diff options
author | Riccardo Spagni <ric@spagni.net> | 2018-03-18 18:50:21 +0200 |
---|---|---|
committer | Riccardo Spagni <ric@spagni.net> | 2018-03-18 18:50:21 +0200 |
commit | 1f6e6001ed37b48788ef071f3297b7e9d67586a5 (patch) | |
tree | 7ff391303a4b5643294bc4f91d1c493791f98879 /external/unbound/validator/val_anchor.c | |
parent | Merge pull request #3426 (diff) | |
parent | Unbound: add git submodule for unbound (diff) | |
download | monero-1f6e6001ed37b48788ef071f3297b7e9d67586a5.tar.xz |
Merge pull request #2133
efe70a15 Unbound: add git submodule for unbound (anonimal)
84c5a9ba Unbound: remove unbound from in-tree source (anonimal)
Diffstat (limited to 'external/unbound/validator/val_anchor.c')
m--------- | external/unbound | 0 | ||||
-rw-r--r-- | external/unbound/validator/val_anchor.c | 1311 |
2 files changed, 0 insertions, 1311 deletions
diff --git a/external/unbound b/external/unbound new file mode 160000 +Subproject 193bdc4ee3fe2b0d17e547e86512528c2614483 diff --git a/external/unbound/validator/val_anchor.c b/external/unbound/validator/val_anchor.c deleted file mode 100644 index 6c6322447..000000000 --- a/external/unbound/validator/val_anchor.c +++ /dev/null @@ -1,1311 +0,0 @@ -/* - * validator/val_anchor.c - validator trust anchor storage. - * - * Copyright (c) 2007, NLnet Labs. All rights reserved. - * - * This software is open source. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of the NLNET LABS nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * This file contains storage for the trust anchors for the validator. - */ -#include "config.h" -#include <ctype.h> -#include "validator/val_anchor.h" -#include "validator/val_sigcrypt.h" -#include "validator/autotrust.h" -#include "util/data/packed_rrset.h" -#include "util/data/dname.h" -#include "util/log.h" -#include "util/net_help.h" -#include "util/config_file.h" -#include "util/as112.h" -#include "sldns/sbuffer.h" -#include "sldns/rrdef.h" -#include "sldns/str2wire.h" -#ifdef HAVE_GLOB_H -#include <glob.h> -#endif - -int -anchor_cmp(const void* k1, const void* k2) -{ - int m; - struct trust_anchor* n1 = (struct trust_anchor*)k1; - struct trust_anchor* n2 = (struct trust_anchor*)k2; - /* no need to ntohs(class) because sort order is irrelevant */ - if(n1->dclass != n2->dclass) { - if(n1->dclass < n2->dclass) - return -1; - return 1; - } - return dname_lab_cmp(n1->name, n1->namelabs, n2->name, n2->namelabs, - &m); -} - -struct val_anchors* -anchors_create(void) -{ - struct val_anchors* a = (struct val_anchors*)calloc(1, sizeof(*a)); - if(!a) - return NULL; - a->tree = rbtree_create(anchor_cmp); - if(!a->tree) { - anchors_delete(a); - return NULL; - } - a->autr = autr_global_create(); - if(!a->autr) { - anchors_delete(a); - return NULL; - } - lock_basic_init(&a->lock); - lock_protect(&a->lock, a, sizeof(*a)); - lock_protect(&a->lock, a->autr, sizeof(*a->autr)); - return a; -} - -/** delete assembled rrset */ -static void -assembled_rrset_delete(struct ub_packed_rrset_key* pkey) -{ - if(!pkey) return; - if(pkey->entry.data) { - struct packed_rrset_data* pd = (struct packed_rrset_data*) - pkey->entry.data; - free(pd->rr_data); - free(pd->rr_ttl); - free(pd->rr_len); - free(pd); - } - free(pkey->rk.dname); - free(pkey); -} - -/** destroy locks in tree and delete autotrust anchors */ -static void -anchors_delfunc(rbnode_type* elem, void* ATTR_UNUSED(arg)) -{ - struct trust_anchor* ta = (struct trust_anchor*)elem; - if(!ta) return; - if(ta->autr) { - autr_point_delete(ta); - } else { - struct ta_key* p, *np; - lock_basic_destroy(&ta->lock); - free(ta->name); - p = ta->keylist; - while(p) { - np = p->next; - free(p->data); - free(p); - p = np; - } - assembled_rrset_delete(ta->ds_rrset); - assembled_rrset_delete(ta->dnskey_rrset); - free(ta); - } -} - -void -anchors_delete(struct val_anchors* anchors) -{ - if(!anchors) - return; - lock_unprotect(&anchors->lock, anchors->autr); - lock_unprotect(&anchors->lock, anchors); - lock_basic_destroy(&anchors->lock); - if(anchors->tree) - traverse_postorder(anchors->tree, anchors_delfunc, NULL); - free(anchors->tree); - autr_global_delete(anchors->autr); - free(anchors); -} - -void -anchors_init_parents_locked(struct val_anchors* anchors) -{ - struct trust_anchor* node, *prev = NULL, *p; - int m; - /* nobody else can grab locks because we hold the main lock. - * Thus the previous items, after unlocked, are not deleted */ - RBTREE_FOR(node, struct trust_anchor*, anchors->tree) { - lock_basic_lock(&node->lock); - node->parent = NULL; - if(!prev || prev->dclass != node->dclass) { - prev = node; - lock_basic_unlock(&node->lock); - continue; - } - (void)dname_lab_cmp(prev->name, prev->namelabs, node->name, - node->namelabs, &m); /* we know prev is smaller */ - /* sort order like: . com. bla.com. zwb.com. net. */ - /* find the previous, or parent-parent-parent */ - for(p = prev; p; p = p->parent) - /* looking for name with few labels, a parent */ - if(p->namelabs <= m) { - /* ==: since prev matched m, this is closest*/ - /* <: prev matches more, but is not a parent, - * this one is a (grand)parent */ - node->parent = p; - break; - } - lock_basic_unlock(&node->lock); - prev = node; - } -} - -/** initialise parent pointers in the tree */ -static void -init_parents(struct val_anchors* anchors) -{ - lock_basic_lock(&anchors->lock); - anchors_init_parents_locked(anchors); - lock_basic_unlock(&anchors->lock); -} - -struct trust_anchor* -anchor_find(struct val_anchors* anchors, uint8_t* name, int namelabs, - size_t namelen, uint16_t dclass) -{ - struct trust_anchor key; - rbnode_type* n; - if(!name) return NULL; - key.node.key = &key; - key.name = name; - key.namelabs = namelabs; - key.namelen = namelen; - key.dclass = dclass; - lock_basic_lock(&anchors->lock); - n = rbtree_search(anchors->tree, &key); - if(n) { - lock_basic_lock(&((struct trust_anchor*)n->key)->lock); - } - lock_basic_unlock(&anchors->lock); - if(!n) - return NULL; - return (struct trust_anchor*)n->key; -} - -/** create new trust anchor object */ -static struct trust_anchor* -anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs, - size_t namelen, uint16_t dclass, int lockit) -{ -#ifdef UNBOUND_DEBUG - rbnode_type* r; -#endif - struct trust_anchor* ta = (struct trust_anchor*)malloc( - sizeof(struct trust_anchor)); - if(!ta) - return NULL; - memset(ta, 0, sizeof(*ta)); - ta->node.key = ta; - ta->name = memdup(name, namelen); - if(!ta->name) { - free(ta); - return NULL; - } - ta->namelabs = namelabs; - ta->namelen = namelen; - ta->dclass = dclass; - lock_basic_init(&ta->lock); - if(lockit) { - lock_basic_lock(&anchors->lock); - } -#ifdef UNBOUND_DEBUG - r = -#else - (void) -#endif - rbtree_insert(anchors->tree, &ta->node); - if(lockit) { - lock_basic_unlock(&anchors->lock); - } - log_assert(r != NULL); - return ta; -} - -/** find trustanchor key by exact data match */ -static struct ta_key* -anchor_find_key(struct trust_anchor* ta, uint8_t* rdata, size_t rdata_len, - uint16_t type) -{ - struct ta_key* k; - for(k = ta->keylist; k; k = k->next) { - if(k->type == type && k->len == rdata_len && - memcmp(k->data, rdata, rdata_len) == 0) - return k; - } - return NULL; -} - -/** create new trustanchor key */ -static struct ta_key* -anchor_new_ta_key(uint8_t* rdata, size_t rdata_len, uint16_t type) -{ - struct ta_key* k = (struct ta_key*)malloc(sizeof(*k)); - if(!k) - return NULL; - memset(k, 0, sizeof(*k)); - k->data = memdup(rdata, rdata_len); - if(!k->data) { - free(k); - return NULL; - } - k->len = rdata_len; - k->type = type; - return k; -} - -/** - * This routine adds a new RR to a trust anchor. The trust anchor may not - * exist yet, and is created if not. The RR can be DS or DNSKEY. - * This routine will also remove duplicates; storing them only once. - * @param anchors: anchor storage. - * @param name: name of trust anchor (wireformat) - * @param type: type or RR - * @param dclass: class of RR - * @param rdata: rdata wireformat, starting with rdlength. - * If NULL, nothing is stored, but an entry is created. - * @param rdata_len: length of rdata including rdlength. - * @return: NULL on error, else the trust anchor. - */ -static struct trust_anchor* -anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type, - uint16_t dclass, uint8_t* rdata, size_t rdata_len) -{ - struct ta_key* k; - struct trust_anchor* ta; - int namelabs; - size_t namelen; - namelabs = dname_count_size_labels(name, &namelen); - if(type != LDNS_RR_TYPE_DS && type != LDNS_RR_TYPE_DNSKEY) { - log_err("Bad type for trust anchor"); - return 0; - } - /* lookup or create trustanchor */ - ta = anchor_find(anchors, name, namelabs, namelen, dclass); - if(!ta) { - ta = anchor_new_ta(anchors, name, namelabs, namelen, dclass, 1); - if(!ta) - return NULL; - lock_basic_lock(&ta->lock); - } - if(!rdata) { - lock_basic_unlock(&ta->lock); - return ta; - } - /* look for duplicates */ - if(anchor_find_key(ta, rdata, rdata_len, type)) { - lock_basic_unlock(&ta->lock); - return ta; - } - k = anchor_new_ta_key(rdata, rdata_len, type); - if(!k) { - lock_basic_unlock(&ta->lock); - return NULL; - } - /* add new key */ - if(type == LDNS_RR_TYPE_DS) - ta->numDS++; - else ta->numDNSKEY++; - k->next = ta->keylist; - ta->keylist = k; - lock_basic_unlock(&ta->lock); - return ta; -} - -/** - * Add new RR. It converts ldns RR to wire format. - * @param anchors: anchor storage. - * @param rr: the wirerr. - * @param rl: length of rr. - * @param dl: length of dname. - * @return NULL on error, else the trust anchor. - */ -static struct trust_anchor* -anchor_store_new_rr(struct val_anchors* anchors, uint8_t* rr, size_t rl, - size_t dl) -{ - struct trust_anchor* ta; - if(!(ta=anchor_store_new_key(anchors, rr, - sldns_wirerr_get_type(rr, rl, dl), - sldns_wirerr_get_class(rr, rl, dl), - sldns_wirerr_get_rdatawl(rr, rl, dl), - sldns_wirerr_get_rdatalen(rr, rl, dl)+2))) { - return NULL; - } - log_nametypeclass(VERB_QUERY, "adding trusted key", - rr, sldns_wirerr_get_type(rr, rl, dl), - sldns_wirerr_get_class(rr, rl, dl)); - return ta; -} - -/** - * Insert insecure anchor - * @param anchors: anchor storage. - * @param str: the domain name. - * @return NULL on error, Else last trust anchor point - */ -static struct trust_anchor* -anchor_insert_insecure(struct val_anchors* anchors, const char* str) -{ - struct trust_anchor* ta; - size_t dname_len = 0; - uint8_t* nm = sldns_str2wire_dname(str, &dname_len); - if(!nm) { - log_err("parse error in domain name '%s'", str); - return NULL; - } - ta = anchor_store_new_key(anchors, nm, LDNS_RR_TYPE_DS, - LDNS_RR_CLASS_IN, NULL, 0); - free(nm); - return ta; -} - -struct trust_anchor* -anchor_store_str(struct val_anchors* anchors, sldns_buffer* buffer, - const char* str) -{ - struct trust_anchor* ta; - uint8_t* rr = sldns_buffer_begin(buffer); - size_t len = sldns_buffer_capacity(buffer), dname_len = 0; - int status = sldns_str2wire_rr_buf(str, rr, &len, &dname_len, - 0, NULL, 0, NULL, 0); - if(status != 0) { - log_err("error parsing trust anchor %s: at %d: %s", - str, LDNS_WIREPARSE_OFFSET(status), - sldns_get_errorstr_parse(status)); - return NULL; - } - if(!(ta=anchor_store_new_rr(anchors, rr, len, dname_len))) { - log_err("out of memory"); - return NULL; - } - return ta; -} - -/** - * Read a file with trust anchors - * @param anchors: anchor storage. - * @param buffer: parsing buffer. - * @param fname: string. - * @param onlyone: only one trust anchor allowed in file. - * @return NULL on error. Else last trust-anchor point. - */ -static struct trust_anchor* -anchor_read_file(struct val_anchors* anchors, sldns_buffer* buffer, - const char* fname, int onlyone) -{ - struct trust_anchor* ta = NULL, *tanew; - struct sldns_file_parse_state pst; - int status; - size_t len, dname_len; - uint8_t* rr = sldns_buffer_begin(buffer); - int ok = 1; - FILE* in = fopen(fname, "r"); - if(!in) { - log_err("error opening file %s: %s", fname, strerror(errno)); - return 0; - } - memset(&pst, 0, sizeof(pst)); - pst.default_ttl = 3600; - pst.lineno = 1; - while(!feof(in)) { - len = sldns_buffer_capacity(buffer); - dname_len = 0; - status = sldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst); - if(len == 0) /* empty, $TTL, $ORIGIN */ - continue; - if(status != 0) { - log_err("parse error in %s:%d:%d : %s", fname, - pst.lineno, LDNS_WIREPARSE_OFFSET(status), - sldns_get_errorstr_parse(status)); - ok = 0; - break; - } - if(sldns_wirerr_get_type(rr, len, dname_len) != - LDNS_RR_TYPE_DS && sldns_wirerr_get_type(rr, len, - dname_len) != LDNS_RR_TYPE_DNSKEY) { - continue; - } - if(!(tanew=anchor_store_new_rr(anchors, rr, len, dname_len))) { - log_err("mem error at %s line %d", fname, pst.lineno); - ok = 0; - break; - } - if(onlyone && ta && ta != tanew) { - log_err("error at %s line %d: no multiple anchor " - "domains allowed (you can have multiple " - "keys, but they must have the same name).", - fname, pst.lineno); - ok = 0; - break; - } - ta = tanew; - } - fclose(in); - if(!ok) return NULL; - /* empty file is OK when multiple anchors are allowed */ - if(!onlyone && !ta) return (struct trust_anchor*)1; - return ta; -} - -/** skip file to end of line */ -static void -skip_to_eol(FILE* in) -{ - int c; - while((c = getc(in)) != EOF ) { - if(c == '\n') - return; - } -} - -/** true for special characters in bind configs */ -static int -is_bind_special(int c) -{ - switch(c) { - case '{': - case '}': - case '"': - case ';': - return 1; - } - return 0; -} - -/** - * Read a keyword skipping bind comments; spaces, specials, restkeywords. - * The file is split into the following tokens: - * * special characters, on their own, rdlen=1, { } doublequote ; - * * whitespace becomes a single ' ' or tab. Newlines become spaces. - * * other words ('keywords') - * * comments are skipped if desired - * / / C++ style comment to end of line - * # to end of line - * / * C style comment * / - * @param in: file to read from. - * @param buf: buffer, what is read is stored after current buffer position. - * Space is left in the buffer to write a terminating 0. - * @param line: line number is increased per line, for error reports. - * @param comments: if 0, comments are not possible and become text. - * if 1, comments are skipped entirely. - * In BIND files, this is when reading quoted strings, for example - * " base 64 text with / / in there " - * @return the number of character written to the buffer. - * 0 on end of file. - */ -static int -readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments) -{ - int c; - int numdone = 0; - while((c = getc(in)) != EOF ) { - if(comments && c == '#') { /* # blabla */ - skip_to_eol(in); - (*line)++; - continue; - } else if(comments && c=='/' && numdone>0 && /* /_/ bla*/ - sldns_buffer_read_u8_at(buf, - sldns_buffer_position(buf)-1) == '/') { - sldns_buffer_skip(buf, -1); - numdone--; - skip_to_eol(in); - (*line)++; - continue; - } else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */ - sldns_buffer_read_u8_at(buf, - sldns_buffer_position(buf)-1) == '/') { - sldns_buffer_skip(buf, -1); - numdone--; - /* skip to end of comment */ - while(c != EOF && (c=getc(in)) != EOF ) { - if(c == '*') { - if((c=getc(in)) == '/') - break; - } - if(c == '\n') - (*line)++; - } - continue; - } - /* not a comment, complete the keyword */ - if(numdone > 0) { - /* check same type */ - if(isspace((unsigned char)c)) { - ungetc(c, in); - return numdone; - } - if(is_bind_special(c)) { - ungetc(c, in); - return numdone; - } - } - if(c == '\n') { - c = ' '; - (*line)++; - } - /* space for 1 char + 0 string terminator */ - if(sldns_buffer_remaining(buf) < 2) { - fatal_exit("trusted-keys, %d, string too long", *line); - } - sldns_buffer_write_u8(buf, (uint8_t)c); - numdone++; - if(isspace((unsigned char)c)) { - /* collate whitespace into ' ' */ - while((c = getc(in)) != EOF ) { - if(c == '\n') - (*line)++; - if(!isspace((unsigned char)c)) { - ungetc(c, in); - break; - } - } - return numdone; - } - if(is_bind_special(c)) - return numdone; - } - return numdone; -} - -/** skip through file to { or ; */ -static int -skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec) -{ - int rdlen; - sldns_buffer_clear(buf); - while((rdlen=readkeyword_bindfile(in, buf, line, 1))) { - if(rdlen == 1 && isspace((unsigned char)*sldns_buffer_begin(buf))) { - sldns_buffer_clear(buf); - continue; - } - if(rdlen != 1 || *sldns_buffer_begin(buf) != (uint8_t)spec) { - sldns_buffer_write_u8(buf, 0); - log_err("trusted-keys, line %d, expected %c", - *line, spec); - return 0; - } - return 1; - } - log_err("trusted-keys, line %d, expected %c got EOF", *line, spec); - return 0; -} - -/** - * read contents of trusted-keys{ ... ; clauses and insert keys into storage. - * @param anchors: where to store keys - * @param buf: buffer to use - * @param line: line number in file - * @param in: file to read from. - * @return 0 on error. - */ -static int -process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf, - int* line, FILE* in) -{ - /* loop over contents, collate strings before ; */ - /* contents is (numbered): 0 1 2 3 4 5 6 7 8 */ - /* name. 257 3 5 base64 base64 */ - /* quoted value: 0 "111" 0 0 0 0 0 0 0 */ - /* comments value: 1 "000" 1 1 1 "0 0 0 0" 1 */ - int contnum = 0; - int quoted = 0; - int comments = 1; - int rdlen; - char* str = 0; - sldns_buffer_clear(buf); - while((rdlen=readkeyword_bindfile(in, buf, line, comments))) { - if(rdlen == 1 && sldns_buffer_position(buf) == 1 - && isspace((unsigned char)*sldns_buffer_begin(buf))) { - /* starting whitespace is removed */ - sldns_buffer_clear(buf); - continue; - } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '"') { - /* remove " from the string */ - if(contnum == 0) { - quoted = 1; - comments = 0; - } - sldns_buffer_skip(buf, -1); - if(contnum > 0 && quoted) { - if(sldns_buffer_remaining(buf) < 8+1) { - log_err("line %d, too long", *line); - return 0; - } - sldns_buffer_write(buf, " DNSKEY ", 8); - quoted = 0; - comments = 1; - } else if(contnum > 0) - comments = !comments; - continue; - } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == ';') { - - if(contnum < 5) { - sldns_buffer_write_u8(buf, 0); - log_err("line %d, bad key", *line); - return 0; - } - sldns_buffer_skip(buf, -1); - sldns_buffer_write_u8(buf, 0); - str = strdup((char*)sldns_buffer_begin(buf)); - if(!str) { - log_err("line %d, allocation failure", *line); - return 0; - } - if(!anchor_store_str(anchors, buf, str)) { - log_err("line %d, bad key", *line); - free(str); - return 0; - } - free(str); - sldns_buffer_clear(buf); - contnum = 0; - quoted = 0; - comments = 1; - continue; - } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '}') { - if(contnum > 0) { - sldns_buffer_write_u8(buf, 0); - log_err("line %d, bad key before }", *line); - return 0; - } - return 1; - } else if(rdlen == 1 && - isspace((unsigned char)sldns_buffer_current(buf)[-1])) { - /* leave whitespace here */ - } else { - /* not space or whatnot, so actual content */ - contnum ++; - if(contnum == 1 && !quoted) { - if(sldns_buffer_remaining(buf) < 8+1) { - log_err("line %d, too long", *line); - return 0; - } - sldns_buffer_write(buf, " DNSKEY ", 8); - } - } - } - - log_err("line %d, EOF before }", *line); - return 0; -} - -/** - * Read a BIND9 like file with trust anchors in named.conf format. - * @param anchors: anchor storage. - * @param buffer: parsing buffer. - * @param fname: string. - * @return false on error. - */ -static int -anchor_read_bind_file(struct val_anchors* anchors, sldns_buffer* buffer, - const char* fname) -{ - int line_nr = 1; - FILE* in = fopen(fname, "r"); - int rdlen = 0; - if(!in) { - log_err("error opening file %s: %s", fname, strerror(errno)); - return 0; - } - verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname); - /* scan for trusted-keys keyword, ignore everything else */ - sldns_buffer_clear(buffer); - while((rdlen=readkeyword_bindfile(in, buffer, &line_nr, 1)) != 0) { - if(rdlen != 12 || strncmp((char*)sldns_buffer_begin(buffer), - "trusted-keys", 12) != 0) { - sldns_buffer_clear(buffer); - /* ignore everything but trusted-keys */ - continue; - } - if(!skip_to_special(in, buffer, &line_nr, '{')) { - log_err("error in trusted key: \"%s\"", fname); - fclose(in); - return 0; - } - /* process contents */ - if(!process_bind_contents(anchors, buffer, &line_nr, in)) { - log_err("error in trusted key: \"%s\"", fname); - fclose(in); - return 0; - } - if(!skip_to_special(in, buffer, &line_nr, ';')) { - log_err("error in trusted key: \"%s\"", fname); - fclose(in); - return 0; - } - sldns_buffer_clear(buffer); - } - fclose(in); - return 1; -} - -/** - * Read a BIND9 like files with trust anchors in named.conf format. - * Performs wildcard processing of name. - * @param anchors: anchor storage. - * @param buffer: parsing buffer. - * @param pat: pattern string. (can be wildcarded) - * @return false on error. - */ -static int -anchor_read_bind_file_wild(struct val_anchors* anchors, sldns_buffer* buffer, - const char* pat) -{ -#ifdef HAVE_GLOB - glob_t g; - size_t i; - int r, flags; - if(!strchr(pat, '*') && !strchr(pat, '?') && !strchr(pat, '[') && - !strchr(pat, '{') && !strchr(pat, '~')) { - return anchor_read_bind_file(anchors, buffer, pat); - } - verbose(VERB_QUERY, "wildcard found, processing %s", pat); - flags = 0 -#ifdef GLOB_ERR - | GLOB_ERR -#endif -#ifdef GLOB_NOSORT - | GLOB_NOSORT -#endif -#ifdef GLOB_BRACE - | GLOB_BRACE -#endif -#ifdef GLOB_TILDE - | GLOB_TILDE -#endif - ; - memset(&g, 0, sizeof(g)); - r = glob(pat, flags, NULL, &g); - if(r) { - /* some error */ - if(r == GLOB_NOMATCH) { - verbose(VERB_QUERY, "trusted-keys-file: " - "no matches for %s", pat); - return 1; - } else if(r == GLOB_NOSPACE) { - log_err("wildcard trusted-keys-file %s: " - "pattern out of memory", pat); - } else if(r == GLOB_ABORTED) { - log_err("wildcard trusted-keys-file %s: expansion " - "aborted (%s)", pat, strerror(errno)); - } else { - log_err("wildcard trusted-keys-file %s: expansion " - "failed (%s)", pat, strerror(errno)); - } - /* ignore globs that yield no files */ - return 1; - } - /* process files found, if any */ - for(i=0; i<(size_t)g.gl_pathc; i++) { - if(!anchor_read_bind_file(anchors, buffer, g.gl_pathv[i])) { - log_err("error reading wildcard " - "trusted-keys-file: %s", g.gl_pathv[i]); - globfree(&g); - return 0; - } - } - globfree(&g); - return 1; -#else /* not HAVE_GLOB */ - return anchor_read_bind_file(anchors, buffer, pat); -#endif /* HAVE_GLOB */ -} - -/** - * Assemble an rrset structure for the type - * @param ta: trust anchor. - * @param num: number of items to fetch from list. - * @param type: fetch only items of this type. - * @return rrset or NULL on error. - */ -static struct ub_packed_rrset_key* -assemble_it(struct trust_anchor* ta, size_t num, uint16_t type) -{ - struct ub_packed_rrset_key* pkey = (struct ub_packed_rrset_key*) - malloc(sizeof(*pkey)); - struct packed_rrset_data* pd; - struct ta_key* tk; - size_t i; - if(!pkey) - return NULL; - memset(pkey, 0, sizeof(*pkey)); - pkey->rk.dname = memdup(ta->name, ta->namelen); - if(!pkey->rk.dname) { - free(pkey); - return NULL; - } - - pkey->rk.dname_len = ta->namelen; - pkey->rk.type = htons(type); - pkey->rk.rrset_class = htons(ta->dclass); - /* The rrset is build in an uncompressed way. This means it - * cannot be copied in the normal way. */ - pd = (struct packed_rrset_data*)malloc(sizeof(*pd)); - if(!pd) { - free(pkey->rk.dname); - free(pkey); - return NULL; - } - memset(pd, 0, sizeof(*pd)); - pd->count = num; - pd->trust = rrset_trust_ultimate; - pd->rr_len = (size_t*)reallocarray(NULL, num, sizeof(size_t)); - if(!pd->rr_len) { - free(pd); - free(pkey->rk.dname); - free(pkey); - return NULL; - } - pd->rr_ttl = (time_t*)reallocarray(NULL, num, sizeof(time_t)); - if(!pd->rr_ttl) { - free(pd->rr_len); - free(pd); - free(pkey->rk.dname); - free(pkey); - return NULL; - } - pd->rr_data = (uint8_t**)reallocarray(NULL, num, sizeof(uint8_t*)); - if(!pd->rr_data) { - free(pd->rr_ttl); - free(pd->rr_len); - free(pd); - free(pkey->rk.dname); - free(pkey); - return NULL; - } - /* fill in rrs */ - i=0; - for(tk = ta->keylist; tk; tk = tk->next) { - if(tk->type != type) - continue; - pd->rr_len[i] = tk->len; - /* reuse data ptr to allocation in talist */ - pd->rr_data[i] = tk->data; - pd->rr_ttl[i] = 0; - i++; - } - pkey->entry.data = (void*)pd; - return pkey; -} - -/** - * Assemble structures for the trust DS and DNSKEY rrsets. - * @param ta: trust anchor - * @return: false on error. - */ -static int -anchors_assemble(struct trust_anchor* ta) -{ - if(ta->numDS > 0) { - ta->ds_rrset = assemble_it(ta, ta->numDS, LDNS_RR_TYPE_DS); - if(!ta->ds_rrset) - return 0; - } - if(ta->numDNSKEY > 0) { - ta->dnskey_rrset = assemble_it(ta, ta->numDNSKEY, - LDNS_RR_TYPE_DNSKEY); - if(!ta->dnskey_rrset) - return 0; - } - return 1; -} - -/** - * Check DS algos for support, warn if not. - * @param ta: trust anchor - * @return number of DS anchors with unsupported algorithms. - */ -static size_t -anchors_ds_unsupported(struct trust_anchor* ta) -{ - size_t i, num = 0; - for(i=0; i<ta->numDS; i++) { - if(!ds_digest_algo_is_supported(ta->ds_rrset, i) || - !ds_key_algo_is_supported(ta->ds_rrset, i)) - num++; - } - return num; -} - -/** - * Check DNSKEY algos for support, warn if not. - * @param ta: trust anchor - * @return number of DNSKEY anchors with unsupported algorithms. - */ -static size_t -anchors_dnskey_unsupported(struct trust_anchor* ta) -{ - size_t i, num = 0; - for(i=0; i<ta->numDNSKEY; i++) { - if(!dnskey_algo_is_supported(ta->dnskey_rrset, i)) - num++; - } - return num; -} - -/** - * Assemble the rrsets in the anchors, ready for use by validator. - * @param anchors: trust anchor storage. - * @return: false on error. - */ -static int -anchors_assemble_rrsets(struct val_anchors* anchors) -{ - struct trust_anchor* ta; - struct trust_anchor* next; - size_t nods, nokey; - lock_basic_lock(&anchors->lock); - ta=(struct trust_anchor*)rbtree_first(anchors->tree); - while((rbnode_type*)ta != RBTREE_NULL) { - next = (struct trust_anchor*)rbtree_next(&ta->node); - lock_basic_lock(&ta->lock); - if(ta->autr || (ta->numDS == 0 && ta->numDNSKEY == 0)) { - lock_basic_unlock(&ta->lock); - ta = next; /* skip */ - continue; - } - if(!anchors_assemble(ta)) { - log_err("out of memory"); - lock_basic_unlock(&ta->lock); - lock_basic_unlock(&anchors->lock); - return 0; - } - nods = anchors_ds_unsupported(ta); - nokey = anchors_dnskey_unsupported(ta); - if(nods) { - log_nametypeclass(0, "warning: unsupported " - "algorithm for trust anchor", - ta->name, LDNS_RR_TYPE_DS, ta->dclass); - } - if(nokey) { - log_nametypeclass(0, "warning: unsupported " - "algorithm for trust anchor", - ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); - } - if(nods == ta->numDS && nokey == ta->numDNSKEY) { - char b[257]; - dname_str(ta->name, b); - log_warn("trust anchor %s has no supported algorithms," - " the anchor is ignored (check if you need to" - " upgrade unbound and " -#ifdef HAVE_LIBRESSL - "libressl" -#else - "openssl" -#endif - ")", b); - (void)rbtree_delete(anchors->tree, &ta->node); - lock_basic_unlock(&ta->lock); - if(anchors->dlv_anchor == ta) - anchors->dlv_anchor = NULL; - anchors_delfunc(&ta->node, NULL); - ta = next; - continue; - } - lock_basic_unlock(&ta->lock); - ta = next; - } - lock_basic_unlock(&anchors->lock); - return 1; -} - -int -anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) -{ - struct config_strlist* f; - const char** zstr; - char* nm; - sldns_buffer* parsebuf = sldns_buffer_new(65535); - if(cfg->insecure_lan_zones) { - for(zstr = as112_zones; *zstr; zstr++) { - if(!anchor_insert_insecure(anchors, *zstr)) { - log_err("error in insecure-lan-zones: %s", *zstr); - sldns_buffer_free(parsebuf); - return 0; - } - } - } - for(f = cfg->domain_insecure; f; f = f->next) { - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - if(!anchor_insert_insecure(anchors, f->str)) { - log_err("error in domain-insecure: %s", f->str); - sldns_buffer_free(parsebuf); - return 0; - } - } - for(f = cfg->trust_anchor_file_list; f; f = f->next) { - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - nm = f->str; - if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, - cfg->chrootdir, strlen(cfg->chrootdir)) == 0) - nm += strlen(cfg->chrootdir); - if(!anchor_read_file(anchors, parsebuf, nm, 0)) { - log_err("error reading trust-anchor-file: %s", f->str); - sldns_buffer_free(parsebuf); - return 0; - } - } - for(f = cfg->trusted_keys_file_list; f; f = f->next) { - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - nm = f->str; - if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, - cfg->chrootdir, strlen(cfg->chrootdir)) == 0) - nm += strlen(cfg->chrootdir); - if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) { - log_err("error reading trusted-keys-file: %s", f->str); - sldns_buffer_free(parsebuf); - return 0; - } - } - for(f = cfg->trust_anchor_list; f; f = f->next) { - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - if(!anchor_store_str(anchors, parsebuf, f->str)) { - log_err("error in trust-anchor: \"%s\"", f->str); - sldns_buffer_free(parsebuf); - return 0; - } - } - if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) { - struct trust_anchor* dlva; - nm = cfg->dlv_anchor_file; - if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, - cfg->chrootdir, strlen(cfg->chrootdir)) == 0) - nm += strlen(cfg->chrootdir); - if(!(dlva = anchor_read_file(anchors, parsebuf, - nm, 1))) { - log_err("error reading dlv-anchor-file: %s", - cfg->dlv_anchor_file); - sldns_buffer_free(parsebuf); - return 0; - } - lock_basic_lock(&anchors->lock); - anchors->dlv_anchor = dlva; - lock_basic_unlock(&anchors->lock); - } - for(f = cfg->dlv_anchor_list; f; f = f->next) { - struct trust_anchor* dlva; - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - if(!(dlva = anchor_store_str( - anchors, parsebuf, f->str))) { - log_err("error in dlv-anchor: \"%s\"", f->str); - sldns_buffer_free(parsebuf); - return 0; - } - lock_basic_lock(&anchors->lock); - anchors->dlv_anchor = dlva; - lock_basic_unlock(&anchors->lock); - } - /* do autr last, so that it sees what anchors are filled by other - * means can can print errors about double config for the name */ - for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) { - if(!f->str || f->str[0] == 0) /* empty "" */ - continue; - nm = f->str; - if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm, - cfg->chrootdir, strlen(cfg->chrootdir)) == 0) - nm += strlen(cfg->chrootdir); - if(!autr_read_file(anchors, nm)) { - log_err("error reading auto-trust-anchor-file: %s", - f->str); - sldns_buffer_free(parsebuf); - return 0; - } - } - /* first assemble, since it may delete useless anchors */ - anchors_assemble_rrsets(anchors); - init_parents(anchors); - sldns_buffer_free(parsebuf); - if(verbosity >= VERB_ALGO) autr_debug_print(anchors); - return 1; -} - -struct trust_anchor* -anchors_lookup(struct val_anchors* anchors, - uint8_t* qname, size_t qname_len, uint16_t qclass) -{ - struct trust_anchor key; - struct trust_anchor* result; - rbnode_type* res = NULL; - key.node.key = &key; - key.name = qname; - key.namelabs = dname_count_labels(qname); - key.namelen = qname_len; - key.dclass = qclass; - lock_basic_lock(&anchors->lock); - if(rbtree_find_less_equal(anchors->tree, &key, &res)) { - /* exact */ - result = (struct trust_anchor*)res; - } else { - /* smaller element (or no element) */ - int m; - result = (struct trust_anchor*)res; - if(!result || result->dclass != qclass) { - lock_basic_unlock(&anchors->lock); - return NULL; - } - /* count number of labels matched */ - (void)dname_lab_cmp(result->name, result->namelabs, key.name, - key.namelabs, &m); - while(result) { /* go up until qname is subdomain of stub */ - if(result->namelabs <= m) - break; - result = result->parent; - } - } - if(result) { - lock_basic_lock(&result->lock); - } - lock_basic_unlock(&anchors->lock); - return result; -} - -size_t -anchors_get_mem(struct val_anchors* anchors) -{ - struct trust_anchor *ta; - size_t s = sizeof(*anchors); - if(!anchors) - return 0; - RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) { - s += sizeof(*ta) + ta->namelen; - /* keys and so on */ - } - return s; -} - -int -anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm) -{ - struct trust_anchor key; - key.node.key = &key; - key.name = nm; - key.namelabs = dname_count_size_labels(nm, &key.namelen); - key.dclass = c; - lock_basic_lock(&anchors->lock); - if(rbtree_search(anchors->tree, &key)) { - lock_basic_unlock(&anchors->lock); - /* nothing to do, already an anchor or insecure point */ - return 1; - } - if(!anchor_new_ta(anchors, nm, key.namelabs, key.namelen, c, 0)) { - log_err("out of memory"); - lock_basic_unlock(&anchors->lock); - return 0; - } - /* no other contents in new ta, because it is insecure point */ - anchors_init_parents_locked(anchors); - lock_basic_unlock(&anchors->lock); - return 1; -} - -void -anchors_delete_insecure(struct val_anchors* anchors, uint16_t c, - uint8_t* nm) -{ - struct trust_anchor key; - struct trust_anchor* ta; - key.node.key = &key; - key.name = nm; - key.namelabs = dname_count_size_labels(nm, &key.namelen); - key.dclass = c; - lock_basic_lock(&anchors->lock); - if(!(ta=(struct trust_anchor*)rbtree_search(anchors->tree, &key))) { - lock_basic_unlock(&anchors->lock); - /* nothing there */ - return; - } - /* lock it to drive away other threads that use it */ - lock_basic_lock(&ta->lock); - /* see if its really an insecure point */ - if(ta->keylist || ta->autr || ta->numDS || ta->numDNSKEY) { - lock_basic_unlock(&anchors->lock); - lock_basic_unlock(&ta->lock); - /* its not an insecure point, do not remove it */ - return; - } - - /* remove from tree */ - (void)rbtree_delete(anchors->tree, &ta->node); - anchors_init_parents_locked(anchors); - lock_basic_unlock(&anchors->lock); - - /* actual free of data */ - lock_basic_unlock(&ta->lock); - anchors_delfunc(&ta->node, NULL); -} - -/** compare two keytags, return -1, 0 or 1 */ -static int -keytag_compare(const void* x, const void* y) -{ - if(*(uint16_t*)x == *(uint16_t*)y) - return 0; - if(*(uint16_t*)x > *(uint16_t*)y) - return 1; - return -1; -} - -size_t -anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num) -{ - size_t i, ret = 0; - if(ta->numDS == 0 && ta->numDNSKEY == 0) - return 0; /* insecure point */ - if(ta->numDS != 0 && ta->ds_rrset) { - struct packed_rrset_data* d=(struct packed_rrset_data*) - ta->ds_rrset->entry.data; - for(i=0; i<d->count; i++) { - if(ret == num) continue; - list[ret++] = ds_get_keytag(ta->ds_rrset, i); - } - } - if(ta->numDNSKEY != 0 && ta->dnskey_rrset) { - struct packed_rrset_data* d=(struct packed_rrset_data*) - ta->dnskey_rrset->entry.data; - for(i=0; i<d->count; i++) { - if(ret == num) continue; - list[ret++] = dnskey_calc_keytag(ta->dnskey_rrset, i); - } - } - qsort(list, ret, sizeof(*list), keytag_compare); - return ret; -} |