resolved-dns-trust-anchor.c revision 0c8570287400ba57d3705a2f62dd26039121ea6f
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2015 Lennart Poettering
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <sd-messages.h>
#include "alloc-util.h"
#include "conf-files.h"
#include "def.h"
#include "dns-domain.h"
#include "fd-util.h"
#include "fileio.h"
#include "hexdecoct.h"
#include "parse-util.h"
#include "resolved-dns-trust-anchor.h"
#include "resolved-dns-dnssec.h"
#include "set.h"
#include "string-util.h"
#include "strv.h"
/* The DS RR from https://data.iana.org/root-anchors/root-anchors.xml, retrieved December 2015 */
static const uint8_t root_digest[] =
{ 0x49, 0xAA, 0xC1, 0x1D, 0x7B, 0x6F, 0x64, 0x46, 0x70, 0x2E, 0x54, 0xA1, 0x60, 0x73, 0x71, 0x60,
0x7A, 0x1A, 0x41, 0x85, 0x52, 0x00, 0xFD, 0x2C, 0xE1, 0xCD, 0xDE, 0x32, 0xF2, 0x4E, 0x8F, 0xB5 };
static int dns_trust_anchor_add_builtin(DnsTrustAnchor *d) {
int r;
assert(d);
if (r < 0)
return r;
return 0;
/* Add the RR from https://data.iana.org/root-anchors/root-anchors.xml */
if (!rr)
return -ENOMEM;
return -ENOMEM;
if (!answer)
return -ENOMEM;
if (r < 0)
return r;
if (r < 0)
return r;
return 0;
}
static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, unsigned line, const char *s) {
const char *p = s;
int r;
assert(d);
if (r < 0)
if (!dns_name_is_valid(domain)) {
return -EINVAL;
}
if (r < 0)
if (r != 2) {
return -EINVAL;
}
return -EINVAL;
}
int a, dt;
size_t l;
if (r < 0) {
return -EINVAL;
}
if (r != 4) {
return -EINVAL;
}
if (r < 0)
return log_warning_errno(r, "Failed to parse DS key tag %s on line %s:%u: %m", key_tag, path, line);
if (a < 0) {
return -EINVAL;
}
if (dt < 0) {
return -EINVAL;
}
if (r < 0) {
return -EINVAL;
}
if (!rr)
return log_oom();
_cleanup_free_ void *k = NULL;
uint16_t f;
size_t l;
int a;
if (r < 0)
if (r != 4) {
return -EINVAL;
}
return -EINVAL;
}
r = safe_atou16(flags, &f);
if (r < 0)
return log_warning_errno(r, "Failed to parse DNSKEY flags field %s on line %s:%u", flags, path, line);
if ((f & DNSKEY_FLAG_ZONE_KEY) == 0) {
return -EINVAL;
}
if ((f & DNSKEY_FLAG_REVOKE)) {
return -EINVAL;
}
if (a < 0) {
return -EINVAL;
}
if (r < 0)
if (!rr)
return log_oom();
k = NULL;
} else {
return -EINVAL;
}
if (!isempty(p)) {
return -EINVAL;
}
if (r < 0)
return r;
if (r < 0)
return log_error_errno(r, "Failed to add trust anchor RR: %m");
if (r < 0)
return log_error_errno(r, "Failed to add answer to trust anchor: %m");
return 0;
}
static int dns_trust_anchor_load_negative(DnsTrustAnchor *d, const char *path, unsigned line, const char *s) {
const char *p = s;
int r;
assert(d);
if (r < 0)
if (!dns_name_is_valid(domain)) {
return -EINVAL;
}
if (!isempty(p)) {
return -EINVAL;
}
if (r < 0)
return r;
if (r < 0)
return log_oom();
if (r > 0)
return 0;
}
static int dns_trust_anchor_load_files(
DnsTrustAnchor *d,
const char *suffix,
char **f;
int r;
assert(d);
if (r < 0)
STRV_FOREACH(f, files) {
unsigned n = 0;
g = fopen(*f, "r");
if (!g) {
continue;
continue;
}
char *l;
n++;
if (isempty(l))
continue;
if (*l == ';')
continue;
(void) loader(d, *f, n, l);
}
}
return 0;
}
static void dns_trust_anchor_dump(DnsTrustAnchor *d) {
DnsAnswer *a;
Iterator i;
assert(d);
log_info("Positive Trust Anchors:");
HASHMAP_FOREACH(a, d->positive_by_key, i) {
DNS_ANSWER_FOREACH(rr, a)
}
if (!set_isempty(d->negative_by_name)) {
char *n;
log_info("Negative trust anchors:");
SET_FOREACH(n, d->negative_by_name, i)
}
}
int dns_trust_anchor_load(DnsTrustAnchor *d) {
int r;
assert(d);
/* If loading things from disk fails, we don't consider this fatal */
/* However, if the built-in DS fails, then we have a problem. */
r = dns_trust_anchor_add_builtin(d);
if (r < 0)
return log_error_errno(r, "Failed to add trust anchor built-in: %m");
return 0;
}
void dns_trust_anchor_flush(DnsTrustAnchor *d) {
DnsAnswer *a;
assert(d);
while ((a = hashmap_steal_first(d->positive_by_key)))
dns_answer_unref(a);
}
int dns_trust_anchor_lookup_positive(DnsTrustAnchor *d, const DnsResourceKey *key, DnsAnswer **ret) {
DnsAnswer *a;
assert(d);
/* We only serve DS and DNSKEY RRs. */
return 0;
if (!a)
return 0;
*ret = dns_answer_ref(a);
return 1;
}
assert(d);
}
int r;
if (!old_answer)
return 0;
if (r <= 0)
return r;
/* We found the key! Warn the user */
LOG_MESSAGE("DNSSEC Trust anchor %s has been revoked. Please update the trust anchor, or upgrade your operating system."), strna(dns_resource_record_to_string(rr)),
NULL);
if (dns_answer_size(new_answer) <= 0) {
return 1;
}
if (r < 0)
return r;
new_answer = NULL;
return 1;
}
static int dns_trust_anchor_check_revoked_one(DnsTrustAnchor *d, DnsResourceRecord *revoked_dnskey) {
DnsAnswer *a;
int r;
assert(d);
if (a) {
/* First, look for the precise DNSKEY in our trust anchor database */
DNS_ANSWER_FOREACH(anchor, a) {
continue;
continue;
continue;
if (((anchor->dnskey.flags ^ revoked_dnskey->dnskey.flags) | DNSKEY_FLAG_REVOKE) != DNSKEY_FLAG_REVOKE)
continue;
continue;
break;
}
}
a = hashmap_get(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(revoked_dnskey->key->class, DNS_TYPE_DS, DNS_RESOURCE_KEY_NAME(revoked_dnskey->key)));
if (a) {
/* Second, look for DS RRs matching this DNSKEY in our trust anchor database */
DNS_ANSWER_FOREACH(anchor, a) {
if (r < 0)
return r;
if (r == 0)
continue;
break;
}
}
return 0;
}
assert(d);
/* Returns true if there's an entry for the specified domain
* name in our trust anchor */
return
hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DNSKEY, name)) ||
}
int r;
assert(d);
/* Looks for self-signed DNSKEY RRs in "rrs" that have been revoked. */
return 0;
if (r < 0)
return r;
if (r == 0)
continue;
/* Is this DNSKEY revoked? */
continue;
/* Could this be interesting to us at all? If not,
* there's no point in looking for and verifying a
* self-signed RRSIG. */
continue;
/* Look for a self-signed RRSIG */
continue;
if (r < 0)
return r;
if (r == 0)
continue;
if (r < 0)
return r;
if (result != DNSSEC_VALIDATED)
continue;
/* Bingo! Now, act! */
r = dns_trust_anchor_check_revoked_one(d, dnskey);
if (r < 0)
return r;
}
}
return 0;
}