1 /* 2 * validator/val_anchor.h - validator trust anchor storage. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains storage for the trust anchors for the validator. 40 */ 41 42 #ifndef VALIDATOR_VAL_ANCHOR_H 43 #define VALIDATOR_VAL_ANCHOR_H 44 #include "util/rbtree.h" 45 #include "util/locks.h" 46 struct trust_anchor; 47 struct config_file; 48 struct ub_packed_rrset_key; 49 struct autr_point_data; 50 struct autr_global_data; 51 struct sldns_buffer; 52 53 /** 54 * Trust anchor store. 55 * The tree must be locked, while no other locks (from trustanchors) are held. 56 * And then an anchor searched for. Which can be locked or deleted. Then 57 * the tree can be unlocked again. This means you have to release the lock 58 * on a trust anchor and look it up again to delete it. 59 */ 60 struct val_anchors { 61 /** lock on trees. It is locked in order after stubs. */ 62 lock_basic_type lock; 63 /** 64 * Anchors are store in this tree. Sort order is chosen, so that 65 * dnames are in nsec-like order. A lookup on class, name will return 66 * an exact match of the closest match, with the ancestor needed. 67 * contents of type trust_anchor. 68 */ 69 rbtree_type* tree; 70 /** Autotrust global data, anchors sorted by next probe time */ 71 struct autr_global_data* autr; 72 }; 73 74 /** 75 * Trust anchor key 76 */ 77 struct ta_key { 78 /** next in list */ 79 struct ta_key* next; 80 /** rdata, in wireformat of the key RR. starts with rdlength. */ 81 uint8_t* data; 82 /** length of the rdata (including rdlength). */ 83 size_t len; 84 /** DNS type (host format) of the key, DS or DNSKEY */ 85 uint16_t type; 86 }; 87 88 /** 89 * A trust anchor in the trust anchor store. 90 * Unique by name, class. 91 */ 92 struct trust_anchor { 93 /** rbtree node, key is this structure */ 94 rbnode_type node; 95 /** lock on the entire anchor and its keys; for autotrust changes */ 96 lock_basic_type lock; 97 /** name of this trust anchor */ 98 uint8_t* name; 99 /** length of name */ 100 size_t namelen; 101 /** number of labels in name of rrset */ 102 int namelabs; 103 /** the ancestor in the trustanchor tree */ 104 struct trust_anchor* parent; 105 /** 106 * List of DS or DNSKEY rrs that form the trust anchor. 107 */ 108 struct ta_key* keylist; 109 /** Autotrust anchor point data, or NULL */ 110 struct autr_point_data* autr; 111 /** number of DSs in the keylist */ 112 size_t numDS; 113 /** number of DNSKEYs in the keylist */ 114 size_t numDNSKEY; 115 /** the DS RRset */ 116 struct ub_packed_rrset_key* ds_rrset; 117 /** The DNSKEY RRset */ 118 struct ub_packed_rrset_key* dnskey_rrset; 119 /** class of the trust anchor */ 120 uint16_t dclass; 121 }; 122 123 /** 124 * Create trust anchor storage 125 * @return new storage or NULL on error. 126 */ 127 struct val_anchors* anchors_create(void); 128 129 /** 130 * Delete trust anchor storage. 131 * @param anchors: to delete. 132 */ 133 void anchors_delete(struct val_anchors* anchors); 134 135 /** 136 * Process trust anchor config. 137 * @param anchors: struct anchor storage 138 * @param cfg: config options. 139 * @return 0 on error. 140 */ 141 int anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg); 142 143 /** 144 * Recalculate parent pointers. The caller must hold the lock on the 145 * anchors structure (say after removing an item from the rbtree). 146 * Caller must not hold any locks on trust anchors. 147 * After the call is complete the parent pointers are updated and an item 148 * just removed is no longer referenced in parent pointers. 149 * @param anchors: the structure to update. 150 */ 151 void anchors_init_parents_locked(struct val_anchors* anchors); 152 153 /** 154 * Given a qname/qclass combination, find the trust anchor closest above it. 155 * Or return NULL if none exists. 156 * 157 * @param anchors: struct anchor storage 158 * @param qname: query name, uncompressed wireformat. 159 * @param qname_len: length of qname. 160 * @param qclass: class to query for. 161 * @return the trust anchor or NULL if none is found. The anchor is locked. 162 */ 163 struct trust_anchor* anchors_lookup(struct val_anchors* anchors, 164 uint8_t* qname, size_t qname_len, uint16_t qclass); 165 166 /** 167 * Find a trust anchor. Exact matching. 168 * @param anchors: anchor storage. 169 * @param name: name of trust anchor (wireformat) 170 * @param namelabs: labels in name 171 * @param namelen: length of name 172 * @param dclass: class of trust anchor 173 * @return NULL if not found. The anchor is locked. 174 */ 175 struct trust_anchor* anchor_find(struct val_anchors* anchors, 176 uint8_t* name, int namelabs, size_t namelen, uint16_t dclass); 177 178 /** 179 * Store one string as trust anchor RR. 180 * @param anchors: anchor storage. 181 * @param buffer: parsing buffer, to generate the RR wireformat in. 182 * @param str: string. 183 * @return NULL on error. 184 */ 185 struct trust_anchor* anchor_store_str(struct val_anchors* anchors, 186 struct sldns_buffer* buffer, const char* str); 187 188 /** 189 * Get memory in use by the trust anchor storage 190 * @param anchors: anchor storage. 191 * @return memory in use in bytes. 192 */ 193 size_t anchors_get_mem(struct val_anchors* anchors); 194 195 /** compare two trust anchors */ 196 int anchor_cmp(const void* k1, const void* k2); 197 198 /** 199 * Add insecure point trust anchor. For external use (locks and init_parents) 200 * @param anchors: anchor storage. 201 * @param c: class. 202 * @param nm: name of insecure trust point. 203 * @return false on alloc failure. 204 */ 205 int anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm); 206 207 /** 208 * Delete insecure point trust anchor. Does not remove if no such point. 209 * For external use (locks and init_parents) 210 * @param anchors: anchor storage. 211 * @param c: class. 212 * @param nm: name of insecure trust point. 213 */ 214 void anchors_delete_insecure(struct val_anchors* anchors, uint16_t c, 215 uint8_t* nm); 216 217 /** 218 * Get a list of keytags for the trust anchor. Zero tags for insecure points. 219 * @param ta: trust anchor (locked by caller). 220 * @param list: array of uint16_t. 221 * @param num: length of array. 222 * @return number of keytags filled into array. If total number of keytags is 223 * bigger than the array, it is truncated at num. On errors, less keytags 224 * are filled in. The array is sorted. 225 */ 226 size_t anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num); 227 228 /** 229 * Check if there is a trust anchor for given zone with this keytag. 230 * 231 * @param anchors: anchor storage 232 * @param name: name of trust anchor (wireformat) 233 * @param namelabs: labels in name 234 * @param namelen: length of name 235 * @param dclass: class of trust anchor 236 * @param keytag: keytag 237 * @return 1 if there is a trust anchor in the trustachor store for this zone 238 * and keytag, else 0. 239 */ 240 int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs, 241 size_t namelen, uint16_t dclass, uint16_t keytag); 242 243 /** 244 * Find an anchor that is not an insecure point, if any, or there are no 245 * DNSSEC verification anchors if none. 246 * @param anchors: anchor storage 247 * @return trust anchor or NULL. It is locked. 248 */ 249 struct trust_anchor* anchors_find_any_noninsecure(struct val_anchors* anchors); 250 251 /** 252 * Swap internal tree with preallocated entries. 253 * @param anchors: anchor storage. 254 * @param data: the data structure used to take elements from. This contains 255 * the old elements on return. 256 */ 257 void anchors_swap_tree(struct val_anchors* anchors, struct val_anchors* data); 258 259 #endif /* VALIDATOR_VAL_ANCHOR_H */ 260
Indexes created Tue Jun 23 00:25:03 UTC 2026