/contrib/bind9/lib/dns/nsec.c


  1. /*
  2. * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
  3. * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
  4. *
  5. * Permission to use, copy, modify, and/or distribute this software for any
  6. * purpose with or without fee is hereby granted, provided that the above
  7. * copyright notice and this permission notice appear in all copies.
  8. *
  9. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15. * PERFORMANCE OF THIS SOFTWARE.
  16. */
  17. /* $Id$ */
  18. /*! \file */
  19. #include <config.h>
  20. #include <isc/string.h>
  21. #include <isc/util.h>
  22. #include <dns/db.h>
  23. #include <dns/nsec.h>
  24. #include <dns/rdata.h>
  25. #include <dns/rdatalist.h>
  26. #include <dns/rdataset.h>
  27. #include <dns/rdatasetiter.h>
  28. #include <dns/rdatastruct.h>
  29. #include <dns/result.h>
  30. #include <dst/dst.h>
/*
 * Evaluate 'x', store its isc_result_t in the enclosing function's local
 * 'result', and jump to the function's 'failure' label unless it succeeded.
 * The caller must provide both 'result' and 'failure'.
 */
#define RETERR(x)					\
	do {						\
		result = (x);				\
		if (result != ISC_R_SUCCESS)		\
			goto failure;			\
	} while (0)
/*
 * Set (bit != 0) or clear (bit == 0) bit number 'index' of the bitmap
 * 'array'.  Bits are numbered MSB-first within each octet, so index 0 is
 * the high bit of array[0] and index 7 its low bit.
 */
static void
set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
	unsigned char *octet = &array[index / 8];
	unsigned int mask = 1U << (7 - (index % 8));

	if (bit != 0) {
		*octet |= mask;
	} else {
		*octet &= (~mask & 0xFF);
	}
}
/*
 * Return non-zero if bit number 'index' of the bitmap 'array' is set.
 * Same MSB-first bit numbering as set_bit().
 */
static unsigned int
bit_isset(unsigned char *array, unsigned int index) {
	unsigned int mask = 1U << (7 - (index % 8));

	return ((array[index / 8] & mask) != 0);
}
/*
 * Build the NSEC rdata for 'node' into 'buffer' (which must hold
 * DNS_NSEC_BUFFERSIZE octets) and point 'rdata' at the result.
 *
 * 'target' becomes the NSEC next-name.  The type bitmap is produced in
 * two passes: the types present at the node are first recorded in a raw
 * bitmap indexed directly by type number, placed towards the end of
 * 'buffer'; that bitmap is then encoded into the windowed NSEC wire form
 * immediately after the name.  The encoded form is written over the front
 * of the raw bitmap, which is why the copy below is a memmove().
 *
 * NSEC, NSEC3 and RRSIG found at the node are ignored; RRSIG and NSEC
 * are always set.  At a zone cut (NS present, SOA absent) only the types
 * dns_rdatatype_iszonecutauth() accepts are kept, so glue in the parent
 * zone is denied.
 *
 * Returns ISC_R_SUCCESS, or the error from dns_db_allrdatasets() or the
 * rdataset iterator; on error 'rdata' is left untouched.
 */
isc_result_t
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
		    dns_dbnode_t *node, dns_name_t *target,
		    unsigned char *buffer, dns_rdata_t *rdata)
{
	isc_result_t result;
	dns_rdataset_t rdataset;
	dns_rdatasetiter_t *rdsiter = NULL;
	isc_region_t r;
	unsigned char *bitmap, *out;
	unsigned int max_type = dns_rdatatype_nsec;
	unsigned int window, i;

	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);

	/* The next-name comes first: copy the wire form of 'target'. */
	dns_name_toregion(target, &r);
	memcpy(buffer, r.base, r.length);
	r.base = buffer;
	out = r.base + r.length;

	/*
	 * The raw bitmap sits 512 octets past the end of the name; that
	 * gap holds the window number and length octets of the encoded
	 * form (two per window, up to 256 windows).
	 */
	bitmap = out + 512;

	/* Both of these will exist at the owner once the zone is signed. */
	set_bit(bitmap, dns_rdatatype_rrsig, 1);
	set_bit(bitmap, dns_rdatatype_nsec, 1);

	dns_rdataset_init(&rdataset);
	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
	if (result != ISC_R_SUCCESS)
		return (result);

	for (result = dns_rdatasetiter_first(rdsiter);
	     result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter))
	{
		dns_rdatatype_t t;

		dns_rdatasetiter_current(rdsiter, &rdataset);
		t = rdataset.type;
		if (t != dns_rdatatype_nsec &&
		    t != dns_rdatatype_nsec3 &&
		    t != dns_rdatatype_rrsig)
		{
			if (t > max_type)
				max_type = t;
			set_bit(bitmap, t, 1);
		}
		dns_rdataset_disassociate(&rdataset);
	}

	/*
	 * At zone cuts, deny the existence of glue in the parent zone.
	 */
	if (bit_isset(bitmap, dns_rdatatype_ns) &&
	    !bit_isset(bitmap, dns_rdatatype_soa))
	{
		for (i = 0; i <= max_type; i++) {
			if (bit_isset(bitmap, i) &&
			    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
				set_bit(bitmap, i, 0);
		}
	}

	dns_rdatasetiter_destroy(&rdsiter);
	if (result != ISC_R_NOMORE)
		return (result);

	/*
	 * Encode: for every 256-type window with at least one bit set,
	 * emit <window><length><length octets>, where length is the
	 * position of the highest non-zero octet plus one.  Windows past
	 * 'max_type' cannot have any bits set, so stop there.
	 */
	for (window = 0; window < 256 && window * 256 <= max_type; window++) {
		unsigned char *w = bitmap + window * 32;
		int last = 31;

		while (last >= 0 && w[last] == 0)
			last--;
		if (last < 0)
			continue;	/* empty window: nothing emitted */

		out[0] = window;
		out[1] = last + 1;
		/*
		 * The output region overlaps the tail of the raw bitmap,
		 * so this copy may overlap its source.
		 */
		memmove(&out[2], w, last + 1);
		out += 3 + last;
	}

	r.length = out - r.base;
	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
	return (ISC_R_SUCCESS);
}
/*
 * Build the NSEC RRset for 'node' (next-name 'target', TTL 'ttl') and add
 * it to 'db' at 'version'.  DNS_R_UNCHANGED from dns_db_addrdataset()
 * (an identical RRset already present) is reported as ISC_R_SUCCESS.
 *
 * Returns ISC_R_SUCCESS, or the first error from dns_nsec_buildrdata(),
 * dns_rdatalist_tordataset() or dns_db_addrdataset().
 */
isc_result_t
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
	       dns_name_t *target, dns_ttl_t ttl)
{
	isc_result_t result;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	unsigned char data[DNS_NSEC_BUFFERSIZE];
	dns_rdatalist_t rdatalist;
	dns_rdataset_t rdataset;

	dns_rdataset_init(&rdataset);
	dns_rdata_init(&rdata);

	result = dns_nsec_buildrdata(db, version, node, target, data, &rdata);
	if (result != ISC_R_SUCCESS)
		goto failure;

	/* Wrap the single rdata in a one-element list, then an rdataset. */
	rdatalist.rdclass = dns_db_class(db);
	rdatalist.type = dns_rdatatype_nsec;
	rdatalist.covers = 0;
	rdatalist.ttl = ttl;
	ISC_LIST_INIT(rdatalist.rdata);
	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);

	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
	if (result != ISC_R_SUCCESS)
		goto failure;

	result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
	if (result == DNS_R_UNCHANGED)
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	return (result);
}
/*
 * Report whether 'type' is set in the type bitmap of the NSEC rdata 'nsec'.
 *
 * Walks the windowed bitmap (<window><len><len octets> blocks) and stops
 * at the first window whose base exceeds 'type', so it relies on windows
 * appearing in ascending order.  A truncated block or a window length
 * outside 1..32 trips INSIST().
 */
isc_boolean_t
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
	dns_rdata_nsec_t nsecstruct;
	isc_result_t result;
	isc_boolean_t present = ISC_FALSE;
	unsigned int pos, len;

	REQUIRE(nsec != NULL);
	REQUIRE(nsec->type == dns_rdatatype_nsec);

	/* This should never fail */
	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
	INSIST(result == ISC_R_SUCCESS);

	for (pos = 0; pos < nsecstruct.len; pos += len) {
		unsigned int window, first;

		INSIST(pos + 2 <= nsecstruct.len);
		window = nsecstruct.typebits[pos];
		len = nsecstruct.typebits[pos + 1];
		INSIST(len > 0 && len <= 32);
		pos += 2;
		INSIST(pos + len <= nsecstruct.len);

		first = window * 256;	/* lowest type number in this window */
		if (first > type)
			break;		/* past 'type': not present */
		if (first + 256 <= type)
			continue;	/* window lies entirely below 'type' */

		/* Octets beyond 'len' are implicitly zero. */
		if (type < first + len * 8)
			present = ISC_TF(bit_isset(&nsecstruct.typebits[pos],
						   type % 256));
		break;
	}

	dns_rdata_freestruct(&nsecstruct);
	return (present);
}
/*
 * Set '*answer' to ISC_TRUE if any DNSKEY at the origin of 'db' (at
 * 'version') uses one of the algorithms this function treats as
 * NSEC-only: DST_ALG_RSAMD5, DST_ALG_RSASHA1, DST_ALG_DSA or DST_ALG_ECC.
 * Otherwise, including when the origin has no DNSKEY RRset, '*answer' is
 * ISC_FALSE.
 *
 * Returns ISC_R_SUCCESS in both of those cases; on any other failure
 * '*answer' is not written and the error is returned.
 */
isc_result_t
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
		  isc_boolean_t *answer)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
				     0, 0, &rdataset, NULL);
	/* The node is not needed past this point whatever the outcome. */
	dns_db_detachnode(db, &node);

	if (result == ISC_R_NOTFOUND) {
		*answer = ISC_FALSE;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		return (result);

	/* Stop at the first key with an NSEC-only algorithm. */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;
		dns_rdata_dnskey_t dnskey;
		isc_boolean_t nseconly;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		switch (dnskey.algorithm) {
		case DST_ALG_RSAMD5:
		case DST_ALG_RSASHA1:
		case DST_ALG_DSA:
		case DST_ALG_ECC:
			nseconly = ISC_TRUE;
			break;
		default:
			nseconly = ISC_FALSE;
			break;
		}
		if (nseconly)
			break;
	}

	dns_rdataset_disassociate(&rdataset);

	if (result == ISC_R_NOMORE) {
		/* Walked the whole RRset without a match. */
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
	} else if (result == ISC_R_SUCCESS) {
		/* Broke out of the loop on a matching key. */
		*answer = ISC_TRUE;
	}
	return (result);
}