diff options
Diffstat (limited to '')
| -rw-r--r-- | external/unbound/validator/autotrust.c | 2393 |
1 files changed, 2393 insertions, 0 deletions
diff --git a/external/unbound/validator/autotrust.c b/external/unbound/validator/autotrust.c new file mode 100644 index 000000000..a59763382 --- /dev/null +++ b/external/unbound/validator/autotrust.c @@ -0,0 +1,2393 @@ +/* + * validator/autotrust.c - RFC5011 trust anchor management for unbound. + * + * Copyright (c) 2009, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * Contains autotrust implementation. The implementation was taken from + * the autotrust daemon (BSD licensed), written by Matthijs Mekking. + * It was modified to fit into unbound. The state table process is the same. + */ +#include "config.h" +#include "validator/autotrust.h" +#include "validator/val_anchor.h" +#include "validator/val_utils.h" +#include "validator/val_sigcrypt.h" +#include "util/data/dname.h" +#include "util/data/packed_rrset.h" +#include "util/log.h" +#include "util/module.h" +#include "util/net_help.h" +#include "util/config_file.h" +#include "util/regional.h" +#include "util/random.h" +#include "util/data/msgparse.h" +#include "services/mesh.h" +#include "services/cache/rrset.h" +#include "validator/val_kcache.h" +#include "ldns/sbuffer.h" +#include "ldns/wire2str.h" +#include "ldns/str2wire.h" +#include "ldns/keyraw.h" +#include "ldns/rrdef.h" +#include <stdarg.h> +#include <ctype.h> + +/** number of times a key must be seen before it can become valid */ +#define MIN_PENDINGCOUNT 2 + +/** Event: Revoked */ +static void do_revoked(struct module_env* env, struct autr_ta* anchor, int* c); + +struct autr_global_data* autr_global_create(void) +{ + struct autr_global_data* global; + global = (struct autr_global_data*)malloc(sizeof(*global)); + if(!global) + return NULL; + rbtree_init(&global->probe, &probetree_cmp); + return global; +} + +void autr_global_delete(struct autr_global_data* global) +{ + if(!global) + return; + /* elements deleted by parent */ + memset(global, 0, sizeof(*global)); + free(global); +} + +int probetree_cmp(const void* x, const void* y) +{ + struct trust_anchor* a = (struct trust_anchor*)x; + struct trust_anchor* b = (struct trust_anchor*)y; + log_assert(a->autr && b->autr); + if(a->autr->next_probe_time < b->autr->next_probe_time) + return -1; + if(a->autr->next_probe_time > b->autr->next_probe_time) + return 1; + /* time is equal, sort on trust point identity */ + return anchor_cmp(x, y); +} + +size_t +autr_get_num_anchors(struct val_anchors* anchors) +{ + size_t res = 0; + if(!anchors) + return 0; + lock_basic_lock(&anchors->lock); + if(anchors->autr) + res = anchors->autr->probe.count; + lock_basic_unlock(&anchors->lock); + return res; +} + +/** Position in string */ +static int +position_in_string(char *str, const char* sub) +{ + char* pos = strstr(str, sub); + if(pos) + return (int)(pos-str)+(int)strlen(sub); + return -1; +} + +/** Debug routine to print pretty key information */ +static void +verbose_key(struct autr_ta* ta, enum verbosity_value level, + const char* format, ...) ATTR_FORMAT(printf, 3, 4); + +/** + * Implementation of debug pretty key print + * @param ta: trust anchor key with DNSKEY data. + * @param level: verbosity level to print at. + * @param format: printf style format string. + */ +static void +verbose_key(struct autr_ta* ta, enum verbosity_value level, + const char* format, ...) +{ + va_list args; + va_start(args, format); + if(verbosity >= level) { + char* str = sldns_wire2str_dname(ta->rr, ta->dname_len); + int keytag = (int)sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len)); + char msg[MAXSYSLOGMSGLEN]; + vsnprintf(msg, sizeof(msg), format, args); + verbose(level, "%s key %d %s", str?str:"??", keytag, msg); + free(str); + } + va_end(args); +} + +/** + * Parse comments + * @param str: to parse + * @param ta: trust key autotrust metadata + * @return false on failure. + */ +static int +parse_comments(char* str, struct autr_ta* ta) +{ + int len = (int)strlen(str), pos = 0, timestamp = 0; + char* comment = (char*) malloc(sizeof(char)*len+1); + char* comments = comment; + if(!comment) { + log_err("malloc failure in parse"); + return 0; + } + /* skip over whitespace and data at start of line */ + while (*str != '\0' && *str != ';') + str++; + if (*str == ';') + str++; + /* copy comments */ + while (*str != '\0') + { + *comments = *str; + comments++; + str++; + } + *comments = '\0'; + + comments = comment; + + /* read state */ + pos = position_in_string(comments, "state="); + if (pos >= (int) strlen(comments)) + { + log_err("parse error"); + free(comment); + return 0; + } + if (pos <= 0) + ta->s = AUTR_STATE_VALID; + else + { + int s = (int) comments[pos] - '0'; + switch(s) + { + case AUTR_STATE_START: + case AUTR_STATE_ADDPEND: + case AUTR_STATE_VALID: + case AUTR_STATE_MISSING: + case AUTR_STATE_REVOKED: + case AUTR_STATE_REMOVED: + ta->s = s; + break; + default: + verbose_key(ta, VERB_OPS, "has undefined " + "state, considered NewKey"); + ta->s = AUTR_STATE_START; + break; + } + } + /* read pending count */ + pos = position_in_string(comments, "count="); + if (pos >= (int) strlen(comments)) + { + log_err("parse error"); + free(comment); + return 0; + } + if (pos <= 0) + ta->pending_count = 0; + else + { + comments += pos; + ta->pending_count = (uint8_t)atoi(comments); + } + + /* read last change */ + pos = position_in_string(comments, "lastchange="); + if (pos >= (int) strlen(comments)) + { + log_err("parse error"); + free(comment); + return 0; + } + if (pos >= 0) + { + comments += pos; + timestamp = atoi(comments); + } + if (pos < 0 || !timestamp) + ta->last_change = 0; + else + ta->last_change = (time_t)timestamp; + + free(comment); + return 1; +} + +/** Check if a line contains data (besides comments) */ +static int +str_contains_data(char* str, char comment) +{ + while (*str != '\0') { + if (*str == comment || *str == '\n') + return 0; + if (*str != ' ' && *str != '\t') + return 1; + str++; + } + return 0; +} + +/** Get DNSKEY flags + * rdata without rdatalen in front of it. */ +static int +dnskey_flags(uint16_t t, uint8_t* rdata, size_t len) +{ + uint16_t f; + if(t != LDNS_RR_TYPE_DNSKEY) + return 0; + if(len < 2) + return 0; + memmove(&f, rdata, 2); + f = ntohs(f); + return (int)f; +} + +/** Check if KSK DNSKEY. + * pass rdata without rdatalen in front of it */ +static int +rr_is_dnskey_sep(uint16_t t, uint8_t* rdata, size_t len) +{ + return (dnskey_flags(t, rdata, len)&DNSKEY_BIT_SEP); +} + +/** Check if TA is KSK DNSKEY */ +static int +ta_is_dnskey_sep(struct autr_ta* ta) +{ + return (dnskey_flags( + sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdata(ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, ta->dname_len) + ) & DNSKEY_BIT_SEP); +} + +/** Check if REVOKED DNSKEY + * pass rdata without rdatalen in front of it */ +static int +rr_is_dnskey_revoked(uint16_t t, uint8_t* rdata, size_t len) +{ + return (dnskey_flags(t, rdata, len)&LDNS_KEY_REVOKE_KEY); +} + +/** create ta */ +static struct autr_ta* +autr_ta_create(uint8_t* rr, size_t rr_len, size_t dname_len) +{ + struct autr_ta* ta = (struct autr_ta*)calloc(1, sizeof(*ta)); + if(!ta) { + free(rr); + return NULL; + } + ta->rr = rr; + ta->rr_len = rr_len; + ta->dname_len = dname_len; + return ta; +} + +/** create tp */ +static struct trust_anchor* +autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len, + uint16_t dc) +{ + struct trust_anchor* tp = (struct trust_anchor*)calloc(1, sizeof(*tp)); + if(!tp) return NULL; + tp->name = memdup(own, own_len); + if(!tp->name) { + free(tp); + return NULL; + } + tp->namelen = own_len; + tp->namelabs = dname_count_labels(tp->name); + tp->node.key = tp; + tp->dclass = dc; + tp->autr = (struct autr_point_data*)calloc(1, sizeof(*tp->autr)); + if(!tp->autr) { + free(tp->name); + free(tp); + return NULL; + } + tp->autr->pnode.key = tp; + + lock_basic_lock(&anchors->lock); + if(!rbtree_insert(anchors->tree, &tp->node)) { + lock_basic_unlock(&anchors->lock); + log_err("trust anchor presented twice"); + free(tp->name); + free(tp->autr); + free(tp); + return NULL; + } + if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) { + (void)rbtree_delete(anchors->tree, tp); + lock_basic_unlock(&anchors->lock); + log_err("trust anchor in probetree twice"); + free(tp->name); + free(tp->autr); + free(tp); + return NULL; + } + lock_basic_unlock(&anchors->lock); + lock_basic_init(&tp->lock); + lock_protect(&tp->lock, tp, sizeof(*tp)); + lock_protect(&tp->lock, tp->autr, sizeof(*tp->autr)); + return tp; +} + +/** delete assembled rrsets */ +static void +autr_rrset_delete(struct ub_packed_rrset_key* r) +{ + if(r) { + free(r->rk.dname); + free(r->entry.data); + free(r); + } +} + +void autr_point_delete(struct trust_anchor* tp) +{ + if(!tp) + return; + lock_unprotect(&tp->lock, tp); + lock_unprotect(&tp->lock, tp->autr); + lock_basic_destroy(&tp->lock); + autr_rrset_delete(tp->ds_rrset); + autr_rrset_delete(tp->dnskey_rrset); + if(tp->autr) { + struct autr_ta* p = tp->autr->keys, *np; + while(p) { + np = p->next; + free(p->rr); + free(p); + p = np; + } + free(tp->autr->file); + free(tp->autr); + } + free(tp->name); + free(tp); +} + +/** find or add a new trust point for autotrust */ +static struct trust_anchor* +find_add_tp(struct val_anchors* anchors, uint8_t* rr, size_t rr_len, + size_t dname_len) +{ + struct trust_anchor* tp; + tp = anchor_find(anchors, rr, dname_count_labels(rr), dname_len, + sldns_wirerr_get_class(rr, rr_len, dname_len)); + if(tp) { + if(!tp->autr) { + log_err("anchor cannot be with and without autotrust"); + lock_basic_unlock(&tp->lock); + return NULL; + } + return tp; + } + tp = autr_tp_create(anchors, rr, dname_len, sldns_wirerr_get_class(rr, + rr_len, dname_len)); + lock_basic_lock(&tp->lock); + return tp; +} + +/** Add trust anchor from RR */ +static struct autr_ta* +add_trustanchor_frm_rr(struct val_anchors* anchors, uint8_t* rr, size_t rr_len, + size_t dname_len, struct trust_anchor** tp) +{ + struct autr_ta* ta = autr_ta_create(rr, rr_len, dname_len); + if(!ta) + return NULL; + *tp = find_add_tp(anchors, rr, rr_len, dname_len); + if(!*tp) { + free(ta->rr); + free(ta); + return NULL; + } + /* add ta to tp */ + ta->next = (*tp)->autr->keys; + (*tp)->autr->keys = ta; + lock_basic_unlock(&(*tp)->lock); + return ta; +} + +/** + * Add new trust anchor from a string in file. + * @param anchors: all anchors + * @param str: string with anchor and comments, if any comments. + * @param tp: trust point returned. + * @param origin: what to use for @ + * @param origin_len: length of origin + * @param prev: previous rr name + * @param prev_len: length of prev + * @param skip: if true, the result is NULL, but not an error, skip it. + * @return new key in trust point. + */ +static struct autr_ta* +add_trustanchor_frm_str(struct val_anchors* anchors, char* str, + struct trust_anchor** tp, uint8_t* origin, size_t origin_len, + uint8_t** prev, size_t* prev_len, int* skip) +{ + uint8_t rr[LDNS_RR_BUF_SIZE]; + size_t rr_len = sizeof(rr), dname_len; + uint8_t* drr; + int lstatus; + if (!str_contains_data(str, ';')) { + *skip = 1; + return NULL; /* empty line */ + } + if(0 != (lstatus = sldns_str2wire_rr_buf(str, rr, &rr_len, &dname_len, + 0, origin, origin_len, *prev, *prev_len))) + { + log_err("ldns error while converting string to RR at%d: %s: %s", + LDNS_WIREPARSE_OFFSET(lstatus), + sldns_get_errorstr_parse(lstatus), str); + return NULL; + } + free(*prev); + *prev = memdup(rr, dname_len); + *prev_len = dname_len; + if(!*prev) { + log_err("malloc failure in add_trustanchor"); + return NULL; + } + if(sldns_wirerr_get_type(rr, rr_len, dname_len)!=LDNS_RR_TYPE_DNSKEY && + sldns_wirerr_get_type(rr, rr_len, dname_len)!=LDNS_RR_TYPE_DS) { + *skip = 1; + return NULL; /* only DS and DNSKEY allowed */ + } + drr = memdup(rr, rr_len); + if(!drr) { + log_err("malloc failure in add trustanchor"); + return NULL; + } + return add_trustanchor_frm_rr(anchors, drr, rr_len, dname_len, tp); +} + +/** + * Load single anchor + * @param anchors: all points. + * @param str: comments line + * @param fname: filename + * @param origin: the $ORIGIN. + * @param origin_len: length of origin + * @param prev: passed to ldns. + * @param prev_len: length of prev + * @param skip: if true, the result is NULL, but not an error, skip it. + * @return false on failure, otherwise the tp read. + */ +static struct trust_anchor* +load_trustanchor(struct val_anchors* anchors, char* str, const char* fname, + uint8_t* origin, size_t origin_len, uint8_t** prev, size_t* prev_len, + int* skip) +{ + struct autr_ta* ta = NULL; + struct trust_anchor* tp = NULL; + + ta = add_trustanchor_frm_str(anchors, str, &tp, origin, origin_len, + prev, prev_len, skip); + if(!ta) + return NULL; + lock_basic_lock(&tp->lock); + if(!parse_comments(str, ta)) { + lock_basic_unlock(&tp->lock); + return NULL; + } + if(!tp->autr->file) { + tp->autr->file = strdup(fname); + if(!tp->autr->file) { + lock_basic_unlock(&tp->lock); + log_err("malloc failure"); + return NULL; + } + } + lock_basic_unlock(&tp->lock); + return tp; +} + +/** iterator for DSes from keylist. return true if a next element exists */ +static int +assemble_iterate_ds(struct autr_ta** list, uint8_t** rr, size_t* rr_len, + size_t* dname_len) +{ + while(*list) { + if(sldns_wirerr_get_type((*list)->rr, (*list)->rr_len, + (*list)->dname_len) == LDNS_RR_TYPE_DS) { + *rr = (*list)->rr; + *rr_len = (*list)->rr_len; + *dname_len = (*list)->dname_len; + *list = (*list)->next; + return 1; + } + *list = (*list)->next; + } + return 0; +} + +/** iterator for DNSKEYs from keylist. return true if a next element exists */ +static int +assemble_iterate_dnskey(struct autr_ta** list, uint8_t** rr, size_t* rr_len, + size_t* dname_len) +{ + while(*list) { + if(sldns_wirerr_get_type((*list)->rr, (*list)->rr_len, + (*list)->dname_len) != LDNS_RR_TYPE_DS && + ((*list)->s == AUTR_STATE_VALID || + (*list)->s == AUTR_STATE_MISSING)) { + *rr = (*list)->rr; + *rr_len = (*list)->rr_len; + *dname_len = (*list)->dname_len; + *list = (*list)->next; + return 1; + } + *list = (*list)->next; + } + return 0; +} + +/** see if iterator-list has any elements in it, or it is empty */ +static int +assemble_iterate_hasfirst(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + return iter(&list, &rr, &rr_len, &dname_len); +} + +/** number of elements in iterator list */ +static size_t +assemble_iterate_count(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t i = 0, rr_len = 0, dname_len = 0; + while(iter(&list, &rr, &rr_len, &dname_len)) { + i++; + } + return i; +} + +/** + * Create a ub_packed_rrset_key allocated on the heap. + * It therefore does not have the correct ID value, and cannot be used + * inside the cache. It can be used in storage outside of the cache. + * Keys for the cache have to be obtained from alloc.h . + * @param iter: iterator over the elements in the list. It filters elements. + * @param list: the list. + * @return key allocated or NULL on failure. + */ +static struct ub_packed_rrset_key* +ub_packed_rrset_heap_key(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + struct ub_packed_rrset_key* k; + if(!iter(&list, &rr, &rr_len, &dname_len)) + return NULL; + k = (struct ub_packed_rrset_key*)calloc(1, sizeof(*k)); + if(!k) + return NULL; + k->rk.type = htons(sldns_wirerr_get_type(rr, rr_len, dname_len)); + k->rk.rrset_class = htons(sldns_wirerr_get_class(rr, rr_len, dname_len)); + k->rk.dname_len = dname_len; + k->rk.dname = memdup(rr, dname_len); + if(!k->rk.dname) { + free(k); + return NULL; + } + return k; +} + +/** + * Create packed_rrset data on the heap. + * @param iter: iterator over the elements in the list. It filters elements. + * @param list: the list. + * @return data allocated or NULL on failure. + */ +static struct packed_rrset_data* +packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + struct packed_rrset_data* data; + size_t count=0, rrsig_count=0, len=0, i, total; + uint8_t* nextrdata; + struct autr_ta* list_i; + time_t ttl = 0; + + list_i = list; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + if(sldns_wirerr_get_type(rr, rr_len, dname_len) == + LDNS_RR_TYPE_RRSIG) + rrsig_count++; + else count++; + /* sizeof the rdlength + rdatalen */ + len += 2 + sldns_wirerr_get_rdatalen(rr, rr_len, dname_len); + ttl = (time_t)sldns_wirerr_get_ttl(rr, rr_len, dname_len); + } + if(count == 0 && rrsig_count == 0) + return NULL; + + /* allocate */ + total = count + rrsig_count; + len += sizeof(*data) + total*(sizeof(size_t) + sizeof(time_t) + + sizeof(uint8_t*)); + data = (struct packed_rrset_data*)calloc(1, len); + if(!data) + return NULL; + + /* fill it */ + data->ttl = ttl; + data->count = count; + data->rrsig_count = rrsig_count; + data->rr_len = (size_t*)((uint8_t*)data + + sizeof(struct packed_rrset_data)); + data->rr_data = (uint8_t**)&(data->rr_len[total]); + data->rr_ttl = (time_t*)&(data->rr_data[total]); + nextrdata = (uint8_t*)&(data->rr_ttl[total]); + + /* fill out len, ttl, fields */ + list_i = list; + i = 0; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + data->rr_ttl[i] = (time_t)sldns_wirerr_get_ttl(rr, rr_len, + dname_len); + if(data->rr_ttl[i] < data->ttl) + data->ttl = data->rr_ttl[i]; + data->rr_len[i] = 2 /* the rdlength */ + + sldns_wirerr_get_rdatalen(rr, rr_len, dname_len); + i++; + } + + /* fixup rest of ptrs */ + for(i=0; i<total; i++) { + data->rr_data[i] = nextrdata; + nextrdata += data->rr_len[i]; + } + + /* copy data in there */ + list_i = list; + i = 0; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + memmove(data->rr_data[i], + sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), + data->rr_len[i]); + i++; + } + + if(data->rrsig_count && data->count == 0) { + data->count = data->rrsig_count; /* rrset type is RRSIG */ + data->rrsig_count = 0; + } + return data; +} + +/** + * Assemble the trust anchors into DS and DNSKEY packed rrsets. + * Uses only VALID and MISSING DNSKEYs. + * Read the sldns_rrs and builds packed rrsets + * @param tp: the trust point. Must be locked. + * @return false on malloc failure. + */ +static int +autr_assemble(struct trust_anchor* tp) +{ + struct ub_packed_rrset_key* ubds=NULL, *ubdnskey=NULL; + + /* make packed rrset keys - malloced with no ID number, they + * are not in the cache */ + /* make packed rrset data (if there is a key) */ + if(assemble_iterate_hasfirst(assemble_iterate_ds, tp->autr->keys)) { + ubds = ub_packed_rrset_heap_key( + assemble_iterate_ds, tp->autr->keys); + if(!ubds) + goto error_cleanup; + ubds->entry.data = packed_rrset_heap_data( + assemble_iterate_ds, tp->autr->keys); + if(!ubds->entry.data) + goto error_cleanup; + } + + /* make packed DNSKEY data */ + if(assemble_iterate_hasfirst(assemble_iterate_dnskey, tp->autr->keys)) { + ubdnskey = ub_packed_rrset_heap_key( + assemble_iterate_dnskey, tp->autr->keys); + if(!ubdnskey) + goto error_cleanup; + ubdnskey->entry.data = packed_rrset_heap_data( + assemble_iterate_dnskey, tp->autr->keys); + if(!ubdnskey->entry.data) { + error_cleanup: + autr_rrset_delete(ubds); + autr_rrset_delete(ubdnskey); + return 0; + } + } + + /* we have prepared the new keys so nothing can go wrong any more. + * And we are sure we cannot be left without trustanchor after + * any errors. Put in the new keys and remove old ones. */ + + /* free the old data */ + autr_rrset_delete(tp->ds_rrset); + autr_rrset_delete(tp->dnskey_rrset); + + /* assign the data to replace the old */ + tp->ds_rrset = ubds; + tp->dnskey_rrset = ubdnskey; + tp->numDS = assemble_iterate_count(assemble_iterate_ds, + tp->autr->keys); + tp->numDNSKEY = assemble_iterate_count(assemble_iterate_dnskey, + tp->autr->keys); + return 1; +} + +/** parse integer */ +static unsigned int +parse_int(char* line, int* ret) +{ + char *e; + unsigned int x = (unsigned int)strtol(line, &e, 10); + if(line == e) { + *ret = -1; /* parse error */ + return 0; + } + *ret = 1; /* matched */ + return x; +} + +/** parse id sequence for anchor */ +static struct trust_anchor* +parse_id(struct val_anchors* anchors, char* line) +{ + struct trust_anchor *tp; + int r; + uint16_t dclass; + uint8_t* dname; + size_t dname_len; + /* read the owner name */ + char* next = strchr(line, ' '); + if(!next) + return NULL; + next[0] = 0; + dname = sldns_str2wire_dname(line, &dname_len); + if(!dname) + return NULL; + + /* read the class */ + dclass = parse_int(next+1, &r); + if(r == -1) { + free(dname); + return NULL; + } + + /* find the trust point */ + tp = autr_tp_create(anchors, dname, dname_len, dclass); + free(dname); + return tp; +} + +/** + * Parse variable from trustanchor header + * @param line: to parse + * @param anchors: the anchor is added to this, if "id:" is seen. + * @param anchor: the anchor as result value or previously returned anchor + * value to read the variable lines into. + * @return: 0 no match, -1 failed syntax error, +1 success line read. + * +2 revoked trust anchor file. + */ +static int +parse_var_line(char* line, struct val_anchors* anchors, + struct trust_anchor** anchor) +{ + struct trust_anchor* tp = *anchor; + int r = 0; + if(strncmp(line, ";;id: ", 6) == 0) { + *anchor = parse_id(anchors, line+6); + if(!*anchor) return -1; + else return 1; + } else if(strncmp(line, ";;REVOKED", 9) == 0) { + if(tp) { + log_err("REVOKED statement must be at start of file"); + return -1; + } + return 2; + } else if(strncmp(line, ";;last_queried: ", 16) == 0) { + if(!tp) return -1; + lock_basic_lock(&tp->lock); + tp->autr->last_queried = (time_t)parse_int(line+16, &r); + lock_basic_unlock(&tp->lock); + } else if(strncmp(line, ";;last_success: ", 16) == 0) { + if(!tp) return -1; + lock_basic_lock(&tp->lock); + tp->autr->last_success = (time_t)parse_int(line+16, &r); + lock_basic_unlock(&tp->lock); + } else if(strncmp(line, ";;next_probe_time: ", 19) == 0) { + if(!tp) return -1; + lock_basic_lock(&anchors->lock); + lock_basic_lock(&tp->lock); + (void)rbtree_delete(&anchors->autr->probe, tp); + tp->autr->next_probe_time = (time_t)parse_int(line+19, &r); + (void)rbtree_insert(&anchors->autr->probe, &tp->autr->pnode); + lock_basic_unlock(&tp->lock); + lock_basic_unlock(&anchors->lock); + } else if(strncmp(line, ";;query_failed: ", 16) == 0) { + if(!tp) return -1; + lock_basic_lock(&tp->lock); + tp->autr->query_failed = (uint8_t)parse_int(line+16, &r); + lock_basic_unlock(&tp->lock); + } else if(strncmp(line, ";;query_interval: ", 18) == 0) { + if(!tp) return -1; + lock_basic_lock(&tp->lock); + tp->autr->query_interval = (time_t)parse_int(line+18, &r); + lock_basic_unlock(&tp->lock); + } else if(strncmp(line, ";;retry_time: ", 14) == 0) { + if(!tp) return -1; + lock_basic_lock(&tp->lock); + tp->autr->retry_time = (time_t)parse_int(line+14, &r); + lock_basic_unlock(&tp->lock); + } + return r; +} + +/** handle origin lines */ +static int +handle_origin(char* line, uint8_t** origin, size_t* origin_len) +{ + size_t len = 0; + while(isspace((int)*line)) + line++; + if(strncmp(line, "$ORIGIN", 7) != 0) + return 0; + free(*origin); + line += 7; + while(isspace((int)*line)) + line++; + *origin = sldns_str2wire_dname(line, &len); + *origin_len = len; + if(!*origin) + log_warn("malloc failure or parse error in $ORIGIN"); + return 1; +} + +/** Read one line and put multiline RRs onto one line string */ +static int +read_multiline(char* buf, size_t len, FILE* in, int* linenr) +{ + char* pos = buf; + size_t left = len; + int depth = 0; + buf[len-1] = 0; + while(left > 0 && fgets(pos, (int)left, in) != NULL) { + size_t i, poslen = strlen(pos); + (*linenr)++; + + /* check what the new depth is after the line */ + /* this routine cannot handle braces inside quotes, + say for TXT records, but this routine only has to read keys */ + for(i=0; i<poslen; i++) { + if(pos[i] == '(') { + depth++; + } else if(pos[i] == ')') { + if(depth == 0) { + log_err("mismatch: too many ')'"); + return -1; + } + depth--; + } else if(pos[i] == ';') { + break; + } + } + + /* normal oneline or last line: keeps newline and comments */ + if(depth == 0) { + return 1; + } + + /* more lines expected, snip off comments and newline */ + if(poslen>0) + pos[poslen-1] = 0; /* strip newline */ + if(strchr(pos, ';')) + strchr(pos, ';')[0] = 0; /* strip comments */ + + /* move to paste other lines behind this one */ + poslen = strlen(pos); + pos += poslen; + left -= poslen; + /* the newline is changed into a space */ + if(left <= 2 /* space and eos */) { + log_err("line too long"); + return -1; + } + pos[0] = ' '; + pos[1] = 0; + pos += 1; + left -= 1; + } + if(depth != 0) { + log_err("mismatch: too many '('"); + return -1; + } + if(pos != buf) + return 1; + return 0; +} + +int autr_read_file(struct val_anchors* anchors, const char* nm) +{ + /* the file descriptor */ + FILE* fd; + /* keep track of line numbers */ + int line_nr = 0; + /* single line */ + char line[10240]; + /* trust point being read */ + struct trust_anchor *tp = NULL, *tp2; + int r; + /* for $ORIGIN parsing */ + uint8_t *origin=NULL, *prev=NULL; + size_t origin_len=0, prev_len=0; + + if (!(fd = fopen(nm, "r"))) { + log_err("unable to open %s for reading: %s", + nm, strerror(errno)); + return 0; + } + verbose(VERB_ALGO, "reading autotrust anchor file %s", nm); + while ( (r=read_multiline(line, sizeof(line), fd, &line_nr)) != 0) { + if(r == -1 || (r = parse_var_line(line, anchors, &tp)) == -1) { + log_err("could not parse auto-trust-anchor-file " + "%s line %d", nm, line_nr); + fclose(fd); + free(origin); + free(prev); + return 0; + } else if(r == 1) { + continue; + } else if(r == 2) { + log_warn("trust anchor %s has been revoked", nm); + fclose(fd); + free(origin); + free(prev); + return 1; + } + if (!str_contains_data(line, ';')) + continue; /* empty lines allowed */ + if(handle_origin(line, &origin, &origin_len)) + continue; + r = 0; + if(!(tp2=load_trustanchor(anchors, line, nm, origin, + origin_len, &prev, &prev_len, &r))) { + if(!r) log_err("failed to load trust anchor from %s " + "at line %i, skipping", nm, line_nr); + /* try to do the rest */ + continue; + } + if(tp && tp != tp2) { + log_err("file %s has mismatching data inside: " + "the file may only contain keys for one name, " + "remove keys for other domain names", nm); + fclose(fd); + free(origin); + free(prev); + return 0; + } + tp = tp2; + } + fclose(fd); + free(origin); + free(prev); + if(!tp) { + log_err("failed to read %s", nm); + return 0; + } + + /* now assemble the data into DNSKEY and DS packed rrsets */ + lock_basic_lock(&tp->lock); + if(!autr_assemble(tp)) { + lock_basic_unlock(&tp->lock); + log_err("malloc failure assembling %s", nm); + return 0; + } + lock_basic_unlock(&tp->lock); + return 1; +} + +/** string for a trustanchor state */ +static const char* +trustanchor_state2str(autr_state_t s) +{ + switch (s) { + case AUTR_STATE_START: return " START "; + case AUTR_STATE_ADDPEND: return " ADDPEND "; + case AUTR_STATE_VALID: return " VALID "; + case AUTR_STATE_MISSING: return " MISSING "; + case AUTR_STATE_REVOKED: return " REVOKED "; + case AUTR_STATE_REMOVED: return " REMOVED "; + } + return " UNKNOWN "; +} + +/** print ID to file */ +static int +print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass) +{ + char* s = sldns_wire2str_dname(nm, nmlen); + if(!s) { + log_err("malloc failure in write to %s", fname); + return 0; + } + if(fprintf(out, ";;id: %s %d\n", s, (int)dclass) < 0) { + log_err("could not write to %s: %s", fname, strerror(errno)); + free(s); + return 0; + } + free(s); + return 1; +} + +static int +autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp) +{ + char tmi[32]; + struct autr_ta* ta; + char* str; + + /* write pretty header */ + if(fprintf(out, "; autotrust trust anchor file\n") < 0) { + log_err("could not write to %s: %s", fn, strerror(errno)); + return 0; + } + if(tp->autr->revoked) { + if(fprintf(out, ";;REVOKED\n") < 0 || + fprintf(out, "; The zone has all keys revoked, and is\n" + "; considered as if it has no trust anchors.\n" + "; the remainder of the file is the last probe.\n" + "; to restart the trust anchor, overwrite this file.\n" + "; with one containing valid DNSKEYs or DSes.\n") < 0) { + log_err("could not write to %s: %s", fn, strerror(errno)); + return 0; + } + } + if(!print_id(out, fn, tp->name, tp->namelen, tp->dclass)) { + return 0; + } + if(fprintf(out, ";;last_queried: %u ;;%s", + (unsigned int)tp->autr->last_queried, + ctime_r(&(tp->autr->last_queried), tmi)) < 0 || + fprintf(out, ";;last_success: %u ;;%s", + (unsigned int)tp->autr->last_success, + ctime_r(&(tp->autr->last_success), tmi)) < 0 || + fprintf(out, ";;next_probe_time: %u ;;%s", + (unsigned int)tp->autr->next_probe_time, + ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 || + fprintf(out, ";;query_failed: %d\n", (int)tp->autr->query_failed)<0 + || fprintf(out, ";;query_interval: %d\n", + (int)tp->autr->query_interval) < 0 || + fprintf(out, ";;retry_time: %d\n", (int)tp->autr->retry_time) < 0) { + log_err("could not write to %s: %s", fn, strerror(errno)); + return 0; + } + + /* write anchors */ + for(ta=tp->autr->keys; ta; ta=ta->next) { + /* by default do not store START and REMOVED keys */ + if(ta->s == AUTR_STATE_START) + continue; + if(ta->s == AUTR_STATE_REMOVED) + continue; + /* only store keys */ + if(sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len) + != LDNS_RR_TYPE_DNSKEY) + continue; + str = sldns_wire2str_rr(ta->rr, ta->rr_len); + if(!str || !str[0]) { + free(str); + log_err("malloc failure writing %s", fn); + return 0; + } + str[strlen(str)-1] = 0; /* remove newline */ + if(fprintf(out, "%s ;;state=%d [%s] ;;count=%d " + ";;lastchange=%u ;;%s", str, (int)ta->s, + trustanchor_state2str(ta->s), (int)ta->pending_count, + (unsigned int)ta->last_change, + ctime_r(&(ta->last_change), tmi)) < 0) { + log_err("could not write to %s: %s", fn, strerror(errno)); + free(str); + return 0; + } + free(str); + } + return 1; +} + +void autr_write_file(struct module_env* env, struct trust_anchor* tp) +{ + FILE* out; + char* fname = tp->autr->file; + char tempf[2048]; + log_assert(tp->autr); + if(!env) { + log_err("autr_write_file: Module environment is NULL."); + return; + } + /* unique name with pid number and thread number */ + snprintf(tempf, sizeof(tempf), "%s.%d-%d", fname, (int)getpid(), + env->worker?*(int*)env->worker:0); + verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); + out = fopen(tempf, "w"); + if(!out) { + log_err("could not open autotrust file for writing, %s: %s", + tempf, strerror(errno)); + return; + } + if(!autr_write_contents(out, tempf, tp)) { + /* failed to write contents (completely) */ + fclose(out); + unlink(tempf); + log_err("could not completely write: %s", fname); + return; + } + if(fclose(out) != 0) { + log_err("could not complete write: %s: %s", + fname, strerror(errno)); + unlink(tempf); + return; + } + /* success; overwrite actual file */ + verbose(VERB_ALGO, "autotrust: replaced %s", fname); +#ifdef UB_ON_WINDOWS + (void)unlink(fname); /* windows does not replace file with rename() */ +#endif + if(rename(tempf, fname) < 0) { + log_err("rename(%s to %s): %s", tempf, fname, strerror(errno)); + } +} + +/** + * Verify if dnskey works for trust point + * @param env: environment (with time) for verification + * @param ve: validator environment (with options) for verification. + * @param tp: trust point to verify with + * @param rrset: DNSKEY rrset to verify. + * @return false on failure, true if verification successful. + */ +static int +verify_dnskey(struct module_env* env, struct val_env* ve, + struct trust_anchor* tp, struct ub_packed_rrset_key* rrset) +{ + char* reason = NULL; + uint8_t sigalg[ALGO_NEEDS_MAX+1]; + int downprot = 1; + enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset, + tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason); + /* sigalg is ignored, it returns algorithms signalled to exist, but + * in 5011 there are no other rrsets to check. if downprot is + * enabled, then it checks that the DNSKEY is signed with all + * algorithms available in the trust store. */ + verbose(VERB_ALGO, "autotrust: validate DNSKEY with anchor: %s", + sec_status_to_string(sec)); + return sec == sec_status_secure; +} + +static int32_t +rrsig_get_expiry(uint8_t* d, size_t len) +{ + /* rrsig: 2(rdlen), 2(type) 1(alg) 1(v) 4(origttl), then 4(expi), (4)incep) */ + if(len < 2+8+4) + return 0; + return sldns_read_uint32(d+2+8); +} + +/** Find minimum expiration interval from signatures */ +static time_t +min_expiry(struct module_env* env, struct packed_rrset_data* dd) +{ + size_t i; + int32_t t, r = 15 * 24 * 3600; /* 15 days max */ + for(i=dd->count; i<dd->count+dd->rrsig_count; i++) { + t = rrsig_get_expiry(dd->rr_data[i], dd->rr_len[i]); + if((int32_t)t - (int32_t)*env->now > 0) { + t -= (int32_t)*env->now; + if(t < r) + r = t; + } + } + return (time_t)r; +} + +/** Is rr self-signed revoked key */ +static int +rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* dnskey_rrset, size_t i) +{ + enum sec_status sec; + char* reason = NULL; + verbose(VERB_ALGO, "seen REVOKE flag, check self-signed, rr %d", + (int)i); + /* no algorithm downgrade protection necessary, if it is selfsigned + * revoked it can be removed. */ + sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i, + &reason); + return (sec == sec_status_secure); +} + +/** Set fetched value */ +static void +seen_trustanchor(struct autr_ta* ta, uint8_t seen) +{ + ta->fetched = seen; + if(ta->pending_count < 250) /* no numerical overflow, please */ + ta->pending_count++; +} + +/** set revoked value */ +static void +seen_revoked_trustanchor(struct autr_ta* ta, uint8_t revoked) +{ + ta->revoked = revoked; +} + +/** revoke a trust anchor */ +static void +revoke_dnskey(struct autr_ta* ta, int off) +{ + uint16_t flags; + uint8_t* data; + if(sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len) != + LDNS_RR_TYPE_DNSKEY) + return; + if(sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, ta->dname_len) < 2) + return; + data = sldns_wirerr_get_rdata(ta->rr, ta->rr_len, ta->dname_len); + flags = sldns_read_uint16(data); + if (off && (flags&LDNS_KEY_REVOKE_KEY)) + flags ^= LDNS_KEY_REVOKE_KEY; /* flip */ + else + flags |= LDNS_KEY_REVOKE_KEY; + sldns_write_uint16(data, flags); +} + +/** Compare two RRs skipping the REVOKED bit. Pass rdata(no len) */ +static int +dnskey_compare_skip_revbit(uint8_t* a, size_t a_len, uint8_t* b, size_t b_len) +{ + size_t i; + if(a_len != b_len) + return -1; + /* compare RRs RDATA byte for byte. */ + for(i = 0; i < a_len; i++) + { + uint8_t rdf1, rdf2; + rdf1 = a[i]; + rdf2 = b[i]; + if(i==1) { + /* this is the second part of the flags field */ + rdf1 |= LDNS_KEY_REVOKE_KEY; + rdf2 |= LDNS_KEY_REVOKE_KEY; + } + if (rdf1 < rdf2) return -1; + else if (rdf1 > rdf2) return 1; + } + return 0; +} + + +/** compare trust anchor with rdata, 0 if equal. Pass rdata(no len) */ +static int +ta_compare(struct autr_ta* a, uint16_t t, uint8_t* b, size_t b_len) +{ + if(!a) return -1; + else if(!b) return -1; + else if(sldns_wirerr_get_type(a->rr, a->rr_len, a->dname_len) != t) + return (int)sldns_wirerr_get_type(a->rr, a->rr_len, + a->dname_len) - (int)t; + else if(t == LDNS_RR_TYPE_DNSKEY) { + return dnskey_compare_skip_revbit( + sldns_wirerr_get_rdata(a->rr, a->rr_len, a->dname_len), + sldns_wirerr_get_rdatalen(a->rr, a->rr_len, + a->dname_len), b, b_len); + } + else if(t == LDNS_RR_TYPE_DS) { + if(sldns_wirerr_get_rdatalen(a->rr, a->rr_len, a->dname_len) != + b_len) + return -1; + return memcmp(sldns_wirerr_get_rdata(a->rr, + a->rr_len, a->dname_len), b, b_len); + } + return -1; +} + +/** + * Find key + * @param tp: to search in + * @param t: rr type of the rdata. + * @param rdata: to look for (no rdatalen in it) + * @param rdata_len: length of rdata + * @param result: returns NULL or the ta key looked for. + * @return false on malloc failure during search. if true examine result. + */ +static int +find_key(struct trust_anchor* tp, uint16_t t, uint8_t* rdata, size_t rdata_len, + struct autr_ta** result) +{ + struct autr_ta* ta; + if(!tp || !rdata) { + *result = NULL; + return 0; + } + for(ta=tp->autr->keys; ta; ta=ta->next) { + if(ta_compare(ta, t, rdata, rdata_len) == 0) { + *result = ta; + return 1; + } + } + *result = NULL; + return 1; +} + +/** add key and clone RR and tp already locked. rdata without rdlen. */ +static struct autr_ta* +add_key(struct trust_anchor* tp, uint32_t ttl, uint8_t* rdata, size_t rdata_len) +{ + struct autr_ta* ta; + uint8_t* rr; + size_t rr_len, dname_len; + uint16_t rrtype = htons(LDNS_RR_TYPE_DNSKEY); + uint16_t rrclass = htons(LDNS_RR_CLASS_IN); + uint16_t rdlen = htons(rdata_len); + dname_len = tp->namelen; + ttl = htonl(ttl); + rr_len = dname_len + 10 /* type,class,ttl,rdatalen */ + rdata_len; + rr = (uint8_t*)malloc(rr_len); + if(!rr) return NULL; + memmove(rr, tp->name, tp->namelen); + memmove(rr+dname_len, &rrtype, 2); + memmove(rr+dname_len+2, &rrclass, 2); + memmove(rr+dname_len+4, &ttl, 4); + memmove(rr+dname_len+8, &rdlen, 2); + memmove(rr+dname_len+10, rdata, rdata_len); + ta = autr_ta_create(rr, rr_len, dname_len); + if(!ta) { + /* rr freed in autr_ta_create */ + return NULL; + } + /* link in, tp already locked */ + ta->next = tp->autr->keys; + tp->autr->keys = ta; + return ta; +} + +/** get TTL from DNSKEY rrset */ +static time_t +key_ttl(struct ub_packed_rrset_key* k) +{ + struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; + return d->ttl; +} + +/** update the time values for the trustpoint */ +static void +set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval, + time_t origttl, int* changed) +{ + time_t x, qi = tp->autr->query_interval, rt = tp->autr->retry_time; + + /* x = MIN(15days, ttl/2, expire/2) */ + x = 15 * 24 * 3600; + if(origttl/2 < x) + x = origttl/2; + if(rrsig_exp_interval/2 < x) + x = rrsig_exp_interval/2; + /* MAX(1hr, x) */ + if(x < 3600) + tp->autr->query_interval = 3600; + else tp->autr->query_interval = x; + + /* x= MIN(1day, ttl/10, expire/10) */ + x = 24 * 3600; + if(origttl/10 < x) + x = origttl/10; + if(rrsig_exp_interval/10 < x) + x = rrsig_exp_interval/10; + /* MAX(1hr, x) */ + if(x < 3600) + tp->autr->retry_time = 3600; + else tp->autr->retry_time = x; + + if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) { + *changed = 1; + verbose(VERB_ALGO, "orig_ttl is %d", (int)origttl); + verbose(VERB_ALGO, "rrsig_exp_interval is %d", + (int)rrsig_exp_interval); + verbose(VERB_ALGO, "query_interval: %d, retry_time: %d", + (int)tp->autr->query_interval, + (int)tp->autr->retry_time); + } +} + +/** init events to zero */ +static void +init_events(struct trust_anchor* tp) +{ + struct autr_ta* ta; + for(ta=tp->autr->keys; ta; ta=ta->next) { + ta->fetched = 0; + } +} + +/** check for revoked keys without trusting any other information */ +static void +check_contains_revoked(struct module_env* env, struct val_env* ve, + struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, + int* changed) +{ + struct packed_rrset_data* dd = (struct packed_rrset_data*) + dnskey_rrset->entry.data; + size_t i; + log_assert(ntohs(dnskey_rrset->rk.type) == LDNS_RR_TYPE_DNSKEY); + for(i=0; i<dd->count; i++) { + struct autr_ta* ta = NULL; + if(!rr_is_dnskey_sep(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2) || + !rr_is_dnskey_revoked(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) + continue; /* not a revoked KSK */ + if(!find_key(tp, ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2, &ta)) { + log_err("malloc failure"); + continue; /* malloc fail in compare*/ + } + if(!ta) + continue; /* key not found */ + if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) { + /* checked if there is an rrsig signed by this key. */ + /* same keytag, but stored can be revoked already, so + * compare keytags, with +0 or +128(REVOKE flag) */ + log_assert(dnskey_calc_keytag(dnskey_rrset, i)-128 == + sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len)) || + dnskey_calc_keytag(dnskey_rrset, i) == + sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len))); /* checks conversion*/ + verbose_key(ta, VERB_ALGO, "is self-signed revoked"); + if(!ta->revoked) + *changed = 1; + seen_revoked_trustanchor(ta, 1); + do_revoked(env, ta, changed); + } + } +} + +/** See if a DNSKEY is verified by one of the DSes */ +static int +key_matches_a_ds(struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* dnskey_rrset, size_t key_idx, + struct ub_packed_rrset_key* ds_rrset) +{ + struct packed_rrset_data* dd = (struct packed_rrset_data*) + ds_rrset->entry.data; + size_t ds_idx, num = dd->count; + int d = val_favorite_ds_algo(ds_rrset); + char* reason = ""; + for(ds_idx=0; ds_idx<num; ds_idx++) { + if(!ds_digest_algo_is_supported(ds_rrset, ds_idx) || + !ds_key_algo_is_supported(ds_rrset, ds_idx) || + ds_get_digest_algo(ds_rrset, ds_idx) != d) + continue; + if(ds_get_key_algo(ds_rrset, ds_idx) + != dnskey_get_algo(dnskey_rrset, key_idx) + || dnskey_calc_keytag(dnskey_rrset, key_idx) + != ds_get_keytag(ds_rrset, ds_idx)) { + continue; + } + if(!ds_digest_match_dnskey(env, dnskey_rrset, key_idx, + ds_rrset, ds_idx)) { + verbose(VERB_ALGO, "DS match attempt failed"); + continue; + } + if(dnskey_verify_rrset(env, ve, dnskey_rrset, + dnskey_rrset, key_idx, &reason) == sec_status_secure) { + return 1; + } else { + verbose(VERB_ALGO, "DS match failed because the key " + "does not verify the keyset: %s", reason); + } + } + return 0; +} + +/** Set update events */ +static int +update_events(struct module_env* env, struct val_env* ve, + struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, + int* changed) +{ + struct packed_rrset_data* dd = (struct packed_rrset_data*) + dnskey_rrset->entry.data; + size_t i; + log_assert(ntohs(dnskey_rrset->rk.type) == LDNS_RR_TYPE_DNSKEY); + init_events(tp); + for(i=0; i<dd->count; i++) { + struct autr_ta* ta = NULL; + if(!rr_is_dnskey_sep(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) + continue; + if(rr_is_dnskey_revoked(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) { + /* self-signed revoked keys already detected before, + * other revoked keys are not 'added' again */ + continue; + } + /* is a key of this type supported?. Note rr_list and + * packed_rrset are in the same order. */ + if(!dnskey_algo_is_supported(dnskey_rrset, i)) { + /* skip unknown algorithm key, it is useless to us */ + log_nametypeclass(VERB_DETAIL, "trust point has " + "unsupported algorithm at", + tp->name, LDNS_RR_TYPE_DNSKEY, tp->dclass); + continue; + } + + /* is it new? if revocation bit set, find the unrevoked key */ + if(!find_key(tp, ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2, &ta)) { + return 0; + } + if(!ta) { + ta = add_key(tp, (uint32_t)dd->rr_ttl[i], + dd->rr_data[i]+2, dd->rr_len[i]-2); + *changed = 1; + /* first time seen, do we have DSes? if match: VALID */ + if(ta && tp->ds_rrset && key_matches_a_ds(env, ve, + dnskey_rrset, i, tp->ds_rrset)) { + verbose_key(ta, VERB_ALGO, "verified by DS"); + ta->s = AUTR_STATE_VALID; + } + } + if(!ta) { + return 0; + } + seen_trustanchor(ta, 1); + verbose_key(ta, VERB_ALGO, "in DNS response"); + } + set_tp_times(tp, min_expiry(env, dd), key_ttl(dnskey_rrset), changed); + return 1; +} + +/** + * Check if the holddown time has already exceeded + * setting: add-holddown: add holddown timer + * setting: del-holddown: del holddown timer + * @param env: environment with current time + * @param ta: trust anchor to check for. + * @param holddown: the timer value + * @return number of seconds the holddown has passed. + */ +static time_t +check_holddown(struct module_env* env, struct autr_ta* ta, + unsigned int holddown) +{ + time_t elapsed; + if(*env->now < ta->last_change) { + log_warn("time goes backwards. delaying key holddown"); + return 0; + } + elapsed = *env->now - ta->last_change; + if (elapsed > (time_t)holddown) { + return elapsed-(time_t)holddown; + } + verbose_key(ta, VERB_ALGO, "holddown time " ARG_LL "d seconds to go", + (long long) ((time_t)holddown-elapsed)); + return 0; +} + + +/** Set last_change to now */ +static void +reset_holddown(struct module_env* env, struct autr_ta* ta, int* changed) +{ + ta->last_change = *env->now; + *changed = 1; +} + +/** Set the state for this trust anchor */ +static void +set_trustanchor_state(struct module_env* env, struct autr_ta* ta, int* changed, + autr_state_t s) +{ + verbose_key(ta, VERB_ALGO, "update: %s to %s", + trustanchor_state2str(ta->s), trustanchor_state2str(s)); + ta->s = s; + reset_holddown(env, ta, changed); +} + + +/** Event: NewKey */ +static void +do_newkey(struct module_env* env, struct autr_ta* anchor, int* c) +{ + if (anchor->s == AUTR_STATE_START) + set_trustanchor_state(env, anchor, c, AUTR_STATE_ADDPEND); +} + +/** Event: AddTime */ +static void +do_addtime(struct module_env* env, struct autr_ta* anchor, int* c) +{ + /* This not according to RFC, this is 30 days, but the RFC demands + * MAX(30days, TTL expire time of first DNSKEY set with this key), + * The value may be too small if a very large TTL was used. */ + time_t exceeded = check_holddown(env, anchor, env->cfg->add_holddown); + if (exceeded && anchor->s == AUTR_STATE_ADDPEND) { + verbose_key(anchor, VERB_ALGO, "add-holddown time exceeded " + ARG_LL "d seconds ago, and pending-count %d", + (long long)exceeded, anchor->pending_count); + if(anchor->pending_count >= MIN_PENDINGCOUNT) { + set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID); + anchor->pending_count = 0; + return; + } + verbose_key(anchor, VERB_ALGO, "add-holddown time sanity check " + "failed (pending count: %d)", anchor->pending_count); + } +} + +/** Event: RemTime */ +static void +do_remtime(struct module_env* env, struct autr_ta* anchor, int* c) +{ + time_t exceeded = check_holddown(env, anchor, env->cfg->del_holddown); + if(exceeded && anchor->s == AUTR_STATE_REVOKED) { + verbose_key(anchor, VERB_ALGO, "del-holddown time exceeded " + ARG_LL "d seconds ago", (long long)exceeded); + set_trustanchor_state(env, anchor, c, AUTR_STATE_REMOVED); + } +} + +/** Event: KeyRem */ +static void +do_keyrem(struct module_env* env, struct autr_ta* anchor, int* c) +{ + if(anchor->s == AUTR_STATE_ADDPEND) { + set_trustanchor_state(env, anchor, c, AUTR_STATE_START); + anchor->pending_count = 0; + } else if(anchor->s == AUTR_STATE_VALID) + set_trustanchor_state(env, anchor, c, AUTR_STATE_MISSING); +} + +/** Event: KeyPres */ +static void +do_keypres(struct module_env* env, struct autr_ta* anchor, int* c) +{ + if(anchor->s == AUTR_STATE_MISSING) + set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID); +} + +/* Event: Revoked */ +static void +do_revoked(struct module_env* env, struct autr_ta* anchor, int* c) +{ + if(anchor->s == AUTR_STATE_VALID || anchor->s == AUTR_STATE_MISSING) { + set_trustanchor_state(env, anchor, c, AUTR_STATE_REVOKED); + verbose_key(anchor, VERB_ALGO, "old id, prior to revocation"); + revoke_dnskey(anchor, 0); + verbose_key(anchor, VERB_ALGO, "new id, after revocation"); + } +} + +/** Do statestable transition matrix for anchor */ +static void +anchor_state_update(struct module_env* env, struct autr_ta* anchor, int* c) +{ + log_assert(anchor); + switch(anchor->s) { + /* START */ + case AUTR_STATE_START: + /* NewKey: ADDPEND */ + if (anchor->fetched) + do_newkey(env, anchor, c); + break; + /* ADDPEND */ + case AUTR_STATE_ADDPEND: + /* KeyRem: START */ + if (!anchor->fetched) + do_keyrem(env, anchor, c); + /* AddTime: VALID */ + else do_addtime(env, anchor, c); + break; + /* VALID */ + case AUTR_STATE_VALID: + /* RevBit: REVOKED */ + if (anchor->revoked) + do_revoked(env, anchor, c); + /* KeyRem: MISSING */ + else if (!anchor->fetched) + do_keyrem(env, anchor, c); + else if(!anchor->last_change) { + verbose_key(anchor, VERB_ALGO, "first seen"); + reset_holddown(env, anchor, c); + } + break; + /* MISSING */ + case AUTR_STATE_MISSING: + /* RevBit: REVOKED */ + if (anchor->revoked) + do_revoked(env, anchor, c); + /* KeyPres */ + else if (anchor->fetched) + do_keypres(env, anchor, c); + break; + /* REVOKED */ + case AUTR_STATE_REVOKED: + if (anchor->fetched) + reset_holddown(env, anchor, c); + /* RemTime: REMOVED */ + else do_remtime(env, anchor, c); + break; + /* REMOVED */ + case AUTR_STATE_REMOVED: + default: + break; + } +} + +/** if ZSK init then trust KSKs */ +static int +init_zsk_to_ksk(struct module_env* env, struct trust_anchor* tp, int* changed) +{ + /* search for VALID ZSKs */ + struct autr_ta* anchor; + int validzsk = 0; + int validksk = 0; + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + /* last_change test makes sure it was manually configured */ + if(sldns_wirerr_get_type(anchor->rr, anchor->rr_len, + anchor->dname_len) == LDNS_RR_TYPE_DNSKEY && + anchor->last_change == 0 && + !ta_is_dnskey_sep(anchor) && + anchor->s == AUTR_STATE_VALID) + validzsk++; + } + if(validzsk == 0) + return 0; + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + if (ta_is_dnskey_sep(anchor) && + anchor->s == AUTR_STATE_ADDPEND) { + verbose_key(anchor, VERB_ALGO, "trust KSK from " + "ZSK(config)"); + set_trustanchor_state(env, anchor, changed, + AUTR_STATE_VALID); + validksk++; + } + } + return validksk; +} + +/** Remove missing trustanchors so the list does not grow forever */ +static void +remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, + int* changed) +{ + struct autr_ta* anchor; + time_t exceeded; + int valid = 0; + /* see if we have anchors that are valid */ + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + /* Only do KSKs */ + if (!ta_is_dnskey_sep(anchor)) + continue; + if (anchor->s == AUTR_STATE_VALID) + valid++; + } + /* if there are no SEP Valid anchors, see if we started out with + * a ZSK (last-change=0) anchor, which is VALID and there are KSKs + * now that can be made valid. Do this immediately because there + * is no guarantee that the ZSKs get announced long enough. Usually + * this is immediately after init with a ZSK trusted, unless the domain + * was not advertising any KSKs at all. In which case we perfectly + * track the zero number of KSKs. */ + if(valid == 0) { + valid = init_zsk_to_ksk(env, tp, changed); + if(valid == 0) + return; + } + + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + /* ignore ZSKs if newly added */ + if(anchor->s == AUTR_STATE_START) + continue; + /* remove ZSKs if a KSK is present */ + if (!ta_is_dnskey_sep(anchor)) { + if(valid > 0) { + verbose_key(anchor, VERB_ALGO, "remove ZSK " + "[%d key(s) VALID]", valid); + set_trustanchor_state(env, anchor, changed, + AUTR_STATE_REMOVED); + } + continue; + } + /* Only do MISSING keys */ + if (anchor->s != AUTR_STATE_MISSING) + continue; + if(env->cfg->keep_missing == 0) + continue; /* keep forever */ + + exceeded = check_holddown(env, anchor, env->cfg->keep_missing); + /* If keep_missing has exceeded and we still have more than + * one valid KSK: remove missing trust anchor */ + if (exceeded && valid > 0) { + verbose_key(anchor, VERB_ALGO, "keep-missing time " + "exceeded " ARG_LL "d seconds ago, [%d key(s) VALID]", + (long long)exceeded, valid); + set_trustanchor_state(env, anchor, changed, + AUTR_STATE_REMOVED); + } + } +} + +/** Do the statetable from RFC5011 transition matrix */ +static int +do_statetable(struct module_env* env, struct trust_anchor* tp, int* changed) +{ + struct autr_ta* anchor; + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + /* Only do KSKs */ + if(!ta_is_dnskey_sep(anchor)) + continue; + anchor_state_update(env, anchor, changed); + } + remove_missing_trustanchors(env, tp, changed); + return 1; +} + +/** See if time alone makes ADDPEND to VALID transition */ +static void +autr_holddown_exceed(struct module_env* env, struct trust_anchor* tp, int* c) +{ + struct autr_ta* anchor; + for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { + if(ta_is_dnskey_sep(anchor) && + anchor->s == AUTR_STATE_ADDPEND) + do_addtime(env, anchor, c); + } +} + +/** cleanup key list */ +static void +autr_cleanup_keys(struct trust_anchor* tp) +{ + struct autr_ta* p, **prevp; + prevp = &tp->autr->keys; + p = tp->autr->keys; + while(p) { + /* do we want to remove this key? */ + if(p->s == AUTR_STATE_START || p->s == AUTR_STATE_REMOVED || + sldns_wirerr_get_type(p->rr, p->rr_len, p->dname_len) + != LDNS_RR_TYPE_DNSKEY) { + struct autr_ta* np = p->next; + /* remove */ + free(p->rr); + free(p); + /* snip and go to next item */ + *prevp = np; + p = np; + continue; + } + /* remove pending counts if no longer pending */ + if(p->s != AUTR_STATE_ADDPEND) + p->pending_count = 0; + prevp = &p->next; + p = p->next; + } +} + +/** calculate next probe time */ +static time_t +calc_next_probe(struct module_env* env, time_t wait) +{ + /* make it random, 90-100% */ + time_t rnd, rest; + if(wait < 3600) + wait = 3600; + rnd = wait/10; + rest = wait-rnd; + rnd = (time_t)ub_random_max(env->rnd, (long int)rnd); + return (time_t)(*env->now + rest + rnd); +} + +/** what is first probe time (anchors must be locked) */ +static time_t +wait_probe_time(struct val_anchors* anchors) +{ + rbnode_t* t = rbtree_first(&anchors->autr->probe); + if(t != RBTREE_NULL) + return ((struct trust_anchor*)t->key)->autr->next_probe_time; + return 0; +} + +/** reset worker timer */ +static void +reset_worker_timer(struct module_env* env) +{ + struct timeval tv; +#ifndef S_SPLINT_S + time_t next = (time_t)wait_probe_time(env->anchors); + /* in case this is libunbound, no timer */ + if(!env->probe_timer) + return; + if(next > *env->now) + tv.tv_sec = (time_t)(next - *env->now); + else tv.tv_sec = 0; +#endif + tv.tv_usec = 0; + comm_timer_set(env->probe_timer, &tv); + verbose(VERB_ALGO, "scheduled next probe in " ARG_LL "d sec", (long long)tv.tv_sec); +} + +/** set next probe for trust anchor */ +static int +set_next_probe(struct module_env* env, struct trust_anchor* tp, + struct ub_packed_rrset_key* dnskey_rrset) +{ + struct trust_anchor key, *tp2; + time_t mold, mnew; + /* use memory allocated in rrset for temporary name storage */ + key.node.key = &key; + key.name = dnskey_rrset->rk.dname; + key.namelen = dnskey_rrset->rk.dname_len; + key.namelabs = dname_count_labels(key.name); + key.dclass = tp->dclass; + lock_basic_unlock(&tp->lock); + + /* fetch tp again and lock anchors, so that we can modify the trees */ + lock_basic_lock(&env->anchors->lock); + tp2 = (struct trust_anchor*)rbtree_search(env->anchors->tree, &key); + if(!tp2) { + verbose(VERB_ALGO, "trustpoint was deleted in set_next_probe"); + lock_basic_unlock(&env->anchors->lock); + return 0; + } + log_assert(tp == tp2); + lock_basic_lock(&tp->lock); + + /* schedule */ + mold = wait_probe_time(env->anchors); + (void)rbtree_delete(&env->anchors->autr->probe, tp); + tp->autr->next_probe_time = calc_next_probe(env, + tp->autr->query_interval); + (void)rbtree_insert(&env->anchors->autr->probe, &tp->autr->pnode); + mnew = wait_probe_time(env->anchors); + + lock_basic_unlock(&env->anchors->lock); + verbose(VERB_ALGO, "next probe set in %d seconds", + (int)tp->autr->next_probe_time - (int)*env->now); + if(mold != mnew) { + reset_worker_timer(env); + } + return 1; +} + +/** Revoke and Delete a trust point */ +static void +autr_tp_remove(struct module_env* env, struct trust_anchor* tp, + struct ub_packed_rrset_key* dnskey_rrset) +{ + struct trust_anchor* del_tp; + struct trust_anchor key; + struct autr_point_data pd; + time_t mold, mnew; + + log_nametypeclass(VERB_OPS, "trust point was revoked", + tp->name, LDNS_RR_TYPE_DNSKEY, tp->dclass); + tp->autr->revoked = 1; + + /* use space allocated for dnskey_rrset to save name of anchor */ + memset(&key, 0, sizeof(key)); + memset(&pd, 0, sizeof(pd)); + key.autr = &pd; + key.node.key = &key; + pd.pnode.key = &key; + pd.next_probe_time = tp->autr->next_probe_time; + key.name = dnskey_rrset->rk.dname; + key.namelen = tp->namelen; + key.namelabs = tp->namelabs; + key.dclass = tp->dclass; + + /* unlock */ + lock_basic_unlock(&tp->lock); + + /* take from tree. It could be deleted by someone else,hence (void). */ + lock_basic_lock(&env->anchors->lock); + del_tp = (struct trust_anchor*)rbtree_delete(env->anchors->tree, &key); + mold = wait_probe_time(env->anchors); + (void)rbtree_delete(&env->anchors->autr->probe, &key); + mnew = wait_probe_time(env->anchors); + anchors_init_parents_locked(env->anchors); + lock_basic_unlock(&env->anchors->lock); + + /* if !del_tp then the trust point is no longer present in the tree, + * it was deleted by someone else, who will write the zonefile and + * clean up the structure */ + if(del_tp) { + /* save on disk */ + del_tp->autr->next_probe_time = 0; /* no more probing for it */ + autr_write_file(env, del_tp); + + /* delete */ + autr_point_delete(del_tp); + } + if(mold != mnew) { + reset_worker_timer(env); + } +} + +int autr_process_prime(struct module_env* env, struct val_env* ve, + struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset) +{ + int changed = 0; + log_assert(tp && tp->autr); + /* autotrust update trust anchors */ + /* the tp is locked, and stays locked unless it is deleted */ + + /* we could just catch the anchor here while another thread + * is busy deleting it. Just unlock and let the other do its job */ + if(tp->autr->revoked) { + log_nametypeclass(VERB_ALGO, "autotrust not processed, " + "trust point revoked", tp->name, + LDNS_RR_TYPE_DNSKEY, tp->dclass); + lock_basic_unlock(&tp->lock); + return 0; /* it is revoked */ + } + + /* query_dnskeys(): */ + tp->autr->last_queried = *env->now; + + log_nametypeclass(VERB_ALGO, "autotrust process for", + tp->name, LDNS_RR_TYPE_DNSKEY, tp->dclass); + /* see if time alone makes some keys valid */ + autr_holddown_exceed(env, tp, &changed); + if(changed) { + verbose(VERB_ALGO, "autotrust: morekeys, reassemble"); + if(!autr_assemble(tp)) { + log_err("malloc failure assembling autotrust keys"); + return 1; /* unchanged */ + } + } + /* did we get any data? */ + if(!dnskey_rrset) { + verbose(VERB_ALGO, "autotrust: no dnskey rrset"); + /* no update of query_failed, because then we would have + * to write to disk. But we cannot because we maybe are + * still 'initialising' with DS records, that we cannot write + * in the full format (which only contains KSKs). */ + return 1; /* trust point exists */ + } + /* check for revoked keys to remove immediately */ + check_contains_revoked(env, ve, tp, dnskey_rrset, &changed); + if(changed) { + verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble"); + if(!autr_assemble(tp)) { + log_err("malloc failure assembling autotrust keys"); + return 1; /* unchanged */ + } + if(!tp->ds_rrset && !tp->dnskey_rrset) { + /* no more keys, all are revoked */ + /* this is a success for this probe attempt */ + tp->autr->last_success = *env->now; + autr_tp_remove(env, tp, dnskey_rrset); + return 0; /* trust point removed */ + } + } + /* verify the dnskey rrset and see if it is valid. */ + if(!verify_dnskey(env, ve, tp, dnskey_rrset)) { + verbose(VERB_ALGO, "autotrust: dnskey did not verify."); + /* only increase failure count if this is not the first prime, + * this means there was a previous succesful probe */ + if(tp->autr->last_success) { + tp->autr->query_failed += 1; + autr_write_file(env, tp); + } + return 1; /* trust point exists */ + } + + tp->autr->last_success = *env->now; + tp->autr->query_failed = 0; + + /* Add new trust anchors to the data structure + * - note which trust anchors are seen this probe. + * Set trustpoint query_interval and retry_time. + * - find minimum rrsig expiration interval + */ + if(!update_events(env, ve, tp, dnskey_rrset, &changed)) { + log_err("malloc failure in autotrust update_events. " + "trust point unchanged."); + return 1; /* trust point unchanged, so exists */ + } + + /* - for every SEP key do the 5011 statetable. + * - remove missing trustanchors (if veryold and we have new anchors). + */ + if(!do_statetable(env, tp, &changed)) { + log_err("malloc failure in autotrust do_statetable. " + "trust point unchanged."); + return 1; /* trust point unchanged, so exists */ + } + + autr_cleanup_keys(tp); + if(!set_next_probe(env, tp, dnskey_rrset)) + return 0; /* trust point does not exist */ + autr_write_file(env, tp); + if(changed) { + verbose(VERB_ALGO, "autotrust: changed, reassemble"); + if(!autr_assemble(tp)) { + log_err("malloc failure assembling autotrust keys"); + return 1; /* unchanged */ + } + if(!tp->ds_rrset && !tp->dnskey_rrset) { + /* no more keys, all are revoked */ + autr_tp_remove(env, tp, dnskey_rrset); + return 0; /* trust point removed */ + } + } else verbose(VERB_ALGO, "autotrust: no changes"); + + return 1; /* trust point exists */ +} + +/** debug print a trust anchor key */ +static void +autr_debug_print_ta(struct autr_ta* ta) +{ + char buf[32]; + char* str = sldns_wire2str_rr(ta->rr, ta->rr_len); + if(!str) { + log_info("out of memory in debug_print_ta"); + return; + } + if(str && str[0]) str[strlen(str)-1]=0; /* remove newline */ + ctime_r(&ta->last_change, buf); + if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ + log_info("[%s] %s ;;state:%d ;;pending_count:%d%s%s last:%s", + trustanchor_state2str(ta->s), str, ta->s, ta->pending_count, + ta->fetched?" fetched":"", ta->revoked?" revoked":"", buf); + free(str); +} + +/** debug print a trust point */ +static void +autr_debug_print_tp(struct trust_anchor* tp) +{ + struct autr_ta* ta; + char buf[257]; + if(!tp->autr) + return; + dname_str(tp->name, buf); + log_info("trust point %s : %d", buf, (int)tp->dclass); + log_info("assembled %d DS and %d DNSKEYs", + (int)tp->numDS, (int)tp->numDNSKEY); + if(tp->ds_rrset) { + log_packed_rrset(0, "DS:", tp->ds_rrset); + } + if(tp->dnskey_rrset) { + log_packed_rrset(0, "DNSKEY:", tp->dnskey_rrset); + } + log_info("file %s", tp->autr->file); + ctime_r(&tp->autr->last_queried, buf); + if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ + log_info("last_queried: %u %s", (unsigned)tp->autr->last_queried, buf); + ctime_r(&tp->autr->last_success, buf); + if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ + log_info("last_success: %u %s", (unsigned)tp->autr->last_success, buf); + ctime_r(&tp->autr->next_probe_time, buf); + if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */ + log_info("next_probe_time: %u %s", (unsigned)tp->autr->next_probe_time, + buf); + log_info("query_interval: %u", (unsigned)tp->autr->query_interval); + log_info("retry_time: %u", (unsigned)tp->autr->retry_time); + log_info("query_failed: %u", (unsigned)tp->autr->query_failed); + + for(ta=tp->autr->keys; ta; ta=ta->next) { + autr_debug_print_ta(ta); + } +} + +void +autr_debug_print(struct val_anchors* anchors) +{ + struct trust_anchor* tp; + lock_basic_lock(&anchors->lock); + RBTREE_FOR(tp, struct trust_anchor*, anchors->tree) { + lock_basic_lock(&tp->lock); + autr_debug_print_tp(tp); + lock_basic_unlock(&tp->lock); + } + lock_basic_unlock(&anchors->lock); +} + +void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), + sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec), + char* ATTR_UNUSED(why_bogus)) +{ + /* retry was set before the query was done, + * re-querytime is set when query succeeded, but that may not + * have reset this timer because the query could have been + * handled by another thread. In that case, this callback would + * get called after the original timeout is done. + * By not resetting the timer, it may probe more often, but not + * less often. + * Unless the new lookup resulted in smaller TTLs and thus smaller + * timeout values. In that case one old TTL could be mistakenly done. + */ + struct module_env* env = (struct module_env*)arg; + verbose(VERB_ALGO, "autotrust probe answer cb"); + reset_worker_timer(env); +} + +/** probe a trust anchor DNSKEY and unlocks tp */ +static void +probe_anchor(struct module_env* env, struct trust_anchor* tp) +{ + struct query_info qinfo; + uint16_t qflags = BIT_RD; + struct edns_data edns; + sldns_buffer* buf = env->scratch_buffer; + qinfo.qname = regional_alloc_init(env->scratch, tp->name, tp->namelen); + if(!qinfo.qname) { + log_err("out of memory making 5011 probe"); + return; + } + qinfo.qname_len = tp->namelen; + qinfo.qtype = LDNS_RR_TYPE_DNSKEY; + qinfo.qclass = tp->dclass; + log_query_info(VERB_ALGO, "autotrust probe", &qinfo); + verbose(VERB_ALGO, "retry probe set in %d seconds", + (int)tp->autr->next_probe_time - (int)*env->now); + edns.edns_present = 1; + edns.ext_rcode = 0; + edns.edns_version = 0; + edns.bits = EDNS_DO; + if(sldns_buffer_capacity(buf) < 65535) + edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); + else edns.udp_size = 65535; + + /* can't hold the lock while mesh_run is processing */ + lock_basic_unlock(&tp->lock); + + /* delete the DNSKEY from rrset and key cache so an active probe + * is done. First the rrset so another thread does not use it + * to recreate the key entry in a race condition. */ + rrset_cache_remove(env->rrset_cache, qinfo.qname, qinfo.qname_len, + qinfo.qtype, qinfo.qclass, 0); + key_cache_remove(env->key_cache, qinfo.qname, qinfo.qname_len, + qinfo.qclass); + + if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, + &probe_answer_cb, env)) { + log_err("out of memory making 5011 probe"); + } +} + +/** fetch first to-probe trust-anchor and lock it and set retrytime */ +static struct trust_anchor* +todo_probe(struct module_env* env, time_t* next) +{ + struct trust_anchor* tp; + rbnode_t* el; + /* get first one */ + lock_basic_lock(&env->anchors->lock); + if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) { + /* in case of revoked anchors */ + lock_basic_unlock(&env->anchors->lock); + return NULL; + } + tp = (struct trust_anchor*)el->key; + lock_basic_lock(&tp->lock); + + /* is it eligible? */ + if((time_t)tp->autr->next_probe_time > *env->now) { + /* no more to probe */ + *next = (time_t)tp->autr->next_probe_time - *env->now; + lock_basic_unlock(&tp->lock); + lock_basic_unlock(&env->anchors->lock); + return NULL; + } + + /* reset its next probe time */ + (void)rbtree_delete(&env->anchors->autr->probe, tp); + tp->autr->next_probe_time = calc_next_probe(env, tp->autr->retry_time); + (void)rbtree_insert(&env->anchors->autr->probe, &tp->autr->pnode); + lock_basic_unlock(&env->anchors->lock); + + return tp; +} + +time_t +autr_probe_timer(struct module_env* env) +{ + struct trust_anchor* tp; + time_t next_probe = 3600; + int num = 0; + verbose(VERB_ALGO, "autotrust probe timer callback"); + /* while there are still anchors to probe */ + while( (tp = todo_probe(env, &next_probe)) ) { + /* make a probe for this anchor */ + probe_anchor(env, tp); + num++; + } + regional_free_all(env->scratch); + if(num == 0) + return 0; /* no trust points to probe */ + verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num); + return next_probe; +} |