
/* not space or whatnot, so actual content */
|
|
contnum ++;
|
|
if(contnum == 1 && !quoted) {
|
|
if(sldns_buffer_remaining(buf) < 8+1) {
|
|
log_err("line %d, too long", *line);
|
|
return 0;
|
|
}
|
|
sldns_buffer_write(buf, " DNSKEY ", 8);
|
|
}
|
|
}
|
|
}
|
|
|
|
log_err("line %d, EOF before }", *line);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Read a BIND9 like file with trust anchors in named.conf format.
|
|
* @param anchors: anchor storage.
|
|
* @param buffer: parsing buffer.
|
|
* @param fname: string.
|
|
* @return false on error.
|
|
*/
|
|
static int
|
|
anchor_read_bind_file(struct val_anchors* anchors, sldns_buffer* buffer,
|
|
const char* fname)
|
|
{
|
|
int line_nr = 1;
|
|
FILE* in = fopen(fname, "r");
|
|
int rdlen = 0;
|
|
if(!in) {
|
|
log_err("error opening file %s: %s", fname, strerror(errno));
|
|
return 0;
|
|
}
|
|
verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
|
|
/* scan for trusted-keys keyword, ignore everything else */
|
|
sldns_buffer_clear(buffer);
|
|
while((rdlen=readkeyword_bindfile(in, buffer, &line_nr, 1)) != 0) {
|
|
if(rdlen != 12 || strncmp((char*)sldns_buffer_begin(buffer),
|
|
"trusted-keys", 12) != 0) {
|
|
sldns_buffer_clear(buffer);
|
|
/* ignore everything but trusted-keys */
|
|
continue;
|
|
}
|
|
if(!skip_to_special(in, buffer, &line_nr, '{')) {
|
|
log_err("error in trusted key: \"%s\"", fname);
|
|
fclose(in);
|
|
return 0;
|
|
}
|
|
/* process contents */
|
|
if(!process_bind_contents(anchors, buffer, &line_nr, in)) {
|
|
log_err("error in trusted key: \"%s\"", fname);
|
|
fclose(in);
|
|
return 0;
|
|
}
|
|
if(!skip_to_special(in, buffer, &line_nr, ';')) {
|
|
log_err("error in trusted key: \"%s\"", fname);
|
|
fclose(in);
|
|
return 0;
|
|
}
|
|
sldns_buffer_clear(buffer);
|
|
}
|
|
fclose(in);
|
|
return 1;
|
|
}
|
|
|
|
/**
|
|
* Read a BIND9 like files with trust anchors in named.conf format.
|
|
* Performs wildcard processing of name.
|
|
* @param anchors: anchor storage.
|
|
* @param buffer: parsing buffer.
|
|
* @param pat: pattern string. (can be wildcarded)
|
|
* @return false on error.
|
|
*/
|
|
static int
|
|
anchor_read_bind_file_wild(struct val_anchors* anchors, sldns_buffer* buffer,
|
|
const char* pat)
|
|
{
|
|
#ifdef HAVE_GLOB
|
|
glob_t g;
|
|
size_t i;
|
|
int r, flags;
|
|
if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') &&
|
|
!strchr(pat, '{') && !strchr(pat, '~')) {
|
|
return anchor_read_bind_file(anchors, buffer, pat);
|
|
}
|
|
verbose(VERB_QUERY, "wildcard found, processing %s", pat);
|
|
flags = 0
|
|
#ifdef GLOB_ERR
|
|
| GLOB_ERR
|
|
#endif
|
|
#ifdef GLOB_NOSORT
|
|
| GLOB_NOSORT
|
|
#endif
|
|
#ifdef GLOB_BRACE
|
|
| GLOB_BRACE
|
|
#endif
|
|
#ifdef GLOB_TILDE
|
|
| GLOB_TILDE
|
|
#endif
|
|
;
|
|
memset(&g, 0, sizeof(g));
|
|
r = glob(pat, flags, NULL, &g);
|
|
if(r) {
|
|
/* some error */
|
|
if(r == GLOB_NOMATCH) {
|
|
verbose(VERB_QUERY, "trusted-keys-file: "
|
|
"no matches for %s", pat);
|
|
return 1;
|
|
} else if(r == GLOB_NOSPACE) {
|
|
log_err("wildcard trusted-keys-file %s: "
|
|
"pattern out of memory", pat);
|
|
} else if(r == GLOB_ABORTED) {
|
|
log_err("wildcard trusted-keys-file %s: expansion "
|
|
"aborted (%s)", pat, strerror(errno));
|
|
} else {
|
|
log_err("wildcard trusted-keys-file %s: expansion "
|
|
"failed (%s)", pat, strerror(errno));
|
|
}
|
|
/* ignore globs that yield no files */
|
|
return 1;
|
|
}
|
|
/* process files found, if any */
|
|
for(i=0; i<(size_t)g.gl_pathc; i++) {
|
|
if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) {
|
|
log_err("error reading wildcard "
|
|
"trusted-keys-file: %s", g.gl_pathv[i]);
|
|
globfree(&g);
|
|
return 0;
|
|
}
|
|
}
|
|
globfree(&g);
|
|
return 1;
|
|
#else /* not HAVE_GLOB */
|
|
return anchor_read_bind_file(anchors, buffer, pat);
|
|
#endif /* HAVE_GLOB */
|
|
}
|
|
|
|
/**
|
|
* Assemble an rrset structure for the type
|
|
* @param ta: trust anchor.
|
|
* @param num: number of items to fetch from list.
|
|
* @param type: fetch only items of this type.
|
|
* @return rrset or NULL on error.
|
|
*/
|
|
static struct ub_packed_rrset_key*
|
|
assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
|
|
{
|
|
struct ub_packed_rrset_key* pkey = (struct ub_packed_rrset_key*)
|
|
malloc(sizeof(*pkey));
|
|
struct packed_rrset_data* pd;
|
|
struct ta_key* tk;
|
|
size_t i;
|
|
if(!pkey)
|
|
return NULL;
|
|
memset(pkey, 0, sizeof(*pkey));
|
|
pkey->rk.dname = memdup(ta->name, ta->namelen);
|
|
if(!pkey->rk.dname) {
|
|
free(pkey);
|
|
return NULL;
|
|
}
|
|
|
|
pkey->rk.dname_len = ta->namelen;
|
|
pkey->rk.type = htons(type);
|
|
pkey->rk.rrset_class = htons(ta->dclass);
|
|
/* The rrset is build in an uncompressed way. This means it
|
|
* cannot be copied in the normal way. */
|
|
pd = (struct packed_rrset_data*)malloc(sizeof(*pd));
|
|
if(!pd) {
|
|
free(pkey->rk.dname);
|
|
free(pkey);
|
|
return NULL;
|
|
}
|
|
memset(pd, 0, sizeof(*pd));
|
|
pd->count = num;
|
|
pd->trust = rrset_trust_ultimate;
|
|
pd->rr_len = (size_t*)reallocarray(NULL, num, sizeof(size_t));
|
|
if(!pd->rr_len) {
|
|
free(pd);
|
|
free(pkey->rk.dname);
|
|
free(pkey);
|
|
return NULL;
|
|
}
|
|
pd->rr_ttl = (time_t*)reallocarray(NULL, num, sizeof(time_t));
|
|
if(!pd->rr_ttl) {
|
|
free(pd->rr_len);
|
|
free(pd);
|
|
free(pkey->rk.dname);
|
|
free(pkey);
|
|
return NULL;
|
|
}
|
|
pd->rr_data = (uint8_t**)reallocarray(NULL, num, sizeof(uint8_t*));
|
|
if(!pd->rr_data) {
|
|
free(pd->rr_ttl);
|
|
free(pd->rr_len);
|
|
free(pd);
|
|
free(pkey->rk.dname);
|
|
free(pkey);
|
|
return NULL;
|
|
}
|
|
/* fill in rrs */
|
|
i=0;
|
|
for(tk = ta->keylist; tk; tk = tk->next) {
|
|
if(tk->type != type)
|
|
continue;
|
|
pd->rr_len[i] = tk->len;
|
|
/* reuse data ptr to allocation in talist */
|
|
pd->rr_data[i] = tk->data;
|
|
pd->rr_ttl[i] = 0;
|
|
i++;
|
|
}
|
|
pkey->entry.data = (void*)pd;
|
|
return pkey;
|
|
}
|
|
|
|
/**
|
|
* Assemble structures for the trust DS and DNSKEY rrsets.
|
|
* @param ta: trust anchor
|
|
* @return: false on error.
|
|
*/
|
|
static int
|
|
anchors_assemble(struct trust_anchor* ta)
|
|
{
|
|
if(ta->numDS > 0) {
|
|
ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS);
|
|
if(!ta->ds_rrset)
|
|
return 0;
|
|
}
|
|
if(ta->numDNSKEY > 0) {
|
|
ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY,
|
|
LDNS_RR_TYPE_DNSKEY);
|
|
if(!ta->dnskey_rrset)
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/**
|
|
* Check DS algos for support, warn if not.
|
|
* @param ta: trust anchor
|
|
* @return number of DS anchors with unsupported algorithms.
|
|
*/
|
|
static size_t
|
|
anchors_ds_unsupported(struct trust_anchor* ta)
|
|
{
|
|
size_t i, num = 0;
|
|
for(i=0; i<ta->numDS; i++) {
|
|
if(!ds_digest_algo_is_supported(ta->ds_rrset, i) ||
|
|
!ds_key_algo_is_supported(ta->ds_rrset, i))
|
|
num++;
|
|
}
|
|
return num;
|
|
}
|
|
|
|
/**
|
|
* Check DNSKEY algos for support, warn if not.
|
|
* @param ta: trust anchor
|
|
* @return number of DNSKEY anchors with unsupported algorithms.
|
|
*/
|
|
static size_t
|
|
anchors_dnskey_unsupported(struct trust_anchor* ta)
|
|
{
|
|
size_t i, num = 0;
|
|
for(i=0; i<ta->numDNSKEY; i++) {
|
|
if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
|
|
num++;
|
|
}
|
|
return num;
|
|
}
|
|
|
|
/**
|
|
* Assemble the rrsets in the anchors, ready for use by validator.
|
|
* @param anchors: trust anchor storage.
|
|
* @return: false on error.
|
|
*/
|
|
static int
|
|
anchors_assemble_rrsets(struct val_anchors* anchors)
|
|
{
|
|
struct trust_anchor* ta;
|
|
struct trust_anchor* next;
|
|
size_t nods, nokey;
|
|
lock_basic_lock(&anchors->lock);
|
|
ta=(struct trust_anchor*)rbtree_first(anchors->tree);
|
|
while((rbnode_type*)ta != RBTREE_NULL) {
|
|
next = (struct trust_anchor*)rbtree_next(&ta->node);
|
|
lock_basic_lock(&ta->lock);
|
|
if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) {
|
|
lock_basic_unlock(&ta->lock);
|
|
ta = next; /* skip */
|
|
continue;
|
|
}
|
|
if(!anchors_assemble(ta)) {
|
|
log_err("out of memory");
|
|
lock_basic_unlock(&ta->lock);
|
|
lock_basic_unlock(&anchors->lock);
|
|
return 0;
|
|
}
|
|
nods = anchors_ds_unsupported(ta);
|
|
nokey = anchors_dnskey_unsupported(ta);
|
|
if(nods) {
|
|
log_nametypeclass(0, "warning: unsupported "
|
|
"algorithm for trust anchor",
|
|
ta->name, LDNS_RR_TYPE_DS, ta->dclass);
|
|
}
|
|
if(nokey) {
|
|
log_nametypeclass(0, "warning: unsupported "
|
|
"algorithm for trust anchor",
|
|
ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
|
|
}
|
|
if(nods == ta->numDS && nokey == ta->numDNSKEY) {
|
|
char b[257];
|
|
dname_str(ta->name, b);
|
|
log_warn("trust anchor %s has no supported algorithms,"
|
|
" the anchor is ignored (check if you need to"
|
|
" upgrade unbound and "
|
|
#ifdef HAVE_LIBRESSL
|
|
"libressl"
|
|
#else
|
|
"openssl"
|
|
#endif
|
|
")", b);
|
|
(void)rbtree_delete(anchors->tree, &ta->node);
|
|
lock_basic_unlock(&ta->lock);
|
|
if(anchors->dlv_anchor == ta)
|
|
anchors->dlv_anchor = NULL;
|
|
anchors_delfunc(&ta->node, NULL);
|
|
ta = next;
|
|
continue;
|
|
}
|
|
lock_basic_unlock(&ta->lock);
|
|
ta = next;
|
|
}
|
|
lock_basic_unlock(&anchors->lock);
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
|
|
{
|
|
struct config_strlist* f;
|
|
const char** zstr;
|
|
char* nm;
|
|
sldns_buffer* parsebuf = sldns_buffer_new(65535);
|
|
if(cfg->insecure_lan_zones) {
|
|
for(zstr = as112_zones; *zstr; zstr++) {
|
|
if(!anchor_insert_insecure(anchors, *zstr)) {
|
|
log_err("error in insecure-lan-zones: %s", *zstr);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
}
|
|
for(f = cfg->domain_insecure; f; f = f->next) {
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
if(!anchor_insert_insecure(anchors, f->str)) {
|
|
log_err("error in domain-insecure: %s", f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
for(f = cfg->trust_anchor_file_list; f; f = f->next) {
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
nm = f->str;
|
|
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
|
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
|
nm += strlen(cfg->chrootdir);
|
|
if(!anchor_read_file(anchors, parsebuf, nm, 0)) {
|
|
log_err("error reading trust-anchor-file: %s", f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
for(f = cfg->trusted_keys_file_list; f; f = f->next) {
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
nm = f->str;
|
|
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
|
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
|
nm += strlen(cfg->chrootdir);
|
|
if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) {
|
|
log_err("error reading trusted-keys-file: %s", f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
for(f = cfg->trust_anchor_list; f; f = f->next) {
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
if(!anchor_store_str(anchors, parsebuf, f->str)) {
|
|
log_err("error in trust-anchor: \"%s\"", f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
|
|
struct trust_anchor* dlva;
|
|
nm = cfg->dlv_anchor_file;
|
|
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
|
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
|
nm += strlen(cfg->chrootdir);
|
|
if(!(dlva = anchor_read_file(anchors, parsebuf,
|
|
nm, 1))) {
|
|
log_err("error reading dlv-anchor-file: %s",
|
|
cfg->dlv_anchor_file);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
lock_basic_lock(&anchors->lock);
|
|
anchors->dlv_anchor = dlva;
|
|
lock_basic_unlock(&anchors->lock);
|
|
}
|
|
for(f = cfg->dlv_anchor_list; f; f = f->next) {
|
|
struct trust_anchor* dlva;
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
if(!(dlva = anchor_store_str(
|
|
anchors, parsebuf, f->str))) {
|
|
log_err("error in dlv-anchor: \"%s\"", f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
lock_basic_lock(&anchors->lock);
|
|
anchors->dlv_anchor = dlva;
|
|
lock_basic_unlock(&anchors->lock);
|
|
}
|
|
/* do autr last, so that it sees what anchors are filled by other
|
|
* means can can print errors about double config for the name */
|
|
for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {
|
|
if(!f->str || f->str[0] == 0) /* empty "" */
|
|
continue;
|
|
nm = f->str;
|
|
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
|
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
|
nm += strlen(cfg->chrootdir);
|
|
if(!autr_read_file(anchors, nm)) {
|
|
log_err("error reading auto-trust-anchor-file: %s",
|
|
f->str);
|
|
sldns_buffer_free(parsebuf);
|
|
return 0;
|
|
}
|
|
}
|
|
/* first assemble, since it may delete useless anchors */
|
|
anchors_assemble_rrsets(anchors);
|
|
init_parents(anchors);
|
|
sldns_buffer_free(parsebuf);
|
|
if(verbosity >= VERB_ALGO) autr_debug_print(anchors);
|
|
return 1;
|
|
}
|
|
|
|
struct trust_anchor*
|
|
anchors_lookup(struct val_anchors* anchors,
|
|
uint8_t* qname, size_t qname_len, uint16_t qclass)
|
|
{
|
|
struct trust_anchor key;
|
|
struct trust_anchor* result;
|
|
rbnode_type* res = NULL;
|
|
key.node.key = &key;
|
|
key.name = qname;
|
|
key.namelabs = dname_count_labels(qname);
|
|
key.namelen = qname_len;
|
|
key.dclass = qclass;
|
|
lock_basic_lock(&anchors->lock);
|
|
if(rbtree_find_less_equal(anchors->tree, &key, &res)) {
|
|
/* exact */
|
|
result = (struct trust_anchor*)res;
|
|
} else {
|
|
/* smaller element (or no element) */
|
|
int m;
|
|
result = (struct trust_anchor*)res;
|
|
if(!result || result->dclass != qclass) {
|
|
lock_basic_unlock(&anchors->lock);
|
|
return NULL;
|
|
}
|
|
/* count number of labels matched */
|
|
(void)dname_lab_cmp(result->name, result->namelabs, key.name,
|
|
key.namelabs, &m);
|
|
while(result) { /* go up until qname is subdomain of stub */
|
|
if(result->namelabs <= m)
|
|
break;
|
|
result = result->parent;
|
|
}
|
|
}
|
|
if(result) {
|
|
lock_basic_lock(&result->lock);
|
|
}
|
|
lock_basic_unlock(&anchors->lock);
|
|
return result;
|
|
}
|
|
|
|
size_t
|
|
anchors_get_mem(struct val_anchors* anchors)
|
|
{
|
|
struct trust_anchor *ta;
|
|
size_t s = sizeof(*anchors);
|
|
if(!anchors)
|
|
return 0;
|
|
RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) {
|
|
s += sizeof(*ta) + ta->namelen;
|
|
/* keys and so on */
|
|
}
|
|
return s;
|
|
}
|
|
|
|
int
|
|
anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm)
|
|
{
|
|
struct trust_anchor key;
|
|
key.node.key = &key;
|
|
key.name = nm;
|
|
key.namelabs = dname_count_size_labels(nm, &key.namelen);
|
|
key.dclass = c;
|
|
lock_basic_lock(&anchors->lock);
|
|
if(rbtree_search(anchors->tree, &key)) {
|
|
lock_basic_unlock(&anchors->lock);
|
|
/* nothing to do, already an anchor or insecure point */
|
|
return 1;
|
|
}
|
|
if(!anchor_new_ta(anchors, nm, key.namelabs, key.namelen, c, 0)) {
|
|
log_err("out of memory");
|
|
lock_basic_unlock(&anchors->lock);
|
|
return 0;
|
|
}
|
|
/* no other contents in new ta, because it is insecure point */
|
|
anchors_init_parents_locked(anchors);
|
|
lock_basic_unlock(&anchors->lock);
|
|
return 1;
|
|
}
|
|
|
|
void
|
|
anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
|
|
uint8_t* nm)
|
|
{
|
|
struct trust_anchor key;
|
|
struct trust_anchor* ta;
|
|
key.node.key = &key;
|
|
key.name = nm;
|
|
key.namelabs = dname_count_size_labels(nm, &key.namelen);
|
|
key.dclass = c;
|
|
lock_basic_lock(&anchors->lock);
|
|
if(!(ta=(struct trust_anchor*)rbtree_search(anchors->tree, &key))) {
|
|
lock_basic_unlock(&anchors->lock);
|
|
/* nothing there */
|
|
return;
|
|
}
|
|
/* lock it to drive away other threads that use it */
|
|
lock_basic_lock(&ta->lock);
|
|
/* see if its really an insecure point */
|
|
if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) {
|
|
lock_basic_unlock(&anchors->lock);
|
|
lock_basic_unlock(&ta->lock);
|
|
/* its not an insecure point, do not remove it */
|
|
return;
|
|
}
|
|
|
|
/* remove from tree */
|
|
(void)rbtree_delete(anchors->tree, &ta->node);
|
|
anchors_init_parents_locked(anchors);
|
|
lock_basic_unlock(&anchors->lock);
|
|
|
|
/* actual free of data */
|
|
lock_basic_unlock(&ta->lock);
|
|
anchors_delfunc(&ta->node, NULL);
|
|
}
|
|
|
|
/** compare two keytags, return -1, 0 or 1 */
|
|
static int
|
|
keytag_compare(const void* x, const void* y)
|
|
{
|
|
if(*(uint16_t*)x == *(uint16_t*)y)
|
|
return 0;
|
|
if(*(uint16_t*)x > *(uint16_t*)y)
|
|
return 1;
|
|
return -1;
|
|
}
|
|
|
|
size_t
|
|
anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num)
|
|
{
|
|
size_t i, ret = 0;
|
|
if(ta->numDS == 0 && ta->numDNSKEY == 0)
|
|
return 0; /* insecure point */
|
|
if(ta->numDS != 0 && ta->ds_rrset) {
|
|
struct packed_rrset_data* d=(struct packed_rrset_data*)
|
|
ta->ds_rrset->entry.data;
|
|
for(i=0; i<d->count; i++) {
|
|
if(ret == num) continue;
|
|
list[ret++] = ds_get_keytag(ta->ds_rrset, i);
|
|
}
|
|
}
|
|
if(ta->numDNSKEY != 0 && ta->dnskey_rrset) {
|
|
struct packed_rrset_data* d=(struct packed_rrset_data*)
|
|
ta->dnskey_rrset->entry.data;
|
|
for(i=0; i<d->count; i++) {
|
|
if(ret == num) continue;
|
|
list[ret++] = dnskey_calc_keytag(ta->dnskey_rrset, i);
|
|
}
|
|
}
|
|
qsort(list, ret, sizeof(*list), keytag_compare);
|
|
return ret;
|
|
}
|