/contrib/bind9/lib/dns/nsec.c

  1/*
  2 * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
  3 * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  4 *
  5 * Permission to use, copy, modify, and/or distribute this software for any
  6 * purpose with or without fee is hereby granted, provided that the above
  7 * copyright notice and this permission notice appear in all copies.
  8 *
  9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 11 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 15 * PERFORMANCE OF THIS SOFTWARE.
 16 */
 17
 18/* $Id$ */
 19
 20/*! \file */
 21
 22#include <config.h>
 23
 24#include <isc/string.h>
 25#include <isc/util.h>
 26
 27#include <dns/db.h>
 28#include <dns/nsec.h>
 29#include <dns/rdata.h>
 30#include <dns/rdatalist.h>
 31#include <dns/rdataset.h>
 32#include <dns/rdatasetiter.h>
 33#include <dns/rdatastruct.h>
 34#include <dns/result.h>
 35
 36#include <dst/dst.h>
 37
 38#define RETERR(x) do { \
 39	result = (x); \
 40	if (result != ISC_R_SUCCESS) \
 41		goto failure; \
 42	} while (0)
 43
 44static void
 45set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
 46	unsigned int shift, mask;
 47
 48	shift = 7 - (index % 8);
 49	mask = 1 << shift;
 50
 51	if (bit != 0)
 52		array[index / 8] |= mask;
 53	else
 54		array[index / 8] &= (~mask & 0xFF);
 55}
 56
 57static unsigned int
 58bit_isset(unsigned char *array, unsigned int index) {
 59	unsigned int byte, shift, mask;
 60
 61	byte = array[index / 8];
 62	shift = 7 - (index % 8);
 63	mask = 1 << shift;
 64
 65	return ((byte & mask) != 0);
 66}
 67
 68isc_result_t
 69dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 70		    dns_dbnode_t *node, dns_name_t *target,
 71		    unsigned char *buffer, dns_rdata_t *rdata)
 72{
 73	isc_result_t result;
 74	dns_rdataset_t rdataset;
 75	isc_region_t r;
 76	unsigned int i, window;
 77	int octet;
 78
 79	unsigned char *nsec_bits, *bm;
 80	unsigned int max_type;
 81	dns_rdatasetiter_t *rdsiter;
 82
 83	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
 84	dns_name_toregion(target, &r);
 85	memcpy(buffer, r.base, r.length);
 86	r.base = buffer;
 87	/*
 88	 * Use the end of the space for a raw bitmap leaving enough
 89	 * space for the window identifiers and length octets.
 90	 */
 91	bm = r.base + r.length + 512;
 92	nsec_bits = r.base + r.length;
 93	set_bit(bm, dns_rdatatype_rrsig, 1);
 94	set_bit(bm, dns_rdatatype_nsec, 1);
 95	max_type = dns_rdatatype_nsec;
 96	dns_rdataset_init(&rdataset);
 97	rdsiter = NULL;
 98	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
 99	if (result != ISC_R_SUCCESS)
100		return (result);
101	for (result = dns_rdatasetiter_first(rdsiter);
102	     result == ISC_R_SUCCESS;
103	     result = dns_rdatasetiter_next(rdsiter))
104	{
105		dns_rdatasetiter_current(rdsiter, &rdataset);
106		if (rdataset.type != dns_rdatatype_nsec &&
107		    rdataset.type != dns_rdatatype_nsec3 &&
108		    rdataset.type != dns_rdatatype_rrsig) {
109			if (rdataset.type > max_type)
110				max_type = rdataset.type;
111			set_bit(bm, rdataset.type, 1);
112		}
113		dns_rdataset_disassociate(&rdataset);
114	}
115
116	/*
117	 * At zone cuts, deny the existence of glue in the parent zone.
118	 */
119	if (bit_isset(bm, dns_rdatatype_ns) &&
120	    ! bit_isset(bm, dns_rdatatype_soa)) {
121		for (i = 0; i <= max_type; i++) {
122			if (bit_isset(bm, i) &&
123			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
124				set_bit(bm, i, 0);
125		}
126	}
127
128	dns_rdatasetiter_destroy(&rdsiter);
129	if (result != ISC_R_NOMORE)
130		return (result);
131
132	for (window = 0; window < 256; window++) {
133		if (window * 256 > max_type)
134			break;
135		for (octet = 31; octet >= 0; octet--)
136			if (bm[window * 32 + octet] != 0)
137				break;
138		if (octet < 0)
139			continue;
140		nsec_bits[0] = window;
141		nsec_bits[1] = octet + 1;
142		/*
143		 * Note: potential overlapping move.
144		 */
145		memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
146		nsec_bits += 3 + octet;
147	}
148	r.length = nsec_bits - r.base;
149	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
150	dns_rdata_fromregion(rdata,
151			     dns_db_class(db),
152			     dns_rdatatype_nsec,
153			     &r);
154
155	return (ISC_R_SUCCESS);
156}
157
158
159isc_result_t
160dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
161	       dns_name_t *target, dns_ttl_t ttl)
162{
163	isc_result_t result;
164	dns_rdata_t rdata = DNS_RDATA_INIT;
165	unsigned char data[DNS_NSEC_BUFFERSIZE];
166	dns_rdatalist_t rdatalist;
167	dns_rdataset_t rdataset;
168
169	dns_rdataset_init(&rdataset);
170	dns_rdata_init(&rdata);
171
172	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
173
174	rdatalist.rdclass = dns_db_class(db);
175	rdatalist.type = dns_rdatatype_nsec;
176	rdatalist.covers = 0;
177	rdatalist.ttl = ttl;
178	ISC_LIST_INIT(rdatalist.rdata);
179	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
180	RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
181	result = dns_db_addrdataset(db, node, version, 0, &rdataset,
182				    0, NULL);
183	if (result == DNS_R_UNCHANGED)
184		result = ISC_R_SUCCESS;
185
186 failure:
187	if (dns_rdataset_isassociated(&rdataset))
188		dns_rdataset_disassociate(&rdataset);
189	return (result);
190}
191
192isc_boolean_t
193dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
194	dns_rdata_nsec_t nsecstruct;
195	isc_result_t result;
196	isc_boolean_t present;
197	unsigned int i, len, window;
198
199	REQUIRE(nsec != NULL);
200	REQUIRE(nsec->type == dns_rdatatype_nsec);
201
202	/* This should never fail */
203	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
204	INSIST(result == ISC_R_SUCCESS);
205
206	present = ISC_FALSE;
207	for (i = 0; i < nsecstruct.len; i += len) {
208		INSIST(i + 2 <= nsecstruct.len);
209		window = nsecstruct.typebits[i];
210		len = nsecstruct.typebits[i + 1];
211		INSIST(len > 0 && len <= 32);
212		i += 2;
213		INSIST(i + len <= nsecstruct.len);
214		if (window * 256 > type)
215			break;
216		if ((window + 1) * 256 <= type)
217			continue;
218		if (type < (window * 256) + len * 8)
219			present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
220						   type % 256));
221		break;
222	}
223	dns_rdata_freestruct(&nsecstruct);
224	return (present);
225}
226
227isc_result_t
228dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
229		  isc_boolean_t *answer)
230{
231	dns_dbnode_t *node = NULL;
232	dns_rdataset_t rdataset;
233	dns_rdata_dnskey_t dnskey;
234	isc_result_t result;
235
236	REQUIRE(answer != NULL);
237
238	dns_rdataset_init(&rdataset);
239
240	result = dns_db_getoriginnode(db, &node);
241	if (result != ISC_R_SUCCESS)
242		return (result);
243
244	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
245				     0, 0, &rdataset, NULL);
246	dns_db_detachnode(db, &node);
247
248	if (result == ISC_R_NOTFOUND) {
249		*answer = ISC_FALSE;
250		return (ISC_R_SUCCESS);
251	}
252	if (result != ISC_R_SUCCESS)
253		return (result);
254	for (result = dns_rdataset_first(&rdataset);
255	     result == ISC_R_SUCCESS;
256	     result = dns_rdataset_next(&rdataset)) {
257		dns_rdata_t rdata = DNS_RDATA_INIT;
258
259		dns_rdataset_current(&rdataset, &rdata);
260		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
261		RUNTIME_CHECK(result == ISC_R_SUCCESS);
262
263		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
264		    dnskey.algorithm == DST_ALG_RSASHA1 ||
265		    dnskey.algorithm == DST_ALG_DSA ||
266		    dnskey.algorithm == DST_ALG_ECC)
267			break;
268	}
269	dns_rdataset_disassociate(&rdataset);
270	if (result == ISC_R_SUCCESS)
271		*answer = ISC_TRUE;
272	if (result == ISC_R_NOMORE) {
273		*answer = ISC_FALSE;
274		result = ISC_R_SUCCESS;
275	}
276	return (result);
277}