1/*
2 * validator/val_anchor.h - validator trust anchor storage.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
| 1/*
2 * validator/val_anchor.h - validator trust anchor storage.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
| 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
34 */
35
36/**
37 * \file
38 *
39 * This file contains storage for the trust anchors for the validator.
40 */
41
42#ifndef VALIDATOR_VAL_ANCHOR_H
43#define VALIDATOR_VAL_ANCHOR_H
44#include "util/rbtree.h"
45#include "util/locks.h"
46struct trust_anchor;
47struct config_file;
48struct ub_packed_rrset_key;
49struct autr_point_data;
50struct autr_global_data;
| 34 */
35
36/**
37 * \file
38 *
39 * This file contains storage for the trust anchors for the validator.
40 */
41
42#ifndef VALIDATOR_VAL_ANCHOR_H
43#define VALIDATOR_VAL_ANCHOR_H
44#include "util/rbtree.h"
45#include "util/locks.h"
46struct trust_anchor;
47struct config_file;
48struct ub_packed_rrset_key;
49struct autr_point_data;
50struct autr_global_data;
|
| 51struct sldns_buffer;
|
51
52/**
53 * Trust anchor store.
54 * The tree must be locked, while no other locks (from trustanchors) are held.
55 * And then an anchor searched for. Which can be locked or deleted. Then
56 * the tree can be unlocked again. This means you have to release the lock
57 * on a trust anchor and look it up again to delete it.
58 */
59struct val_anchors {
60 /** lock on trees */
61 lock_basic_t lock;
62 /**
63 * Anchors are store in this tree. Sort order is chosen, so that
64 * dnames are in nsec-like order. A lookup on class, name will return
65 * an exact match of the closest match, with the ancestor needed.
66 * contents of type trust_anchor.
67 */
68 rbtree_t* tree;
69 /** The DLV trust anchor (if one is configured, else NULL) */
70 struct trust_anchor* dlv_anchor;
71 /** Autotrust global data, anchors sorted by next probe time */
72 struct autr_global_data* autr;
73};
74
75/**
76 * Trust anchor key
77 */
78struct ta_key {
79 /** next in list */
80 struct ta_key* next;
81 /** rdata, in wireformat of the key RR. starts with rdlength. */
82 uint8_t* data;
83 /** length of the rdata (including rdlength). */
84 size_t len;
85 /** DNS type (host format) of the key, DS or DNSKEY */
86 uint16_t type;
87};
88
89/**
90 * A trust anchor in the trust anchor store.
91 * Unique by name, class.
92 */
93struct trust_anchor {
94 /** rbtree node, key is this structure */
95 rbnode_t node;
96 /** lock on the entire anchor and its keys; for autotrust changes */
97 lock_basic_t lock;
98 /** name of this trust anchor */
99 uint8_t* name;
100 /** length of name */
101 size_t namelen;
102 /** number of labels in name of rrset */
103 int namelabs;
104 /** the ancestor in the trustanchor tree */
105 struct trust_anchor* parent;
106 /**
107 * List of DS or DNSKEY rrs that form the trust anchor.
108 */
109 struct ta_key* keylist;
110 /** Autotrust anchor point data, or NULL */
111 struct autr_point_data* autr;
112 /** number of DSs in the keylist */
113 size_t numDS;
114 /** number of DNSKEYs in the keylist */
115 size_t numDNSKEY;
116 /** the DS RRset */
117 struct ub_packed_rrset_key* ds_rrset;
118 /** The DNSKEY RRset */
119 struct ub_packed_rrset_key* dnskey_rrset;
120 /** class of the trust anchor */
121 uint16_t dclass;
122};
123
124/**
125 * Create trust anchor storage
126 * @return new storage or NULL on error.
127 */
128struct val_anchors* anchors_create(void);
129
130/**
131 * Delete trust anchor storage.
132 * @param anchors: to delete.
133 */
134void anchors_delete(struct val_anchors* anchors);
135
136/**
137 * Process trust anchor config.
138 * @param anchors: struct anchor storage
139 * @param cfg: config options.
140 * @return 0 on error.
141 */
142int anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg);
143
144/**
145 * Recalculate parent pointers. The caller must hold the lock on the
146 * anchors structure (say after removing an item from the rbtree).
147 * Caller must not hold any locks on trust anchors.
148 * After the call is complete the parent pointers are updated and an item
149 * just removed is no longer referenced in parent pointers.
150 * @param anchors: the structure to update.
151 */
152void anchors_init_parents_locked(struct val_anchors* anchors);
153
154/**
155 * Given a qname/qclass combination, find the trust anchor closest above it.
156 * Or return NULL if none exists.
157 *
158 * @param anchors: struct anchor storage
159 * @param qname: query name, uncompressed wireformat.
160 * @param qname_len: length of qname.
161 * @param qclass: class to query for.
162 * @return the trust anchor or NULL if none is found. The anchor is locked.
163 */
164struct trust_anchor* anchors_lookup(struct val_anchors* anchors,
165 uint8_t* qname, size_t qname_len, uint16_t qclass);
166
167/**
168 * Find a trust anchor. Exact matching.
169 * @param anchors: anchor storage.
170 * @param name: name of trust anchor (wireformat)
171 * @param namelabs: labels in name
172 * @param namelen: length of name
173 * @param dclass: class of trust anchor
174 * @return NULL if not found. The anchor is locked.
175 */
176struct trust_anchor* anchor_find(struct val_anchors* anchors,
177 uint8_t* name, int namelabs, size_t namelen, uint16_t dclass);
178
179/**
180 * Store one string as trust anchor RR.
181 * @param anchors: anchor storage.
182 * @param buffer: parsing buffer, to generate the RR wireformat in.
183 * @param str: string.
184 * @return NULL on error.
185 */
186struct trust_anchor* anchor_store_str(struct val_anchors* anchors,
| 52
53/**
54 * Trust anchor store.
55 * The tree must be locked, while no other locks (from trustanchors) are held.
56 * And then an anchor searched for. Which can be locked or deleted. Then
57 * the tree can be unlocked again. This means you have to release the lock
58 * on a trust anchor and look it up again to delete it.
59 */
60struct val_anchors {
61 /** lock on trees */
62 lock_basic_t lock;
63 /**
64 * Anchors are store in this tree. Sort order is chosen, so that
65 * dnames are in nsec-like order. A lookup on class, name will return
66 * an exact match of the closest match, with the ancestor needed.
67 * contents of type trust_anchor.
68 */
69 rbtree_t* tree;
70 /** The DLV trust anchor (if one is configured, else NULL) */
71 struct trust_anchor* dlv_anchor;
72 /** Autotrust global data, anchors sorted by next probe time */
73 struct autr_global_data* autr;
74};
75
76/**
77 * Trust anchor key
78 */
79struct ta_key {
80 /** next in list */
81 struct ta_key* next;
82 /** rdata, in wireformat of the key RR. starts with rdlength. */
83 uint8_t* data;
84 /** length of the rdata (including rdlength). */
85 size_t len;
86 /** DNS type (host format) of the key, DS or DNSKEY */
87 uint16_t type;
88};
89
90/**
91 * A trust anchor in the trust anchor store.
92 * Unique by name, class.
93 */
94struct trust_anchor {
95 /** rbtree node, key is this structure */
96 rbnode_t node;
97 /** lock on the entire anchor and its keys; for autotrust changes */
98 lock_basic_t lock;
99 /** name of this trust anchor */
100 uint8_t* name;
101 /** length of name */
102 size_t namelen;
103 /** number of labels in name of rrset */
104 int namelabs;
105 /** the ancestor in the trustanchor tree */
106 struct trust_anchor* parent;
107 /**
108 * List of DS or DNSKEY rrs that form the trust anchor.
109 */
110 struct ta_key* keylist;
111 /** Autotrust anchor point data, or NULL */
112 struct autr_point_data* autr;
113 /** number of DSs in the keylist */
114 size_t numDS;
115 /** number of DNSKEYs in the keylist */
116 size_t numDNSKEY;
117 /** the DS RRset */
118 struct ub_packed_rrset_key* ds_rrset;
119 /** The DNSKEY RRset */
120 struct ub_packed_rrset_key* dnskey_rrset;
121 /** class of the trust anchor */
122 uint16_t dclass;
123};
124
125/**
126 * Create trust anchor storage
127 * @return new storage or NULL on error.
128 */
129struct val_anchors* anchors_create(void);
130
131/**
132 * Delete trust anchor storage.
133 * @param anchors: to delete.
134 */
135void anchors_delete(struct val_anchors* anchors);
136
137/**
138 * Process trust anchor config.
139 * @param anchors: struct anchor storage
140 * @param cfg: config options.
141 * @return 0 on error.
142 */
143int anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg);
144
145/**
146 * Recalculate parent pointers. The caller must hold the lock on the
147 * anchors structure (say after removing an item from the rbtree).
148 * Caller must not hold any locks on trust anchors.
149 * After the call is complete the parent pointers are updated and an item
150 * just removed is no longer referenced in parent pointers.
151 * @param anchors: the structure to update.
152 */
153void anchors_init_parents_locked(struct val_anchors* anchors);
154
155/**
156 * Given a qname/qclass combination, find the trust anchor closest above it.
157 * Or return NULL if none exists.
158 *
159 * @param anchors: struct anchor storage
160 * @param qname: query name, uncompressed wireformat.
161 * @param qname_len: length of qname.
162 * @param qclass: class to query for.
163 * @return the trust anchor or NULL if none is found. The anchor is locked.
164 */
165struct trust_anchor* anchors_lookup(struct val_anchors* anchors,
166 uint8_t* qname, size_t qname_len, uint16_t qclass);
167
168/**
169 * Find a trust anchor. Exact matching.
170 * @param anchors: anchor storage.
171 * @param name: name of trust anchor (wireformat)
172 * @param namelabs: labels in name
173 * @param namelen: length of name
174 * @param dclass: class of trust anchor
175 * @return NULL if not found. The anchor is locked.
176 */
177struct trust_anchor* anchor_find(struct val_anchors* anchors,
178 uint8_t* name, int namelabs, size_t namelen, uint16_t dclass);
179
180/**
181 * Store one string as trust anchor RR.
182 * @param anchors: anchor storage.
183 * @param buffer: parsing buffer, to generate the RR wireformat in.
184 * @param str: string.
185 * @return NULL on error.
186 */
187struct trust_anchor* anchor_store_str(struct val_anchors* anchors,
|
187 ldns_buffer* buffer, const char* str);
| 188 struct sldns_buffer* buffer, const char* str);
|
188
189/**
190 * Get memory in use by the trust anchor storage
191 * @param anchors: anchor storage.
192 * @return memory in use in bytes.
193 */
194size_t anchors_get_mem(struct val_anchors* anchors);
195
196/** compare two trust anchors */
197int anchor_cmp(const void* k1, const void* k2);
198
199/**
200 * Add insecure point trust anchor. For external use (locks and init_parents)
201 * @param anchors: anchor storage.
202 * @param c: class.
203 * @param nm: name of insecure trust point.
204 * @return false on alloc failure.
205 */
206int anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm);
207
208/**
209 * Delete insecure point trust anchor. Does not remove if no such point.
210 * For external use (locks and init_parents)
211 * @param anchors: anchor storage.
212 * @param c: class.
213 * @param nm: name of insecure trust point.
214 */
215void anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
216 uint8_t* nm);
217
218#endif /* VALIDATOR_VAL_ANCHOR_H */
| 189
190/**
191 * Get memory in use by the trust anchor storage
192 * @param anchors: anchor storage.
193 * @return memory in use in bytes.
194 */
195size_t anchors_get_mem(struct val_anchors* anchors);
196
197/** compare two trust anchors */
198int anchor_cmp(const void* k1, const void* k2);
199
200/**
201 * Add insecure point trust anchor. For external use (locks and init_parents)
202 * @param anchors: anchor storage.
203 * @param c: class.
204 * @param nm: name of insecure trust point.
205 * @return false on alloc failure.
206 */
207int anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm);
208
209/**
210 * Delete insecure point trust anchor. Does not remove if no such point.
211 * For external use (locks and init_parents)
212 * @param anchors: anchor storage.
213 * @param c: class.
214 * @param nm: name of insecure trust point.
215 */
216void anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
217 uint8_t* nm);
218
219#endif /* VALIDATOR_VAL_ANCHOR_H */
|