1541. [func] NSEC now uses new bitmap format.

2025-09-04 00:25:29 +00:00 · 2003-12-13 04:20:44 +00:00
parent 62bdc6103b
commit 185fd22738
6 changed files with 198 additions and 79 deletions
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 1542.	[placeholder]
-1541.	[placeholder]	rt10038
+1541.	[func]		NSEC now uses new bitmap format.
 1540.	[placeholder]	rt8934
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.170 2003/10/01 04:10:26 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.171 2003/12/13 04:20:42 marka Exp $ */
 #include <config.h>
@@ -652,11 +652,11 @@ nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_nsec_t nsec;
 	unsigned int newlen;
-	unsigned char bitmap[16];
+	unsigned char bitmap[8192 + 512];
-	unsigned char nsecdata[16 + DNS_NAME_MAXWIRE];
+	unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
 	isc_boolean_t answer = ISC_FALSE;
-
+	unsigned int i, len, window;
-	INSIST(type < 128);
+	int octet;
 	result = dns_rdataset_first(rdataset);
 	check_result(result, "dns_rdataset_first()");
@@ -666,14 +666,34 @@ nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
 	INSIST(nsec.len <= sizeof(bitmap));
-	newlen = sizeof(bitmap);
+	newlen = 0;
 	memset(bitmap, 0, sizeof(bitmap));
-	memcpy(bitmap, nsec.typebits, nsec.len);
+	for (i = 0; i < nsec.len; i += len) {
-	set_bit(bitmap, type, val);
+		INSIST(i + 2 <= nsec.len);
-
+		window = nsec.typebits[i];
-	while (newlen > 0 && bitmap[newlen - 1] == 0)
+		len = nsec.typebits[i+1];
-		newlen--;
+		i += 2;
 		INSIST(len > 0 && len <= 32);
 		INSIST(i + len <= nsec.len);
 		memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
 	}
 	set_bit(bitmap + 512, type, val);
 	for (window = 0; window < 256; window++) {
 		for (octet = 31; octet >= 0; octet--)
 			if (bitmap[window * 32 + 512 + octet] != 0)
 				break;
 		if (octet < 0)
 			continue;
 		bitmap[newlen] = window;
 		bitmap[newlen + 1] = octet + 1;
 		newlen += 2;
 		/*
 		 * Overlapping move.
 		 */
 		memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
 		newlen += octet + 1;
 	}
 	if (newlen != nsec.len ||
 	    memcmp(nsec.typebits, bitmap, newlen) != 0) {
 		dns_rdata_t newrdata = DNS_RDATA_INIT;
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsec.h,v 1.2 2003/09/30 06:00:39 marka Exp $ */
+/* $Id: nsec.h,v 1.3 2003/12/13 04:20:43 marka Exp $ */
 #ifndef DNS_NSEC_H
 #define DNS_NSEC_H 1
@@ -23,8 +23,9 @@
 #include <isc/lang.h>
 #include <dns/types.h>
 #include <dns/name.h>
-#define DNS_NSEC_BUFFERSIZE (256 + 16)
+#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
 ISC_LANG_BEGINDECLS
@@ -59,8 +60,6 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
 *
 * Requires:
 *	'nsec' points to a valid rdataset of type NSEC
 *	'type' < 128
 *
 */
 ISC_LANG_ENDDECLS
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsec.c,v 1.3 2003/10/01 04:07:27 marka Exp $ */
+/* $Id: nsec.c,v 1.4 2003/12/13 04:20:43 marka Exp $ */
 #include <config.h>
@@ -69,9 +69,10 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	isc_result_t result;
 	dns_rdataset_t rdataset;
 	isc_region_t r;
-	int i;
+	unsigned int i, window;
 	int octet;
-	unsigned char *nsec_bits;
+	unsigned char *nsec_bits, *bm;
 	unsigned int max_type;
 	dns_rdatasetiter_t *rdsiter;
@@ -79,8 +80,13 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	dns_name_toregion(target, &r);
 	memcpy(buffer, r.base, r.length);
 	r.base = buffer;
 	/*
 	 * Use the end of the space for a raw bitmap leaving enough
 	 * space for the window identifiers and length octets.
 	 */
 	bm = r.base + r.length + 512;
 	nsec_bits = r.base + r.length;
-	set_bit(nsec_bits, dns_rdatatype_nsec, 1);
+	set_bit(bm, dns_rdatatype_nsec, 1);
 	max_type = dns_rdatatype_nsec;
 	dns_rdataset_init(&rdataset);
 	rdsiter = NULL;
@@ -92,13 +98,10 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	     result = dns_rdatasetiter_next(rdsiter))
 	{
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		if (rdataset.type > 127)
 			/* XXX "rdataset type too large" */
 			return (ISC_R_RANGE);
 		if (rdataset.type != dns_rdatatype_nsec) {
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
-			set_bit(nsec_bits, rdataset.type, 1);
+			set_bit(bm, rdataset.type, 1);
 		}
 		dns_rdataset_disassociate(&rdataset);
 	}
@@ -106,12 +109,12 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	/*
 	 * At zone cuts, deny the existence of glue in the parent zone.
 	 */
-	if (bit_isset(nsec_bits, dns_rdatatype_ns) &&
+	if (bit_isset(bm, dns_rdatatype_ns) &&
-	    ! bit_isset(nsec_bits, dns_rdatatype_soa)) {
+	    ! bit_isset(bm, dns_rdatatype_soa)) {
-		for (i = 0; i < 128; i++) {
+		for (i = 0; i <= max_type; i++) {
-			if (bit_isset(nsec_bits, i) &&
+			if (bit_isset(bm, i) &&
 			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
-				set_bit(nsec_bits, i, 0);
+				set_bit(bm, i, 0);
 		}
 	}
@@ -119,7 +122,23 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	if (result != ISC_R_NOMORE)
 		return (result);
-	r.length += max_type / 8 + 1;
+	for (window = 0; window < 256; window++) {
 		if (window * 256 > max_type)
 			break;
 		for (octet = 31; octet >= 0; octet--)
 			if (bm[window * 32 + octet] != 0)
 				break;
 		if (octet < 0)
 			continue;
 		nsec_bits[0] = window;
 		nsec_bits[1] = octet + 1;
 		/*
 		 * Note: potential overlapping move.
 		 */
 		memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
 		nsec_bits += 3 + octet;
 	}
 	r.length = nsec_bits - r.base;
 	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
 	dns_rdata_fromregion(rdata,
 			     dns_db_class(db),
@@ -168,19 +187,32 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
 	dns_rdata_nsec_t nsecstruct;
 	isc_result_t result;
 	isc_boolean_t present;
 	unsigned int i, len, window;
 	REQUIRE(nsec != NULL);
 	REQUIRE(nsec->type == dns_rdatatype_nsec);
 	REQUIRE(type < 128);
 	/* This should never fail */
 	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
 	INSIST(result == ISC_R_SUCCESS);
-	if (type >= nsecstruct.len * 8)
+	present = ISC_FALSE;
-		present = ISC_FALSE;
+	for (i = 0; i < nsecstruct.len; i += len) {
-	else
+		INSIST(i + 2 <= nsecstruct.len);
-		present = ISC_TF(bit_isset(nsecstruct.typebits, type));
+		window = nsecstruct.typebits[i];
 		len = nsecstruct.typebits[i + 1];
 		INSIST(len > 0 && len <= 32);
 		i += 2;
 		INSIST(i + len <= nsecstruct.len);
 		if (window * 256 > type)
 			break;
 		if ((window + 1) * 256 <= type)
 			continue;
 		if (type < (window * 256) + len * 8)
 			present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
 						   type % 256));
 		break;
 	}
 	dns_rdata_freestruct(&nsec);
 	return (present);
 }
--- a/lib/dns/rdata/generic/nsec_47.c
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -15,11 +15,11 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: nsec_47.c,v 1.2 2003/09/30 06:00:40 marka Exp $ */
+/* $Id: nsec_47.c,v 1.3 2003/12/13 04:20:43 marka Exp $ */
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
-/* RFC 2535 */
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
 #ifndef RDATA_GENERIC_NSEC_47_C
 #define RDATA_GENERIC_NSEC_47_C
@@ -38,9 +38,9 @@ fromtext_nsec(ARGS_FROMTEXT) {
 	char *e;
 	unsigned char bm[8*1024]; /* 64k bits */
 	dns_rdatatype_t covered;
 	dns_rdatatype_t maxcovered = 0;
 	isc_boolean_t first = ISC_TRUE;
 	long n;
 	int octet;
 	int window;
 	REQUIRE(type == 47);
@@ -64,36 +64,35 @@ fromtext_nsec(ARGS_FROMTEXT) {
 					      isc_tokentype_string, ISC_TRUE));
 		if (token.type != isc_tokentype_string)
 			break;
-		n = strtol(DNS_AS_STR(token), &e, 10);
+		RETTOK(dns_rdatatype_fromtext(&covered,
-		if (e != DNS_AS_STR(token) && *e == '\0') {
+					      &token.value.as_textregion));
 			covered = (dns_rdatatype_t)n;
 		} else if (dns_rdatatype_fromtext(&covered,
 				&token.value.as_textregion) == DNS_R_UNKNOWN)
 			RETTOK(DNS_R_UNKNOWN);
 		/*
 		 * NSEC is only specified for types 1..127.
 		 */
 		if (covered < 1 || covered > 127)
 			return (ISC_R_RANGE);
 		if (first || covered > maxcovered)
 			maxcovered = covered;
 		first = ISC_FALSE;
 		bm[covered/8] |= (0x80>>(covered%8));
 	} while (1);
 	isc_lex_ungettoken(lexer, &token);
-	if (first)
+	for (window = 0; window < 256 ; window++) {
-		return (ISC_R_SUCCESS);
+		/*
-	n = (maxcovered + 8) / 8;
+		 * Find if we have a type in this window.
-	return (mem_tobuffer(target, bm, n));
+		 */
 		for (octet = 31; octet >= 0; octet--)
 			if (bm[window * 32 + octet] != 0)
 				break;
 		if (octet < 0)
 			continue;
 		RETERR(uint8_tobuffer(window, target));
 		RETERR(uint8_tobuffer(octet + 1, target));
 		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
 	}
 	return (ISC_R_SUCCESS);
 }
 static inline isc_result_t
 totext_nsec(ARGS_TOTEXT) {
 	isc_region_t sr;
-	unsigned int i, j;
+	unsigned int i, j, k;
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
 	unsigned int window, len;
 	REQUIRE(rdata->type == 47);
 	REQUIRE(rdata->length != 0);
@@ -106,30 +105,44 @@ totext_nsec(ARGS_TOTEXT) {
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	RETERR(dns_name_totext(&prefix, sub, target));
-	for (i = 0; i < sr.length; i++) {
+
-		if (sr.base[i] != 0)
+	for (i = 0; i < sr.length; i += len) {
-			for (j = 0; j < 8; j++)
+		INSIST(i + 2 <= sr.length);
-				if ((sr.base[i] & (0x80 >> j)) != 0) {
+		window = sr.base[i];
-					dns_rdatatype_t t = i * 8 + j;
+		len = sr.base[i + 1];
-					RETERR(str_totext(" ", target));
+		INSIST(len > 0 && len <= 32);
-					if (dns_rdatatype_isknown(t)) {
+		i += 2;
-						RETERR(dns_rdatatype_totext(t,
+		INSIST(i + len <= sr.length);
-								      target));
+		for (j = 0; j < len; j++) {
-					} else {
+			dns_rdatatype_t t;
-						char buf[sizeof("65535")];
+			if (sr.base[i + j] == 0)
-						sprintf(buf, "%u", t);
+				continue;
-						RETERR(str_totext(buf,
+			for (k = 0; k < 8; k++) {
-								  target));
+				if ((sr.base[i + j] & (0x80 >> k)) == 0)
-					}
+					continue;
 				t = window * 256 + j * 8 + k;
 				RETERR(str_totext(" ", target));
 				if (dns_rdatatype_isknown(t)) {
 					RETERR(dns_rdatatype_totext(t, target));
 				} else {
 					char buf[sizeof("TYPE65535")];
 					sprintf(buf, "TYPE%u", t);
 					RETERR(str_totext(buf, target));
 				}
 			}
 		}
 	}
 	return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static /* inline */ isc_result_t
 fromwire_nsec(ARGS_FROMWIRE) {
 	isc_region_t sr;
 	dns_name_t name;
 	unsigned int window, lastwindow = 0;
 	unsigned int len;
 	isc_boolean_t first = ISC_TRUE;
 	unsigned int i;
 	REQUIRE(type == 47);
@@ -142,9 +155,47 @@ fromwire_nsec(ARGS_FROMWIRE) {
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 	isc_buffer_activeregion(source, &sr);
-	/* XXXRTH  Enforce RFC 2535 length rules if bit 0 is not set. */
+	for (i = 0; i < sr.length; i += len) {
-	if (sr.length > 8 * 1024)
+		/*
 		 * Check for overflow.
 		 */
 		if (i + 2 > sr.length)
 			RETERR(DNS_R_FORMERR);
 		window = sr.base[i];
 		len = sr.base[i + 1];
 		i += 2;
 		/*
 		 * Check that bitmap windows are in the correct order.
 		 */
 		if (!first && window <= lastwindow)
 			RETERR(DNS_R_FORMERR);
 		/*
 		 * Check for legal lengths.
 		 */
 		if (len < 1 || len > 32)
 			RETERR(DNS_R_FORMERR);
 		/*
 		 * Check for overflow.
 		 */
 		if (i + len > sr.length)
 			RETERR(DNS_R_FORMERR);
 		/*
 		 * The last octet of the bitmap must be non zero.
 		 */
 		if (sr.base[i + len - 1] == 0)
 			RETERR(DNS_R_FORMERR);
 		/*
 		 * Type 0 is not valid.
 		 */
 		if (window == 0 && (sr.base[0] & 0x80) != 0)
 			RETERR(DNS_R_FORMERR);
 		lastwindow = window;
 		first = ISC_FALSE;
 	}
 	if (i != sr.length)
 		return (DNS_R_EXTRADATA);
 	if (first)
 		RETERR(DNS_R_FORMERR);
 	RETERR(mem_tobuffer(target, sr.base, sr.length));
 	isc_buffer_forward(source, sr.length);
 	return (ISC_R_SUCCESS);
@@ -189,6 +240,8 @@ static inline isc_result_t
 fromstruct_nsec(ARGS_FROMSTRUCT) {
 	dns_rdata_nsec_t *nsec = source;
 	isc_region_t region;
 	unsigned int i, len, window, lastwindow = 0;
 	isc_boolean_t first = ISC_TRUE;
 	REQUIRE(type == 47);
 	REQUIRE(source != NULL);
@@ -201,7 +254,22 @@ fromstruct_nsec(ARGS_FROMSTRUCT) {
 	dns_name_toregion(&nsec->next, &region);
 	RETERR(isc_buffer_copyregion(target, &region));
-
+	/*
 	 * Perform sanity check.
 	 */
 	for (i = 0; i < nsec->len ; i += len) {
 		INSIST(i + 2 <= nsec->len);
 		window = nsec->typebits[i];
 		len = nsec->typebits[i+1];
 		i += 2;
 		INSIST(first || window > lastwindow); 
 		INSIST(len > 0 && len <= 32);
 		INSIST(i + len <= nsec->len);
 		INSIST(nsec->typebits[i + len - 1] != 0);
 		lastwindow = window;
 		first = ISC_FALSE;
 	}
 	INSIST(!first);
 	return (mem_tobuffer(target, nsec->typebits, nsec->len));
 }
--- a/lib/dns/rdata/generic/nsec_47.h
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -18,9 +18,9 @@
 #ifndef GENERIC_NSEC_47_H
 #define GENERIC_NSEC_47_H 1
-/* $Id: nsec_47.h,v 1.2 2003/09/30 06:00:40 marka Exp $ */
+/* $Id: nsec_47.h,v 1.3 2003/12/13 04:20:44 marka Exp $ */
-/* RFC 2535 */
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
 typedef struct dns_rdata_nsec {
 	dns_rdatacommon_t	common;