val_anchor.h revision 269257 
1219820Sjeff/*
2219820Sjeff * validator/val_anchor.h - validator trust anchor storage.
3219820Sjeff *
4219820Sjeff * Copyright (c) 2007, NLnet Labs. All rights reserved.
5219820Sjeff *
6219820Sjeff * This software is open source.
7219820Sjeff *
8219820Sjeff * Redistribution and use in source and binary forms, with or without
9219820Sjeff * modification, are permitted provided that the following conditions
10219820Sjeff * are met:
11219820Sjeff *
12219820Sjeff * Redistributions of source code must retain the above copyright notice,
13219820Sjeff * this list of conditions and the following disclaimer.
14219820Sjeff *
15219820Sjeff * Redistributions in binary form must reproduce the above copyright notice,
16219820Sjeff * this list of conditions and the following disclaimer in the documentation
17219820Sjeff * and/or other materials provided with the distribution.
18219820Sjeff *
19219820Sjeff * Neither the name of the NLNET LABS nor the names of its contributors may
20219820Sjeff * be used to endorse or promote products derived from this software without
21219820Sjeff * specific prior written permission.
22219820Sjeff *
23219820Sjeff * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24219820Sjeff * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25219820Sjeff * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26219820Sjeff * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27219820Sjeff * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28219820Sjeff * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29219820Sjeff * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30219820Sjeff * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31219820Sjeff * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32219820Sjeff * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33219820Sjeff * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34219820Sjeff */
35219820Sjeff
36219820Sjeff/**
37219820Sjeff * \file
38219820Sjeff *
39219820Sjeff * This file contains storage for the trust anchors for the validator.
40219820Sjeff */
41219820Sjeff
42219820Sjeff#ifndef VALIDATOR_VAL_ANCHOR_H
43219820Sjeff#define VALIDATOR_VAL_ANCHOR_H
44219820Sjeff#include "util/rbtree.h"
45219820Sjeff#include "util/locks.h"
46219820Sjeffstruct trust_anchor;
47219820Sjeffstruct config_file;
48219820Sjeffstruct ub_packed_rrset_key;
49219820Sjeffstruct autr_point_data;
50219820Sjeffstruct autr_global_data;
51219820Sjeffstruct sldns_buffer;
52219820Sjeff
53219820Sjeff/**
54219820Sjeff * Trust anchor store.
55219820Sjeff * The tree must be locked, while no other locks (from trustanchors) are held.
56219820Sjeff * And then an anchor searched for.  Which can be locked or deleted.  Then
57219820Sjeff * the tree can be unlocked again.  This means you have to release the lock
58219820Sjeff * on a trust anchor and look it up again to delete it.
59219820Sjeff */
60219820Sjeffstruct val_anchors {
61219820Sjeff	/** lock on trees */
62219820Sjeff	lock_basic_t lock;
63219820Sjeff	/**
64219820Sjeff	 * Anchors are store in this tree. Sort order is chosen, so that
65219820Sjeff	 * dnames are in nsec-like order. A lookup on class, name will return
66219820Sjeff	 * an exact match of the closest match, with the ancestor needed.
67219820Sjeff	 * contents of type trust_anchor.
68219820Sjeff	 */
69219820Sjeff	rbtree_t* tree;
70219820Sjeff	/** The DLV trust anchor (if one is configured, else NULL) */
71219820Sjeff	struct trust_anchor* dlv_anchor;
72219820Sjeff	/** Autotrust global data, anchors sorted by next probe time */
73219820Sjeff	struct autr_global_data* autr;
74219820Sjeff};
75219820Sjeff
76219820Sjeff/**
77219820Sjeff * Trust anchor key
78219820Sjeff */
79219820Sjeffstruct ta_key {
80219820Sjeff	/** next in list */
81219820Sjeff	struct ta_key* next;
82219820Sjeff	/** rdata, in wireformat of the key RR. starts with rdlength. */
83219820Sjeff	uint8_t* data;
84219820Sjeff	/** length of the rdata (including rdlength). */
85219820Sjeff	size_t len;
86219820Sjeff	/** DNS type (host format) of the key, DS or DNSKEY */
87219820Sjeff	uint16_t type;
88219820Sjeff};
89219820Sjeff
90219820Sjeff/**
91219820Sjeff * A trust anchor in the trust anchor store.
92219820Sjeff * Unique by name, class.
93219820Sjeff */
94219820Sjeffstruct trust_anchor {
95219820Sjeff	/** rbtree node, key is this structure */
96219820Sjeff	rbnode_t node;
97219820Sjeff	/** lock on the entire anchor and its keys; for autotrust changes */
98219820Sjeff	lock_basic_t lock;
99219820Sjeff	/** name of this trust anchor */
100219820Sjeff	uint8_t* name;
101219820Sjeff	/** length of name */
102219820Sjeff	size_t namelen;
103219820Sjeff	/** number of labels in name of rrset */
104219820Sjeff	int namelabs;
105219820Sjeff	/** the ancestor in the trustanchor tree */
106219820Sjeff	struct trust_anchor* parent;
107219820Sjeff	/**
108219820Sjeff	 * List of DS or DNSKEY rrs that form the trust anchor.
109219820Sjeff	 */
110219820Sjeff	struct ta_key* keylist;
111219820Sjeff	/** Autotrust anchor point data, or NULL */
112219820Sjeff	struct autr_point_data* autr;
113219820Sjeff	/** number of DSs in the keylist */
114219820Sjeff	size_t numDS;
115219820Sjeff	/** number of DNSKEYs in the keylist */
116219820Sjeff	size_t numDNSKEY;
117219820Sjeff	/** the DS RRset */
118219820Sjeff	struct ub_packed_rrset_key* ds_rrset;
119219820Sjeff	/** The DNSKEY RRset */
120219820Sjeff	struct ub_packed_rrset_key* dnskey_rrset;
121219820Sjeff	/** class of the trust anchor */
122219820Sjeff	uint16_t dclass;
123219820Sjeff};
124219820Sjeff
125219820Sjeff/**
126219820Sjeff * Create trust anchor storage
127219820Sjeff * @return new storage or NULL on error.
128219820Sjeff */
129219820Sjeffstruct val_anchors* anchors_create(void);
130219820Sjeff
131219820Sjeff/**
132219820Sjeff * Delete trust anchor storage.
133219820Sjeff * @param anchors: to delete.
134219820Sjeff */
135219820Sjeffvoid anchors_delete(struct val_anchors* anchors);
136219820Sjeff
137219820Sjeff/**
138219820Sjeff * Process trust anchor config.
139219820Sjeff * @param anchors: struct anchor storage
140219820Sjeff * @param cfg: config options.
141219820Sjeff * @return 0 on error.
142219820Sjeff */
143219820Sjeffint anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg);
144219820Sjeff
145219820Sjeff/**
146219820Sjeff * Recalculate parent pointers.  The caller must hold the lock on the
147219820Sjeff * anchors structure (say after removing an item from the rbtree).
148219820Sjeff * Caller must not hold any locks on trust anchors.
149219820Sjeff * After the call is complete the parent pointers are updated and an item
150219820Sjeff * just removed is no longer referenced in parent pointers.
151219820Sjeff * @param anchors: the structure to update.
152219820Sjeff */
153219820Sjeffvoid anchors_init_parents_locked(struct val_anchors* anchors);
154219820Sjeff
155219820Sjeff/**
156219820Sjeff * Given a qname/qclass combination, find the trust anchor closest above it.
157219820Sjeff * Or return NULL if none exists.
158219820Sjeff *
159219820Sjeff * @param anchors: struct anchor storage
160219820Sjeff * @param qname: query name, uncompressed wireformat.
161219820Sjeff * @param qname_len: length of qname.
162219820Sjeff * @param qclass: class to query for.
163219820Sjeff * @return the trust anchor or NULL if none is found. The anchor is locked.
164219820Sjeff */
165219820Sjeffstruct trust_anchor* anchors_lookup(struct val_anchors* anchors,
166219820Sjeff	uint8_t* qname, size_t qname_len, uint16_t qclass);
167219820Sjeff
168219820Sjeff/**
169219820Sjeff * Find a trust anchor. Exact matching.
170219820Sjeff * @param anchors: anchor storage.
171219820Sjeff * @param name: name of trust anchor (wireformat)
172219820Sjeff * @param namelabs: labels in name
173219820Sjeff * @param namelen: length of name
174219820Sjeff * @param dclass: class of trust anchor
175219820Sjeff * @return NULL if not found. The anchor is locked.
176219820Sjeff */
177219820Sjeffstruct trust_anchor* anchor_find(struct val_anchors* anchors,
178219820Sjeff	uint8_t* name, int namelabs, size_t namelen, uint16_t dclass);
179219820Sjeff
180219820Sjeff/**
181219820Sjeff * Store one string as trust anchor RR.
182219820Sjeff * @param anchors: anchor storage.
183219820Sjeff * @param buffer: parsing buffer, to generate the RR wireformat in.
184219820Sjeff * @param str: string.
185219820Sjeff * @return NULL on error.
186219820Sjeff */
187219820Sjeffstruct trust_anchor* anchor_store_str(struct val_anchors* anchors,
188219820Sjeff	struct sldns_buffer* buffer, const char* str);
189219820Sjeff
190219820Sjeff/**
191219820Sjeff * Get memory in use by the trust anchor storage
192219820Sjeff * @param anchors: anchor storage.
193219820Sjeff * @return memory in use in bytes.
194219820Sjeff */
195219820Sjeffsize_t anchors_get_mem(struct val_anchors* anchors);
196219820Sjeff
197219820Sjeff/** compare two trust anchors */
198219820Sjeffint anchor_cmp(const void* k1, const void* k2);
199219820Sjeff
200219820Sjeff/**
201219820Sjeff * Add insecure point trust anchor.  For external use (locks and init_parents)
202219820Sjeff * @param anchors: anchor storage.
203219820Sjeff * @param c: class.
204219820Sjeff * @param nm: name of insecure trust point.
205219820Sjeff * @return false on alloc failure.
206219820Sjeff */
207219820Sjeffint anchors_add_insecure(struct val_anchors* anchors, uint16_t c, uint8_t* nm);
208219820Sjeff
209219820Sjeff/**
210219820Sjeff * Delete insecure point trust anchor.  Does not remove if no such point.
211219820Sjeff * For external use (locks and init_parents)
212219820Sjeff * @param anchors: anchor storage.
213219820Sjeff * @param c: class.
214219820Sjeff * @param nm: name of insecure trust point.
215219820Sjeff */
216219820Sjeffvoid anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
217219820Sjeff	uint8_t* nm);
218219820Sjeff
219219820Sjeff#endif /* VALIDATOR_VAL_ANCHOR_H */
220219820Sjeff