This file contains storage for the trust anchors for the validator. More...
#include "config.h"#include <ctype.h>#include "validator/val_anchor.h"#include "validator/val_sigcrypt.h"#include "validator/autotrust.h"#include "util/data/packed_rrset.h"#include "util/data/dname.h"#include "util/log.h"#include "util/net_help.h"#include "util/config_file.h"#include "util/as112.h"#include "sldns/sbuffer.h"#include "sldns/rrdef.h"#include "sldns/str2wire.h"Functions | |
| int | anchor_cmp (const void *k1, const void *k2) |
| compare two trust anchors | |
| struct val_anchors * | anchors_create (void) |
| Create trust anchor storage. More... | |
| static void | assembled_rrset_delete (struct ub_packed_rrset_key *pkey) |
| delete assembled rrset | |
| static void | anchors_delfunc (rbnode_type *elem, void *ATTR_UNUSED(arg)) |
| destroy locks in tree and delete autotrust anchors | |
| void | anchors_delete (struct val_anchors *anchors) |
| Delete trust anchor storage. More... | |
| void | anchors_init_parents_locked (struct val_anchors *anchors) |
| Recalculate parent pointers. More... | |
| static void | init_parents (struct val_anchors *anchors) |
| initialise parent pointers in the tree | |
| struct trust_anchor * | anchor_find (struct val_anchors *anchors, uint8_t *name, int namelabs, size_t namelen, uint16_t dclass) |
| Find a trust anchor. More... | |
| static struct trust_anchor * | anchor_new_ta (struct val_anchors *anchors, uint8_t *name, int namelabs, size_t namelen, uint16_t dclass, int lockit) |
| create new trust anchor object | |
| static struct ta_key * | anchor_find_key (struct trust_anchor *ta, uint8_t *rdata, size_t rdata_len, uint16_t type) |
| find trustanchor key by exact data match | |
| static struct ta_key * | anchor_new_ta_key (uint8_t *rdata, size_t rdata_len, uint16_t type) |
| create new trustanchor key | |
| static struct trust_anchor * | anchor_store_new_key (struct val_anchors *anchors, uint8_t *name, uint16_t type, uint16_t dclass, uint8_t *rdata, size_t rdata_len) |
| This routine adds a new RR to a trust anchor. More... | |
| static struct trust_anchor * | anchor_store_new_rr (struct val_anchors *anchors, uint8_t *rr, size_t rl, size_t dl) |
| Add new RR. More... | |
| static struct trust_anchor * | anchor_insert_insecure (struct val_anchors *anchors, const char *str) |
| Insert insecure anchor. More... | |
| struct trust_anchor * | anchor_store_str (struct val_anchors *anchors, sldns_buffer *buffer, const char *str) |
| Store one string as trust anchor RR. More... | |
| static struct trust_anchor * | anchor_read_file (struct val_anchors *anchors, sldns_buffer *buffer, const char *fname, int onlyone) |
| Read a file with trust anchors. More... | |
| static void | skip_to_eol (FILE *in) |
| skip file to end of line | |
| static int | is_bind_special (int c) |
| true for special characters in bind configs | |
| static int | readkeyword_bindfile (FILE *in, sldns_buffer *buf, int *line, int comments) |
| Read a keyword skipping bind comments; spaces, specials, restkeywords. More... | |
| static int | skip_to_special (FILE *in, sldns_buffer *buf, int *line, int spec) |
| skip through file to { or ; | |
| static int | process_bind_contents (struct val_anchors *anchors, sldns_buffer *buf, int *line, FILE *in) |
| read contents of trusted-keys{ ... More... | |
| static int | anchor_read_bind_file (struct val_anchors *anchors, sldns_buffer *buffer, const char *fname) |
| Read a BIND9 like file with trust anchors in named.conf format. More... | |
| static int | anchor_read_bind_file_wild (struct val_anchors *anchors, sldns_buffer *buffer, const char *pat) |
| Read a BIND9 like files with trust anchors in named.conf format. More... | |
| static struct ub_packed_rrset_key * | assemble_it (struct trust_anchor *ta, size_t num, uint16_t type) |
| Assemble an rrset structure for the type. More... | |
| static int | anchors_assemble (struct trust_anchor *ta) |
| Assemble structures for the trust DS and DNSKEY rrsets. More... | |
| static size_t | anchors_ds_unsupported (struct trust_anchor *ta) |
| Check DS algos for support, warn if not. More... | |
| static size_t | anchors_dnskey_unsupported (struct trust_anchor *ta) |
| Check DNSKEY algos for support, warn if not. More... | |
| static int | anchors_assemble_rrsets (struct val_anchors *anchors) |
| Assemble the rrsets in the anchors, ready for use by validator. More... | |
| int | anchors_apply_cfg (struct val_anchors *anchors, struct config_file *cfg) |
| Process trust anchor config. More... | |
| struct trust_anchor * | anchors_lookup (struct val_anchors *anchors, uint8_t *qname, size_t qname_len, uint16_t qclass) |
| Given a qname/qclass combination, find the trust anchor closest above it. More... | |
| size_t | anchors_get_mem (struct val_anchors *anchors) |
| Get memory in use by the trust anchor storage. More... | |
| int | anchors_add_insecure (struct val_anchors *anchors, uint16_t c, uint8_t *nm) |
| Add insecure point trust anchor. More... | |
| void | anchors_delete_insecure (struct val_anchors *anchors, uint16_t c, uint8_t *nm) |
| Delete insecure point trust anchor. More... | |
| static int | keytag_compare (const void *x, const void *y) |
| compare two keytags, return -1, 0 or 1 | |
| size_t | anchor_list_keytags (struct trust_anchor *ta, uint16_t *list, size_t num) |
| Get a list of keytags for the trust anchor. More... | |
| int | anchor_has_keytag (struct val_anchors *anchors, uint8_t *name, int namelabs, size_t namelen, uint16_t dclass, uint16_t keytag) |
| Check if there is a trust anchor for given zone with this keytag. More... | |
| struct trust_anchor * | anchors_find_any_noninsecure (struct val_anchors *anchors) |
| Find an anchor that is not an insecure point, if any, or there are no DNSSEC verification anchors if none. More... | |
This file contains storage for the trust anchors for the validator.
| struct val_anchors* anchors_create | ( | void | ) |
Create trust anchor storage.
References anchor_cmp(), anchors_delete(), val_anchors::autr, autr_global_create(), val_anchors::lock, rbtree_create(), and val_anchors::tree.
Referenced by anchors_test(), and val_apply_cfg().
| void anchors_delete | ( | struct val_anchors * | anchors | ) |
Delete trust anchor storage.
| anchors | to delete. |
References anchors_delfunc(), val_anchors::autr, autr_global_delete(), val_anchors::lock, traverse_postorder(), and val_anchors::tree.
Referenced by anchors_create(), anchors_test(), and val_deinit().
| void anchors_init_parents_locked | ( | struct val_anchors * | anchors | ) |
Recalculate parent pointers.
The caller must hold the lock on the anchors structure (say after removing an item from the rbtree). Caller must not hold any locks on trust anchors. After the call is complete the parent pointers are updated and an item just removed is no longer referenced in parent pointers.
| anchors | the structure to update. |
References trust_anchor::dclass, dname_lab_cmp(), trust_anchor::name, trust_anchor::namelabs, trust_anchor::node, rbnode_type::parent, trust_anchor::parent, RBTREE_FOR, and val_anchors::tree.
Referenced by anchors_add_insecure(), anchors_delete_insecure(), and init_parents().
| struct trust_anchor* anchor_find | ( | struct val_anchors * | anchors, |
| uint8_t * | name, | ||
| int | namelabs, | ||
| size_t | namelen, | ||
| uint16_t | dclass | ||
| ) |
Find a trust anchor.
Exact matching.
| anchors | anchor storage. |
| name | name of trust anchor (wireformat) |
| namelabs | labels in name |
| namelen | length of name |
| dclass | class of trust anchor |
References trust_anchor::dclass, rbnode_type::key, val_anchors::lock, trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, trust_anchor::node, rbtree_search(), and val_anchors::tree.
Referenced by anchor_has_keytag(), do_list_forwards(), find_add_tp(), iter_indicates_dnssec(), and process_prime_response().
|
static |
This routine adds a new RR to a trust anchor.
The trust anchor may not exist yet, and is created if not. The RR can be DS or DNSKEY. This routine will also remove duplicates; storing them only once.
| anchors | anchor storage. |
| name | name of trust anchor (wireformat) |
| type | type or RR |
| dclass | class of RR |
| rdata | rdata wireformat, starting with rdlength. If NULL, nothing is stored, but an entry is created. |
| rdata_len | length of rdata including rdlength. |
References dname_count_size_labels(), LDNS_RR_TYPE_DS, trust_anchor::name, trust_anchor::namelabs, and trust_anchor::namelen.
Referenced by anchor_store_new_rr().
|
static |
Add new RR.
It converts ldns RR to wire format.
| anchors | anchor storage. |
| rr | the wirerr. |
| rl | length of rr. |
| dl | length of dname. |
References anchor_store_new_key(), log_nametypeclass(), sldns_wirerr_get_class(), sldns_wirerr_get_rdatalen(), sldns_wirerr_get_rdatawl(), sldns_wirerr_get_type(), and VERB_QUERY.
|
static |
Insert insecure anchor.
| anchors | anchor storage. |
| str | the domain name. |
Referenced by anchors_apply_cfg().
| struct trust_anchor* anchor_store_str | ( | struct val_anchors * | anchors, |
| struct sldns_buffer * | buffer, | ||
| const char * | str | ||
| ) |
Store one string as trust anchor RR.
| anchors | anchor storage. |
| buffer | parsing buffer, to generate the RR wireformat in. |
| str | string. |
Referenced by anchors_apply_cfg(), test_anchor_one(), and test_anchors().
|
static |
Read a file with trust anchors.
| anchors | anchor storage. |
| buffer | parsing buffer. |
| fname | string. |
| onlyone | only one trust anchor allowed in file. |
References sldns_file_parse_state::default_ttl, sldns_file_parse_state::lineno, log_err(), sldns_buffer_begin(), sldns_buffer_capacity(), and sldns_fp2wire_rr_buf().
Referenced by anchors_apply_cfg().
|
static |
Read a keyword skipping bind comments; spaces, specials, restkeywords.
The file is split into the following tokens:
/ * C style comment * /
| in | file to read from. |
| buf | buffer, what is read is stored after current buffer position. Space is left in the buffer to write a terminating 0. |
| line | line number is increased per line, for error reports. |
| comments | if 0, comments are not possible and become text. if 1, comments are skipped entirely. In BIND files, this is when reading quoted strings, for example " base 64 text with / / in there " |
References is_bind_special(), skip_to_eol(), sldns_buffer_position(), sldns_buffer_read_u8_at(), sldns_buffer_remaining(), and sldns_buffer_skip().
Referenced by anchor_read_bind_file(), and skip_to_special().
|
static |
read contents of trusted-keys{ ...
; clauses and insert keys into storage.
| anchors | where to store keys |
| buf | buffer to use |
| line | line number in file |
| in | file to read from. |
Referenced by anchor_read_bind_file().
|
static |
Read a BIND9 like file with trust anchors in named.conf format.
| anchors | anchor storage. |
| buffer | parsing buffer. |
| fname | string. |
References log_err(), process_bind_contents(), readkeyword_bindfile(), skip_to_special(), sldns_buffer_begin(), sldns_buffer_clear(), VERB_QUERY, and verbose().
Referenced by anchor_read_bind_file_wild().
|
static |
Read a BIND9 like files with trust anchors in named.conf format.
Performs wildcard processing of name.
| anchors | anchor storage. |
| buffer | parsing buffer. |
| pat | pattern string. (can be wildcarded) |
References anchor_read_bind_file(), log_err(), VERB_QUERY, and verbose().
Referenced by anchors_apply_cfg().
|
static |
Assemble an rrset structure for the type.
| ta | trust anchor. |
| num | number of items to fetch from list. |
| type | fetch only items of this type. |
References packed_rrset_data::count, lruhash_entry::data, ta_key::data, trust_anchor::dclass, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, trust_anchor::keylist, ta_key::len, memdup(), trust_anchor::name, trust_anchor::namelen, ta_key::next, ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, packed_rrset_key::rrset_class, rrset_trust_ultimate, packed_rrset_data::trust, packed_rrset_key::type, and ta_key::type.
Referenced by anchors_assemble().
|
static |
Assemble structures for the trust DS and DNSKEY rrsets.
| ta | trust anchor |
References assemble_it(), trust_anchor::dnskey_rrset, trust_anchor::ds_rrset, LDNS_RR_TYPE_DS, trust_anchor::numDNSKEY, and trust_anchor::numDS.
Referenced by anchors_assemble_rrsets().
|
static |
Check DS algos for support, warn if not.
| ta | trust anchor |
References ds_digest_algo_is_supported(), ds_key_algo_is_supported(), trust_anchor::ds_rrset, and trust_anchor::numDS.
Referenced by anchors_assemble_rrsets().
|
static |
Check DNSKEY algos for support, warn if not.
| ta | trust anchor |
References dnskey_algo_is_supported(), trust_anchor::dnskey_rrset, dnskey_size_is_supported(), and trust_anchor::numDNSKEY.
Referenced by anchors_assemble_rrsets().
|
static |
Assemble the rrsets in the anchors, ready for use by validator.
| anchors | trust anchor storage. |
References anchors_assemble(), anchors_dnskey_unsupported(), anchors_ds_unsupported(), trust_anchor::autr, trust_anchor::dclass, LDNS_RR_TYPE_DS, val_anchors::lock, trust_anchor::lock, log_err(), log_nametypeclass(), trust_anchor::name, NO_VERBOSE, trust_anchor::node, trust_anchor::numDNSKEY, trust_anchor::numDS, rbtree_first(), rbtree_next(), RBTREE_NULL, and val_anchors::tree.
Referenced by anchors_apply_cfg().
| int anchors_apply_cfg | ( | struct val_anchors * | anchors, |
| struct config_file * | cfg | ||
| ) |
Process trust anchor config.
| anchors | struct anchor storage |
| cfg | config options. |
References anchor_insert_insecure(), anchor_read_bind_file_wild(), anchor_read_file(), anchor_store_str(), anchors_assemble_rrsets(), as112_zones, config_file::auto_trust_anchor_file_list, autr_debug_print(), autr_read_file(), config_file::chrootdir, config_file::domain_insecure, init_parents(), config_file::insecure_lan_zones, log_err(), config_strlist::next, sldns_buffer_free(), sldns_buffer_new(), config_strlist::str, config_file::trust_anchor_file_list, config_file::trust_anchor_list, config_file::trusted_keys_file_list, VERB_ALGO, and verbosity.
Referenced by val_apply_cfg().
| struct trust_anchor* anchors_lookup | ( | struct val_anchors * | anchors, |
| uint8_t * | qname, | ||
| size_t | qname_len, | ||
| uint16_t | qclass | ||
| ) |
Given a qname/qclass combination, find the trust anchor closest above it.
Or return NULL if none exists.
| anchors | struct anchor storage |
| qname | query name, uncompressed wireformat. |
| qname_len | length of qname. |
| qclass | class to query for. |
References trust_anchor::dclass, dname_count_labels(), dname_lab_cmp(), rbnode_type::key, val_anchors::lock, trust_anchor::lock, trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, trust_anchor::node, trust_anchor::parent, rbtree_find_less_equal(), and val_anchors::tree.
Referenced by auth_zone_verify_zonemd(), check_no_anchor(), iter_qname_indicates_dnssec(), test_anchor_empty(), test_anchor_one(), and test_anchors().
| size_t anchors_get_mem | ( | struct val_anchors * | anchors | ) |
Get memory in use by the trust anchor storage.
| anchors | anchor storage. |
References trust_anchor::namelen, RBTREE_FOR, and val_anchors::tree.
| int anchors_add_insecure | ( | struct val_anchors * | anchors, |
| uint16_t | c, | ||
| uint8_t * | nm | ||
| ) |
Add insecure point trust anchor.
For external use (locks and init_parents)
| anchors | anchor storage. |
| c | class. |
| nm | name of insecure trust point. |
References anchor_new_ta(), anchors_init_parents_locked(), trust_anchor::dclass, dname_count_size_labels(), rbnode_type::key, val_anchors::lock, log_err(), trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, trust_anchor::node, rbtree_search(), and val_anchors::tree.
Referenced by do_insecure_add().
| void anchors_delete_insecure | ( | struct val_anchors * | anchors, |
| uint16_t | c, | ||
| uint8_t * | nm | ||
| ) |
Delete insecure point trust anchor.
Does not remove if no such point. For external use (locks and init_parents)
| anchors | anchor storage. |
| c | class. |
| nm | name of insecure trust point. |
References anchors_delfunc(), anchors_init_parents_locked(), trust_anchor::autr, trust_anchor::dclass, dname_count_size_labels(), rbnode_type::key, trust_anchor::keylist, val_anchors::lock, trust_anchor::lock, trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, trust_anchor::node, trust_anchor::numDNSKEY, trust_anchor::numDS, rbtree_delete(), rbtree_search(), and val_anchors::tree.
Referenced by do_insecure_remove().
| size_t anchor_list_keytags | ( | struct trust_anchor * | ta, |
| uint16_t * | list, | ||
| size_t | num | ||
| ) |
Get a list of keytags for the trust anchor.
Zero tags for insecure points.
| ta | trust anchor (locked by caller). |
| list | array of uint16_t. |
| num | length of array. |
References packed_rrset_data::count, lruhash_entry::data, dnskey_calc_keytag(), trust_anchor::dnskey_rrset, ds_get_keytag(), trust_anchor::ds_rrset, ub_packed_rrset_key::entry, keytag_compare(), trust_anchor::numDNSKEY, and trust_anchor::numDS.
Referenced by anchor_has_keytag().
| int anchor_has_keytag | ( | struct val_anchors * | anchors, |
| uint8_t * | name, | ||
| int | namelabs, | ||
| size_t | namelen, | ||
| uint16_t | dclass, | ||
| uint16_t | keytag | ||
| ) |
Check if there is a trust anchor for given zone with this keytag.
| anchors | anchor storage |
| name | name of trust anchor (wireformat) |
| namelabs | labels in name |
| namelen | length of name |
| dclass | class of trust anchor |
| keytag | keytag |
References anchor_find(), anchor_list_keytags(), trust_anchor::dclass, trust_anchor::lock, trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, trust_anchor::numDNSKEY, and trust_anchor::numDS.
| struct trust_anchor* anchors_find_any_noninsecure | ( | struct val_anchors * | anchors | ) |
Find an anchor that is not an insecure point, if any, or there are no DNSSEC verification anchors if none.
| anchors | anchor storage |
References val_anchors::lock, trust_anchor::lock, trust_anchor::node, trust_anchor::numDNSKEY, trust_anchor::numDS, rbtree_first(), rbtree_next(), RBTREE_NULL, and val_anchors::tree.
Referenced by val_init().