OpenDNSSEC-signer  1.4.1
denial.c
Go to the documentation of this file.
1 /*
2  * $Id$
3  *
4  * Copyright (c) 2011 NLNet Labs. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
19  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
21  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
23  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
25  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  *
27  */
28 
34 #include "config.h"
35 #include "shared/log.h"
36 #include "signer/denial.h"
37 #include "signer/domain.h"
38 #include "signer/zone.h"
39 
40 #define SE_MAX_RRTYPE_COUNT 65536
41 
42 static const char* denial_str = "denial";
43 
44 
50 denial_create(void* zoneptr, ldns_rdf* dname)
51 {
52  denial_type* denial = NULL;
53  zone_type* zone = (zone_type*) zoneptr;
54  if (!dname || !zoneptr) {
55  return NULL;
56  }
57  denial = (denial_type*) allocator_alloc(
58  zone->allocator, sizeof(denial_type));
59  if (!denial) {
60  ods_log_error("[%s] unable to create denial: allocator_alloc() "
61  "failed", denial_str);
62  return NULL;
63  }
64  denial->dname = dname;
65  denial->zone = zoneptr;
66  denial->domain = NULL; /* no back reference yet */
67  denial->node = NULL; /* not in db yet */
68  denial->rrset = NULL;
69  denial->bitmap_changed = 0;
70  denial->nxt_changed = 0;
71  return denial;
72 }
73 
74 
79 static void
80 denial_create_bitmap(denial_type* denial, ldns_rr_type types[],
81  size_t* types_count)
82 {
83  domain_type* domain = NULL;
84  rrset_type* rrset = NULL;
85 
86  ods_log_assert(denial);
87  ods_log_assert(denial->domain);
88 
89  domain = (domain_type*) denial->domain;
90  rrset = domain->rrsets;
91  while (rrset) {
92  ldns_rr_type dstatus = domain_is_occluded(domain);
93  if (dstatus == LDNS_RR_TYPE_SOA) {
94  /* Authoritative or delegation */
95  dstatus = domain_is_delegpt(domain);
96  if (dstatus == LDNS_RR_TYPE_SOA ||
97  rrset->rrtype == LDNS_RR_TYPE_NS ||
98  rrset->rrtype == LDNS_RR_TYPE_DS) {
99 
100  types[*types_count] = rrset->rrtype;
101  *types_count = *types_count + 1;
102  }
103  }
104  rrset = rrset->next;
105  }
106  return;
107 }
108 
109 
114 static ldns_rdf*
115 denial_create_nsec3_nxt(ldns_rdf* nxt)
116 {
117  ldns_status status = LDNS_STATUS_OK;
118  ldns_rdf* next_owner_label = NULL;
119  ldns_rdf* next_owner_rdf = NULL;
120  char* next_owner_string = NULL;
121 
122  ods_log_assert(nxt);
123  next_owner_label = ldns_dname_label(nxt, 0);
124  if (!next_owner_label) {
125  ods_log_alert("[%s] unable to create NSEC3 Next: "
126  "ldns_dname_label() failed", denial_str);
127  return NULL;
128  }
129  next_owner_string = ldns_rdf2str(next_owner_label);
130  if (!next_owner_string) {
131  ods_log_alert("[%s] unable to create NSEC3 Next: "
132  "ldns_rdf2str() failed", denial_str);
133  ldns_rdf_deep_free(next_owner_label);
134  return NULL;
135  }
136  if (next_owner_string[strlen(next_owner_string)-1] == '.') {
137  next_owner_string[strlen(next_owner_string)-1] = '\0';
138  }
139  status = ldns_str2rdf_b32_ext(&next_owner_rdf, next_owner_string);
140  if (status != LDNS_STATUS_OK) {
141  ods_log_alert("[%s] unable to create NSEC3 Next: "
142  "ldns_str2rdf_b32_ext() failed", denial_str);
143  }
144  free((void*)next_owner_string);
145  ldns_rdf_deep_free(next_owner_label);
146  return next_owner_rdf;
147 }
148 
149 
154 static ldns_rr*
155 denial_create_nsec(denial_type* denial, denial_type* nxt, uint32_t ttl,
156  ldns_rr_class klass, nsec3params_type* n3p)
157 {
158  ldns_rr* nsec_rr = NULL;
159  ldns_rr_type rrtype = LDNS_RR_TYPE_NSEC;
160  ldns_rr_type dstatus = LDNS_RR_TYPE_FIRST;
161  ldns_rdf* rdf = NULL;
162  domain_type* domain = NULL;
163  ldns_rr_type types[SE_MAX_RRTYPE_COUNT];
164  size_t types_count = 0;
165  int i = 0;
166  ods_log_assert(denial);
167  ods_log_assert(denial->dname);
168  ods_log_assert(nxt);
169  ods_log_assert(nxt->dname);
170  nsec_rr = ldns_rr_new();
171  if (!nsec_rr) {
172  ods_log_alert("[%s] unable to create NSEC(3) RR: "
173  "ldns_rr_new() failed", denial_str);
174  return NULL;
175  }
176  /* RRtype */
177  if (n3p) {
178  rrtype = LDNS_RR_TYPE_NSEC3;
179  }
180  ldns_rr_set_type(nsec_rr, rrtype);
181  /* owner */
182  rdf = ldns_rdf_clone(denial->dname);
183  if (!rdf) {
184  ods_log_alert("[%s] unable to create NSEC(3) RR: "
185  "ldns_rdf_clone(owner) failed", denial_str);
186  ldns_rr_free(nsec_rr);
187  return NULL;
188  }
189  ldns_rr_set_owner(nsec_rr, rdf);
190  /* NSEC3 parameters */
191  if (n3p) {
192  /* set all to NULL first, then call nsec3_add_param_rdfs. */
193  for (i=0; i < SE_NSEC3_RDATA_NSEC3PARAMS; i++) {
194  ldns_rr_push_rdf(nsec_rr, NULL);
195  }
196  ldns_nsec3_add_param_rdfs(nsec_rr, n3p->algorithm, n3p->flags,
197  n3p->iterations, n3p->salt_len, n3p->salt_data);
198  }
199  /* NXT */
200  if (n3p) {
201  rdf = denial_create_nsec3_nxt(nxt->dname);
202  } else {
203  rdf = ldns_rdf_clone(nxt->dname);
204  }
205  if (!rdf) {
206  ods_log_alert("[%s] unable to create NSEC(3) RR: "
207  "create next field failed", denial_str);
208  ldns_rr_free(nsec_rr);
209  return NULL;
210  }
211  ldns_rr_push_rdf(nsec_rr, rdf);
212  /* Type Bit Maps */
213  denial_create_bitmap(denial, types, &types_count);
214  if (n3p) {
215  domain = (domain_type*) denial->domain;
216  dstatus = domain_is_occluded(domain);
217  if (dstatus == LDNS_RR_TYPE_SOA) {
218  dstatus = domain_is_delegpt(domain);
219  if (dstatus != LDNS_RR_TYPE_NS && domain->rrsets) {
220  /* Authoritative domain, not empty: add RRSIGs */
221  types[types_count] = LDNS_RR_TYPE_RRSIG;
222  types_count++;
223  }
224  }
225  /* and don't add NSEC3 type... */
226  } else {
227  types[types_count] = LDNS_RR_TYPE_RRSIG;
228  types_count++;
229  types[types_count] = LDNS_RR_TYPE_NSEC;
230  types_count++;
231  }
232  rdf = ldns_dnssec_create_nsec_bitmap(types, types_count, rrtype);
233  if (!rdf) {
234  ods_log_alert("[%s] unable to create NSEC(3) RR: "
235  "ldns_dnssec_create_nsec_bitmap() failed", denial_str);
236  ldns_rr_free(nsec_rr);
237  return NULL;
238  }
239  ldns_rr_push_rdf(nsec_rr, rdf);
240  ldns_rr_set_ttl(nsec_rr, ttl);
241  ldns_rr_set_class(nsec_rr, klass);
242  return nsec_rr;
243 }
244 
245 
250 void
252 {
253  if (denial && denial->rrset) {
254  rrset_diff(denial->rrset, 0, 0);
255  }
256  return;
257 }
258 
259 
264 void
265 denial_add_rr(denial_type* denial, ldns_rr* rr)
266 {
267  rr_type* record = NULL;
268  zone_type* zone = NULL;
269  ods_log_assert(denial);
270  ods_log_assert(rr);
271  zone = (zone_type*) denial->zone;
272  ods_log_assert(zone);
273  ods_log_assert(zone->signconf);
274  if (!denial->rrset) {
275  if (zone->signconf->nsec3params) {
276  denial->rrset = rrset_create(denial->zone, LDNS_RR_TYPE_NSEC3);
277  } else {
278  denial->rrset = rrset_create(denial->zone, LDNS_RR_TYPE_NSEC);
279  }
280  if (!denial->rrset) {
281  ods_fatal_exit("[%s] unable to nsecify: rrset_create() failed",
282  denial_str);
283  }
284  }
285  ods_log_assert(denial->rrset);
286  record = rrset_add_rr(denial->rrset, rr);
287  ods_log_assert(record);
288  ods_log_assert(record->rr);
289  record->owner = (void*) denial;
290  denial_diff(denial);
291  denial->bitmap_changed = 0;
292  denial->nxt_changed = 0;
293  return;
294 }
295 
296 
301 void
302 denial_nsecify(denial_type* denial, denial_type* nxt, uint32_t* num_added)
303 {
304  ldns_rr* nsec_rr = NULL;
305  zone_type* zone = NULL;
306  ods_log_assert(denial);
307  ods_log_assert(nxt);
308  zone = (zone_type*) denial->zone;
309  ods_log_assert(zone);
310  ods_log_assert(zone->signconf);
311  if (denial->nxt_changed || denial->bitmap_changed) {
312  /* create new NSEC(3) rr */
313  nsec_rr = denial_create_nsec(denial, nxt, zone->default_ttl,
314  zone->klass, zone->signconf->nsec3params);
315  if (!nsec_rr) {
316  ods_fatal_exit("[%s] unable to nsecify: denial_create_nsec() "
317  "failed", denial_str);
318  }
319  denial_add_rr(denial, nsec_rr);
320  if (num_added) {
321  (*num_added)++;
322  }
323  }
324  return;
325 }
326 
327 
332 void
333 denial_print(FILE* fd, denial_type* denial, ods_status* status)
334 {
335  if (!denial || !fd) {
336  if (status) {
337  ods_log_crit("[%s] unable to print denial: denial of fd missing",
338  denial_str);
339  *status = ODS_STATUS_ASSERT_ERR;
340  }
341  return;
342  }
343  if (denial->rrset) {
344  rrset_print(fd, denial->rrset, 0, status);
345  }
346  return;
347 }
348 
349 
354 void
356 {
357  zone_type* zone = NULL;
358  if (!denial) {
359  return;
360  }
361  zone = (zone_type*) denial->zone;
362  ldns_rdf_deep_free(denial->dname);
363  rrset_cleanup(denial->rrset);
364  allocator_deallocate(zone->allocator, (void*) denial);
365  return;
366 }