1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
32 #include "config.h"
33 #include "shared/log.h"
34 #include "signer/denial.h"
35 #include "signer/domain.h"
36 #include "signer/zone.h"
37 
/* Capacity of the type list used to build an NSEC(3) Type Bit Maps field.
 * 65536 is the number of possible 16-bit DNS RR type codes, so a list of
 * distinct types can never exceed it. Note that denial_create_nsec() keeps an
 * array of this size on the stack. */
#define SE_MAX_RRTYPE_COUNT 65536

/* Module tag used as the "[denial]" prefix in log messages. */
static const char* denial_str = "denial";
41 
42 
/**
 * Create a denial of existence data point for @p dname in the zone.
 *
 * @param zoneptr zone (zone_type*) whose allocator owns the new object
 * @param dname   owner name; the denial takes over this reference (it is not
 *                cloned) and denial_cleanup() frees it
 * @return new denial, or NULL when an argument is missing or the allocation
 *         fails (logged as an error)
 */
denial_type*
denial_create(void* zoneptr, ldns_rdf* dname)
{
    zone_type* zone = (zone_type*) zoneptr;
    denial_type* d = NULL;

    if (!zone || !dname) {
        return NULL;
    }
    d = (denial_type*) allocator_alloc(zone->allocator, sizeof(denial_type));
    if (!d) {
        ods_log_error("[%s] unable to create denial: allocator_alloc() "
            "failed", denial_str);
        return NULL;
    }
    d->dname = dname;
    d->zone = zoneptr;
    d->domain = NULL;        /* back reference is set later by the caller */
    d->node = NULL;          /* not stored in a tree node yet */
    d->rrset = NULL;         /* NSEC(3) RRset is created on first add */
    d->bitmap_changed = 0;
    d->nxt_changed = 0;
    return d;
}
71 
72 
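/**
 * Collect the RR types present at the denial's domain for the type bitmap.
 *
 * Only types that belong in an authoritative NSEC(3) bitmap are collected:
 * nothing for an occluded domain, only NS and DS at a delegation point, and
 * every RRset at an authoritative (non-delegation) domain.
 *
 * @param denial       denial whose domain back reference must be set
 * @param types        output array; must hold at least SE_MAX_RRTYPE_COUNT
 *                     entries (the size denial_create_nsec() allocates)
 * @param types_count  in: entries already present in @p types; out: updated
 *                     count
 */
static void
denial_create_bitmap(denial_type* denial, ldns_rr_type types[],
    size_t* types_count)
{
    domain_type* domain = NULL;
    rrset_type* rrset = NULL;
    int is_delegpt = 0;

    ods_log_assert(denial);
    ods_log_assert(denial->domain);
    ods_log_assert(types);
    ods_log_assert(types_count);

    domain = (domain_type*) denial->domain;
    /* The domain's status does not depend on which RRset is being looked
     * at, so it is determined once instead of once per RRset. */
    if (domain_is_occluded(domain) != LDNS_RR_TYPE_SOA) {
        return; /* occluded: contributes nothing to the bitmap */
    }
    /* SOA here means "authoritative"; anything else is a delegation point */
    is_delegpt = (domain_is_delegpt(domain) != LDNS_RR_TYPE_SOA);

    for (rrset = domain->rrsets; rrset; rrset = rrset->next) {
        if (is_delegpt && rrset->rrtype != LDNS_RR_TYPE_NS &&
            rrset->rrtype != LDNS_RR_TYPE_DS) {
            continue; /* at a delegation point only NS and DS are listed */
        }
        if (*types_count >= SE_MAX_RRTYPE_COUNT) {
            /* Not expected to be reachable when each type has a single
             * RRset, but never write past the caller's array. */
            ods_log_error("[%s] type bitmap full, dropping type %d",
                denial_str, (int) rrset->rrtype);
            return;
        }
        types[*types_count] = rrset->rrtype;
        *types_count = *types_count + 1;
    }
}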
106 
107 
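/**
 * Create the Next Hashed Owner Name rdf for an NSEC3 RR.
 *
 * The first label of @p nxt is rendered to text, stripped of a trailing
 * dot, and parsed back as a base32 extended hex rdf.
 *
 * @param nxt owner name of the next denial in the NSEC3 chain
 * @return newly allocated rdf owned by the caller, or NULL on failure
 *         (logged as an alert)
 */
static ldns_rdf*
denial_create_nsec3_nxt(ldns_rdf* nxt)
{
    ldns_status status = LDNS_STATUS_OK;
    ldns_rdf* label = NULL;
    ldns_rdf* next_rdf = NULL;
    char* label_str = NULL;
    size_t len = 0;

    ods_log_assert(nxt);
    label = ldns_dname_label(nxt, 0);
    if (!label) {
        ods_log_alert("[%s] unable to create NSEC3 Next: "
            "ldns_dname_label() failed", denial_str);
        return NULL;
    }
    label_str = ldns_rdf2str(label);
    if (!label_str) {
        ods_log_alert("[%s] unable to create NSEC3 Next: "
            "ldns_rdf2str() failed", denial_str);
        ldns_rdf_deep_free(label);
        return NULL;
    }
    /* Strip the trailing dot. The length check keeps len-1 from indexing
     * before the buffer should ldns ever hand back an empty string. */
    len = strlen(label_str);
    if (len > 0 && label_str[len - 1] == '.') {
        label_str[len - 1] = '\0';
    }
    /* next_rdf is expected to be left NULL by ldns when this fails */
    status = ldns_str2rdf_b32_ext(&next_rdf, label_str);
    if (status != LDNS_STATUS_OK) {
        ods_log_alert("[%s] unable to create NSEC3 Next: "
            "ldns_str2rdf_b32_ext() failed", denial_str);
    }
    free(label_str);
    ldns_rdf_deep_free(label);
    return next_rdf;
}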
146 
147 
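/**
 * Append one RR type to the bitmap type list without overrunning it.
 *
 * @param types        list with room for SE_MAX_RRTYPE_COUNT entries
 * @param types_count  current count, incremented on success
 * @param type         type to append
 * @return 1 when appended, 0 when the list is already full
 */
static int
denial_push_type(ldns_rr_type types[], size_t* types_count, ldns_rr_type type)
{
    if (*types_count >= SE_MAX_RRTYPE_COUNT) {
        return 0;
    }
    types[*types_count] = type;
    (*types_count)++;
    return 1;
}

/**
 * Create the NSEC or NSEC3 RR for @p denial whose Next field points at @p nxt.
 *
 * @param denial denial to create the RR for; its domain back reference must
 *               be set
 * @param nxt    next denial in the chain
 * @param ttl    TTL of the new RR
 * @param klass  class of the new RR
 * @param n3p    NSEC3 parameters, or NULL to create a plain NSEC RR
 * @return newly allocated RR owned by the caller, or NULL on failure
 *         (logged as an alert)
 */
static ldns_rr*
denial_create_nsec(denial_type* denial, denial_type* nxt, uint32_t ttl,
    ldns_rr_class klass, nsec3params_type* n3p)
{
    ldns_rr* nsec_rr = NULL;
    ldns_rr_type rrtype = n3p ? LDNS_RR_TYPE_NSEC3 : LDNS_RR_TYPE_NSEC;
    ldns_rdf* rdf = NULL;
    domain_type* domain = NULL;
    /* NOTE: 65536 ldns_rr_type entries live on the stack here (256 KiB for a
     * 4-byte enum); the calling thread's stack must be sized for that. */
    ldns_rr_type types[SE_MAX_RRTYPE_COUNT];
    size_t types_count = 0;
    int bitmap_ok = 1;
    int i = 0;

    ods_log_assert(denial);
    ods_log_assert(denial->dname);
    ods_log_assert(denial->domain);
    ods_log_assert(nxt);
    ods_log_assert(nxt->dname);

    nsec_rr = ldns_rr_new();
    if (!nsec_rr) {
        ods_log_alert("[%s] unable to create NSEC(3) RR: "
            "ldns_rr_new() failed", denial_str);
        return NULL;
    }
    ldns_rr_set_type(nsec_rr, rrtype);

    /* owner */
    rdf = ldns_rdf_clone(denial->dname);
    if (!rdf) {
        ods_log_alert("[%s] unable to create NSEC(3) RR: "
            "ldns_rdf_clone(owner) failed", denial_str);
        ldns_rr_free(nsec_rr);
        return NULL;
    }
    ldns_rr_set_owner(nsec_rr, rdf);

    /* NSEC3 parameters: reserve the rdata slots with NULL first, then let
     * ldns fill them in. */
    if (n3p) {
        for (i = 0; i < SE_NSEC3_RDATA_NSEC3PARAMS; i++) {
            ldns_rr_push_rdf(nsec_rr, NULL);
        }
        ldns_nsec3_add_param_rdfs(nsec_rr, n3p->algorithm, n3p->flags,
            n3p->iterations, n3p->salt_len, n3p->salt_data);
    }

    /* Next (Hashed) Owner Name */
    if (n3p) {
        rdf = denial_create_nsec3_nxt(nxt->dname);
    } else {
        rdf = ldns_rdf_clone(nxt->dname);
    }
    if (!rdf) {
        ods_log_alert("[%s] unable to create NSEC(3) RR: "
            "create next field failed", denial_str);
        ldns_rr_free(nsec_rr); /* also frees the rdfs pushed so far */
        return NULL;
    }
    ldns_rr_push_rdf(nsec_rr, rdf);

    /* Type Bit Maps */
    denial_create_bitmap(denial, types, &types_count);
    if (n3p) {
        /* RRSIG is listed only for an authoritative, non-empty domain. The
         * NSEC3 type itself is never listed: the NSEC3 RR lives at the
         * hashed name, not at this domain. */
        domain = (domain_type*) denial->domain;
        if (domain_is_occluded(domain) == LDNS_RR_TYPE_SOA &&
            domain_is_delegpt(domain) != LDNS_RR_TYPE_NS &&
            domain->rrsets) {
            bitmap_ok = denial_push_type(types, &types_count,
                LDNS_RR_TYPE_RRSIG);
        }
    } else {
        /* The NSEC RR sits at the owner itself and is signed */
        bitmap_ok = denial_push_type(types, &types_count, LDNS_RR_TYPE_RRSIG)
            && denial_push_type(types, &types_count, LDNS_RR_TYPE_NSEC);
    }
    if (!bitmap_ok) {
        /* Only reachable if the bitmap already holds every possible type;
         * refuse rather than write past types[]. */
        ods_log_alert("[%s] unable to create NSEC(3) RR: type bitmap full",
            denial_str);
        ldns_rr_free(nsec_rr);
        return NULL;
    }
    rdf = ldns_dnssec_create_nsec_bitmap(types, types_count, rrtype);
    if (!rdf) {
        ods_log_alert("[%s] unable to create NSEC(3) RR: "
            "ldns_dnssec_create_nsec_bitmap() failed", denial_str);
        ldns_rr_free(nsec_rr);
        return NULL;
    }
    ldns_rr_push_rdf(nsec_rr, rdf);

    ldns_rr_set_ttl(nsec_rr, ttl);
    ldns_rr_set_class(nsec_rr, klass);
    return nsec_rr;
}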
242 
243 
/**
 * Compute the diff of the denial's NSEC(3) RRset as a full (non-IXFR) diff
 * with nothing more coming.
 *
 * @param denial denial; NULL, or a denial without an RRset, is a no-op
 */
void
denial_diff(denial_type* denial)
{
    if (!denial) {
        return;
    }
    if (!denial->rrset) {
        return;
    }
    rrset_diff(denial->rrset, 0, 0);
}
256 
257 
/**
 * Add an NSEC(3) RR to the denial's RRset, creating the RRset on first use.
 *
 * The RRset type follows the zone's signconf: NSEC3 when nsec3params is set,
 * NSEC otherwise. After the add, the RRset diff is computed and both change
 * flags are cleared. Failure to create the RRset is fatal.
 *
 * @param denial denial that owns the RRset
 * @param rr     RR to add; the resulting record gets @p denial as its owner
 */
void
denial_add_rr(denial_type* denial, ldns_rr* rr)
{
    zone_type* zone = NULL;
    rr_type* record = NULL;
    ldns_rr_type nsec_type = LDNS_RR_TYPE_NSEC;

    ods_log_assert(denial);
    ods_log_assert(rr);
    zone = (zone_type*) denial->zone;
    ods_log_assert(zone);
    ods_log_assert(zone->signconf);

    if (denial->rrset == NULL) {
        if (zone->signconf->nsec3params) {
            nsec_type = LDNS_RR_TYPE_NSEC3;
        }
        denial->rrset = rrset_create(denial->zone, nsec_type);
        if (denial->rrset == NULL) {
            ods_fatal_exit("[%s] unable to nsecify: rrset_create() failed",
                denial_str);
        }
    }
    ods_log_assert(denial->rrset);
    record = rrset_add_rr(denial->rrset, rr);
    ods_log_assert(record);
    ods_log_assert(record->rr);
    record->owner = (void*) denial; /* back reference from record to denial */
    denial_diff(denial);
    denial->bitmap_changed = 0;
    denial->nxt_changed = 0;
}
293 
294 
/**
 * Create and add a fresh NSEC(3) RR for @p denial when its Next field or
 * type bitmap changed since the last one was made.
 *
 * @param denial    denial to nsecify
 * @param nxt       next denial in the chain
 * @param num_added optional counter, incremented once per RR added
 */
void
denial_nsecify(denial_type* denial, denial_type* nxt, uint32_t* num_added)
{
    zone_type* zone = NULL;
    ldns_rr* nsec_rr = NULL;

    ods_log_assert(denial);
    ods_log_assert(nxt);
    zone = (zone_type*) denial->zone;
    ods_log_assert(zone);
    ods_log_assert(zone->signconf);

    if (!denial->nxt_changed && !denial->bitmap_changed) {
        return; /* the existing NSEC(3) RR is still valid */
    }
    nsec_rr = denial_create_nsec(denial, nxt, zone->default_ttl, zone->klass,
        zone->signconf->nsec3params);
    if (!nsec_rr) {
        ods_fatal_exit("[%s] unable to nsecify: denial_create_nsec() "
            "failed", denial_str);
    }
    denial_add_rr(denial, nsec_rr);
    if (num_added) {
        *num_added += 1;
    }
}
324 
325 
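/**
 * Print the denial's NSEC(3) RRset (RRSIGs included) to @p fd.
 *
 * @param denial denial to print
 * @param fd     output stream
 * @param status optional; set to ODS_STATUS_ASSERT_ERR when @p denial or
 *               @p fd is missing, otherwise passed on to rrset_print()
 */
void
denial_print(FILE* fd, denial_type* denial, ods_status* status)
{
    if (!denial || !fd) {
        /* Log the critical condition regardless of whether the caller asked
         * for a status; the message used to read "denial of fd". */
        ods_log_crit("[%s] unable to print denial: denial or fd missing",
            denial_str);
        if (status) {
            *status = ODS_STATUS_ASSERT_ERR;
        }
        return;
    }
    if (denial->rrset) {
        rrset_print(fd, denial->rrset, 0, status); /* 0: do not skip RRSIGs */
    }
}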
346 
347 
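/**
 * Free a denial: its owner name (ownership was taken in denial_create()),
 * its NSEC(3) RRset, and the object itself via the zone's allocator.
 *
 * @param denial denial to free; NULL is a no-op
 */
void
denial_cleanup(denial_type* denial)
{
    zone_type* zone = NULL;

    if (!denial) {
        return;
    }
    zone = (zone_type*) denial->zone;
    /* denial_create() never leaves zone unset; the allocator lives there */
    ods_log_assert(zone);
    ldns_rdf_deep_free(denial->dname);
    rrset_cleanup(denial->rrset);
    allocator_deallocate(zone->allocator, (void*) denial);
}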