OpenDNSSEC-signer 1.2.1

/build/buildd-opendnssec_1.2.1.dfsg-1-mips-p9AT07/opendnssec-1.2.1.dfsg/signer/src/signer/denial.c

Go to the documentation of this file.
00001 /*
00002  * $Id$
00003  *
00004  * Copyright (c) 2011 NLNet Labs. All rights reserved.
00005  *
00006  * Redistribution and use in source and binary forms, with or without
00007  * modification, are permitted provided that the following conditions
00008  * are met:
00009  * 1. Redistributions of source code must retain the above copyright
00010  *    notice, this list of conditions and the following disclaimer.
00011  * 2. Redistributions in binary form must reproduce the above copyright
00012  *    notice, this list of conditions and the following disclaimer in the
00013  *    documentation and/or other materials provided with the distribution.
00014  *
00015  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
00016  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
00017  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
00018  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
00019  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
00020  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
00021  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
00022  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
00023  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
00024  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
00025  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
00026  *
00027  */
00028 
00034 #include "config.h"
00035 #include "signer/backup.h"
00036 #include "signer/denial.h"
00037 #include "signer/domain.h"
00038 #include "signer/nsec3params.h"
00039 #include "util/log.h"
00040 #include "util/se_malloc.h"
00041 
00042 #include <ldns/ldns.h>
00043 
00044 #define SE_MAX_RRTYPE_COUNT 65536
00045 
00046 static const char* denial_str = "denial";
00047 
00048 
00053 denial_type*
00054 denial_create(ldns_rdf* owner)
00055 {
00056     denial_type* denial = NULL;
00057     char* str = NULL;
00058 
00059     if (!owner) {
00060         se_log_error("[%s] unable to create denial of existence data point: "
00061             "no owner name", denial_str);
00062         return NULL;
00063     }
00064     se_log_assert(owner);
00065 
00066     denial = (denial_type*) se_malloc(sizeof(denial_type));
00067     if (!denial) {
00068         str = ldns_rdf2str(denial->owner);
00069         se_log_error("[%s] unable to create denial of existence data point: "
00070             "%s: allocator failed", denial_str, str?str:"(null)");
00071         free((void*)str);
00072         free((void*)denial);
00073         return NULL;
00074     }
00075     se_log_assert(denial);
00076 
00077     denial->owner = ldns_rdf_clone(owner);
00078     denial->bitmap_changed = 0;
00079     denial->nxt_changed = 0;
00080     denial->rrset = NULL;
00081     denial->domain = NULL;
00082     return denial;
00083 }
00084 
00085 
00090 denial_type*
00091 denial_recover_from_backup(FILE* fd)
00092 {
00093     denial_type* denial = NULL;
00094     const char* name = NULL;
00095     uint32_t internal_serial = 0;
00096     uint32_t outbound_serial = 0;
00097     int domain_status = DOMAIN_STATUS_NONE;
00098     size_t subdomain_count = 0;
00099     size_t subdomain_auth = 0;
00100     int nsec_bitmap_changed = 0;
00101     int nsec_nxt_changed = 0;
00102 
00103     se_log_assert(fd);
00104 
00105     /* Read everything, don't use everything */
00106     if (!backup_read_str(fd, &name) ||
00107         !backup_read_uint32_t(fd, &internal_serial) ||
00108         !backup_read_uint32_t(fd, &outbound_serial) ||
00109         !backup_read_int(fd, &domain_status) ||
00110         !backup_read_size_t(fd, &subdomain_count) ||
00111         !backup_read_size_t(fd, &subdomain_auth) ||
00112         !backup_read_int(fd, &nsec_bitmap_changed) ||
00113         !backup_read_int(fd, &nsec_nxt_changed)) {
00114         se_log_error("domain part in backup file is corrupted");
00115         if (name) {
00116             se_free((void*)name);
00117         }
00118         return NULL;
00119     }
00120 
00121     denial = (denial_type*) se_malloc(sizeof(denial_type));
00122     se_log_assert(name);
00123     denial->owner = ldns_dname_new_frm_str(name);
00124     if (!denial->owner) {
00125         se_log_error("failed to create owner for denial");
00126         se_free((void*)name);
00127         se_free((void*)denial);
00128         return NULL;
00129     }
00130     denial->domain = NULL;
00131     denial->rrset = NULL;
00132     denial->bitmap_changed = nsec_bitmap_changed;
00133     denial->nxt_changed = nsec_nxt_changed;
00134 
00135     se_free((void*)name);
00136     return denial;
00137 }
00138 
00139 
00144 int
00145 denial_recover_rrsig_from_backup(denial_type* denial, ldns_rr* rrsig,
00146     ldns_rr_type type_covered, const char* locator, uint32_t flags)
00147 {
00148     se_log_assert(rrsig);
00149     se_log_assert(denial);
00150     se_log_assert(denial->owner);
00151     se_log_assert(denial->rrset);
00152     se_log_assert((ldns_dname_compare(denial->owner,
00153         ldns_rr_owner(rrsig)) == 0));
00154 
00155     if (type_covered == LDNS_RR_TYPE_NSEC ||
00156         type_covered == LDNS_RR_TYPE_NSEC3) {
00157         return rrset_recover_rrsig_from_backup(denial->rrset,
00158             rrsig, locator, flags);
00159     } else {
00160         se_log_error("unable to recover RRSIG to denial: type covered not NSEC(3)");
00161     }
00162     return 1;
00163 }
00164 
00165 
00170 static void
00171 denial_create_bitmap(denial_type* denial, ldns_rr_type types[],
00172     size_t* types_count)
00173 {
00174     ldns_rbnode_t* node = LDNS_RBTREE_NULL;
00175     domain_type* domain = NULL;
00176     rrset_type* rrset = NULL;
00177 
00178     se_log_assert(denial->domain);
00179 
00180     domain = (domain_type*) denial->domain;
00181     node = ldns_rbtree_first(domain->rrsets);
00182 
00183     while (node && node != LDNS_RBTREE_NULL) {
00184         rrset = (rrset_type*) node->data;
00185         types[*types_count] = rrset->rr_type;
00186         *types_count = *types_count + 1;
00187         node = ldns_rbtree_next(node);
00188     }
00189     return;
00190 }
00191 
00192 
00197 static ldns_rr*
00198 denial_create_nsec(denial_type* denial, denial_type* nxt, uint32_t ttl,
00199     ldns_rr_class klass)
00200 {
00201     ldns_rr* nsec_rr = NULL;
00202     ldns_rdf* rdf = NULL;
00203     ldns_rr_type types[SE_MAX_RRTYPE_COUNT];
00204     size_t types_count = 0;
00205 
00206     se_log_assert(denial);
00207     se_log_assert(denial->owner);
00208     se_log_assert(nxt);
00209     se_log_assert(nxt->owner);
00210 
00211     nsec_rr = ldns_rr_new();
00212     if (!nsec_rr) {
00213         se_log_alert("[%s] unable to create NSEC RR: ldns error",
00214             denial_str);
00215         return NULL;
00216     }
00217     se_log_assert(nsec_rr);
00218 
00219     ldns_rr_set_type(nsec_rr, LDNS_RR_TYPE_NSEC);
00220     rdf = ldns_rdf_clone(denial->owner);
00221     if (!rdf) {
00222         se_log_alert("[%s] unable to create NSEC RR: failed to clone owner",
00223             denial_str);
00224         ldns_rr_free(nsec_rr);
00225         return NULL;
00226     }
00227     ldns_rr_set_owner(nsec_rr, rdf);
00228 
00229     rdf = ldns_rdf_clone(nxt->owner);
00230     if (!rdf) {
00231         se_log_alert("[%s] unable to create NSEC RR: failed to clone nxt",
00232             denial_str);
00233         ldns_rr_free(nsec_rr);
00234         return NULL;
00235     }
00236     ldns_rr_push_rdf(nsec_rr, rdf);
00237 
00238     /* create types bitmap */
00239     denial_create_bitmap(denial, types, &types_count);
00240     types[types_count] = LDNS_RR_TYPE_RRSIG;
00241     types_count++;
00242     types[types_count] = LDNS_RR_TYPE_NSEC;
00243     types_count++;
00244 
00245     rdf = ldns_dnssec_create_nsec_bitmap(types,
00246         types_count, LDNS_RR_TYPE_NSEC);
00247     if (!rdf) {
00248         se_log_alert("[%s] unable to create NSEC RR: failed to create bitmap",
00249             denial_str);
00250         ldns_rr_free(nsec_rr);
00251         return NULL;
00252     }
00253     ldns_rr_push_rdf(nsec_rr, rdf);
00254     ldns_rr_set_ttl(nsec_rr, ttl);
00255     ldns_rr_set_class(nsec_rr, klass);
00256     return nsec_rr;
00257 }
00258 
00259 
00264 int
00265 denial_nsecify(denial_type* denial, denial_type* nxt, uint32_t ttl,
00266     ldns_rr_class klass)
00267 {
00268     ldns_rr* nsec_rr = NULL;
00269     int error = 0;
00270 
00271     if (!denial) {
00272         se_log_error("[%s] unable to nsecify: no data point", denial_str);
00273         return 1;
00274     }
00275     se_log_assert(denial);
00276 
00277     if (!nxt) {
00278         se_log_error("[%s] unable to nsecify: no next", denial_str);
00279         return 1;
00280     }
00281     se_log_assert(nxt);
00282 
00283     if (denial->nxt_changed || denial->bitmap_changed) {
00284         /* assert there is a NSEC RRset */
00285         if (!denial->rrset) {
00286             denial->rrset = rrset_create(LDNS_RR_TYPE_NSEC);
00287             if (!denial->rrset) {
00288                  se_log_alert("[%s] unable to nsecify: failed to "
00289                 "create NSEC RRset", denial_str);
00290                 return 1;
00291             }
00292         }
00293         se_log_assert(denial->rrset);
00294         /* create new NSEC rr */
00295         nsec_rr = denial_create_nsec(denial, nxt, ttl, klass);
00296         if (!nsec_rr) {
00297             se_log_alert("[%s] unable to nsecify: failed to "
00298                 "create NSEC RR", denial_str);
00299             return 1;
00300         }
00301         /* delete old NSEC RR(s)... */
00302         error = rrset_del_rrs(denial->rrset);
00303         if (error) {
00304             se_log_alert("[%s] unable to nsecify: failed to "
00305                 "wipe out NSEC RRset", denial_str);
00306             ldns_rr_free(nsec_rr);
00307             return error;
00308         }
00309         /* ...and add the new one */
00310         error = rrset_add_rr(denial->rrset, nsec_rr);
00311         if (error) {
00312             se_log_alert("[%s] unable to nsecify: failed to "
00313                 "add NSEC to RRset", denial_str);
00314             ldns_rr_free(nsec_rr);
00315             return error;
00316         }
00317         /* commit */
00318         denial->rrset->initialized = 0; /* hack */
00319         error = rrset_update(denial->rrset, 0);
00320         if (error) {
00321             se_log_alert("[%s] unable to nsecify: failed to "
00322                 "commit the NSEC RRset", denial_str);
00323             return error;
00324         }
00325         /* ok */
00326         denial->bitmap_changed = 0;
00327         denial->nxt_changed = 0;
00328     }
00329     return 0;
00330 }
00331 
00332 
00337 static ldns_rr*
00338 denial_create_nsec3(denial_type* denial, denial_type* nxt, uint32_t ttl,
00339     ldns_rr_class klass, nsec3params_type* nsec3params)
00340 {
00341     ldns_status status = LDNS_STATUS_OK;
00342     ldns_rr* nsec_rr = NULL;
00343     ldns_rdf* rdf = NULL;
00344     ldns_rdf* next_owner_label = NULL;
00345     ldns_rdf* next_owner_rdf = NULL;
00346     char* next_owner_string = NULL;
00347     domain_type* domain = NULL;
00348     ldns_rr_type types[SE_MAX_RRTYPE_COUNT];
00349     size_t types_count = 0;
00350     int i = 0;
00351 
00352     se_log_assert(denial);
00353     se_log_assert(denial->owner);
00354     se_log_assert(nxt);
00355     se_log_assert(nxt->owner);
00356     se_log_assert(nsec3params);
00357 
00358     nsec_rr = ldns_rr_new();
00359     if (!nsec_rr) {
00360         se_log_alert("[%s] unable to create NSEC3 RR: ldns error",
00361             denial_str);
00362         return NULL;
00363     }
00364     se_log_assert(nsec_rr);
00365 
00366     ldns_rr_set_type(nsec_rr, LDNS_RR_TYPE_NSEC3);
00367     rdf = ldns_rdf_clone(denial->owner);
00368     if (!rdf) {
00369         se_log_alert("[%s] unable to create NSEC3 RR: failed to clone owner",
00370             denial_str);
00371         ldns_rr_free(nsec_rr);
00372         return NULL;
00373     }
00374     ldns_rr_set_owner(nsec_rr, rdf);
00375 
00376     /* set all to NULL first, then call nsec3_add_param_rdfs. */
00377     for (i=0; i < SE_NSEC3_RDATA_NSEC3PARAMS; i++) {
00378         ldns_rr_push_rdf(nsec_rr, NULL);
00379     }
00380     ldns_nsec3_add_param_rdfs(nsec_rr, nsec3params->algorithm,
00381         nsec3params->flags, nsec3params->iterations,
00382         nsec3params->salt_len, nsec3params->salt_data);
00383     /* nxt owner label */
00384     next_owner_label = ldns_dname_label(nxt->owner, 0);
00385     if (!next_owner_label) {
00386         se_log_alert("[%s] unable to create NSEC3 RR: failed to get nxt "
00387             "owner label", denial_str);
00388         ldns_rr_free(nsec_rr);
00389         return NULL;
00390     }
00391     next_owner_string = ldns_rdf2str(next_owner_label);
00392     if (!next_owner_string) {
00393         se_log_alert("[%s] unable to create NSEC3 RR: failed to get nxt "
00394             "owner string", denial_str);
00395         ldns_rdf_deep_free(next_owner_label);
00396         ldns_rr_free(nsec_rr);
00397         return NULL;
00398     }
00399     if (next_owner_string[strlen(next_owner_string)-1] == '.') {
00400         next_owner_string[strlen(next_owner_string)-1] = '\0';
00401     }
00402     status = ldns_str2rdf_b32_ext(&next_owner_rdf, next_owner_string);
00403     free((void*)next_owner_string);
00404     ldns_rdf_deep_free(next_owner_label);
00405     if (status != LDNS_STATUS_OK) {
00406         se_log_alert("[%s] unable to create NSEC3 RR: failed to create nxt "
00407             "owner rdf: %s", denial_str, ldns_get_errorstr_by_id(status));
00408         ldns_rr_free(nsec_rr);
00409         return NULL;
00410     }
00411     ldns_rr_push_rdf(nsec_rr, next_owner_rdf);
00412 
00413     /* create types bitmap */
00414     denial_create_bitmap(denial, types, &types_count);
00415     /* only add RRSIG type if we have authoritative data to sign */
00416     domain = (domain_type*) denial->domain;
00417     if (domain_count_rrset(domain) > 0 &&
00418         (domain->domain_status == DOMAIN_STATUS_APEX ||
00419          domain->domain_status == DOMAIN_STATUS_AUTH ||
00420          domain->domain_status == DOMAIN_STATUS_DS)) {
00421         types[types_count] = LDNS_RR_TYPE_RRSIG;
00422         types_count++;
00423     }
00424     /* and don't add NSEC3 type... */
00425     rdf = ldns_dnssec_create_nsec_bitmap(types,
00426         types_count, LDNS_RR_TYPE_NSEC3);
00427     if (!rdf) {
00428         se_log_alert("[%s] unable to create NSEC3 RR: failed to create "
00429             "bitmap", denial_str);
00430         ldns_rr_free(nsec_rr);
00431         return NULL;
00432     }
00433     ldns_rr_push_rdf(nsec_rr, rdf);
00434     ldns_rr_set_ttl(nsec_rr, ttl);
00435     ldns_rr_set_class(nsec_rr, klass);
00436     return nsec_rr;
00437 }
00438 
00439 
00444 int
00445 denial_nsecify3(denial_type* denial, denial_type* nxt, uint32_t ttl,
00446     ldns_rr_class klass, nsec3params_type* nsec3params)
00447 {
00448     ldns_rr* nsec_rr = NULL;
00449     int error = 0;
00450 
00451     if (!denial) {
00452         se_log_error("[%s] unable to nsecify3: no data point", denial_str);
00453         return 1;
00454     }
00455     se_log_assert(denial);
00456 
00457     if (!nxt) {
00458         se_log_error("[%s] unable to nsecify3: no next", denial_str);
00459         return 1;
00460     }
00461     se_log_assert(nxt);
00462 
00463     if (denial->nxt_changed || denial->bitmap_changed) {
00464         /* assert there is a NSEC RRset */
00465         if (!denial->rrset) {
00466             denial->rrset = rrset_create(LDNS_RR_TYPE_NSEC3);
00467             if (!denial->rrset) {
00468                  se_log_alert("[%s] unable to nsecify3: failed to "
00469                 "create NSEC3 RRset", denial_str);
00470                 return 1;
00471             }
00472         }
00473         se_log_assert(denial->rrset);
00474         /* create new NSEC3 rr */
00475         nsec_rr = denial_create_nsec3(denial, nxt, ttl, klass, nsec3params);
00476         if (!nsec_rr) {
00477             se_log_alert("[%s] unable to nsecify3: failed to "
00478                 "create NSEC3 RR", denial_str);
00479             return 1;
00480         }
00481         se_log_assert(nsec_rr);
00482         /* delete old NSEC RR(s) */
00483         error = rrset_del_rrs(denial->rrset);
00484         if (error) {
00485             se_log_alert("[%s] unable to nsecify3: failed to "
00486                 "wipe out NSEC3 RRset", denial_str);
00487             return error;
00488         }
00489        /* add the new one */
00490         error = rrset_add_rr(denial->rrset, nsec_rr);
00491         if (error) {
00492             se_log_alert("[%s] unable to nsecify3: failed to "
00493                 "add NSEC3 to RRset", denial_str);
00494             return error;
00495         }
00496         /* commit */
00497         denial->rrset->initialized = 0; /* hack */
00498         error = rrset_update(denial->rrset, 0);
00499         if (error) {
00500             se_log_alert("[%s] unable to nsecify3: failed to "
00501                 "commit the NSEC3 RRset", denial_str);
00502             return error;
00503         }
00504         /* ok */
00505         denial->bitmap_changed = 0;
00506         denial->nxt_changed = 0;
00507     }
00508     return 0;
00509 }
00510 
00511 
00516 void
00517 denial_cleanup(denial_type* denial)
00518 {
00519     if (!denial) {
00520         return;
00521     }
00522     if (denial->owner) {
00523         ldns_rdf_deep_free(denial->owner);
00524         denial->owner = NULL;
00525     }
00526     if (denial->rrset) {
00527         rrset_cleanup(denial->rrset);
00528         denial->rrset = NULL;
00529     }
00530     free((void*)denial);
00531     return;
00532 
00533 }