import libdummyrpz test library for DNSRPS

libdummyrpz is a limited version of the fastrpz library for use in
testing the dnsrps API.

bin/tests/system/Makefile.am

@@ -11,11 +11,17 @@ dist-hook:
 
 SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver
 
+if DNSRPS
+SUBDIRS += rpz/testlib
+endif
+
 AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)
+	$(LIBISC_CFLAGS) 	\
+	$(LIBDNS_CFLAGS)
 
 LDADD +=			\
-	$(LIBISC_LIBS)
+	$(LIBISC_LIBS)		\
+	$(LIBDNS_LIBS)
 
 if HAVE_PERL
 
@@ -48,11 +54,13 @@ pipelined_pipequeries_LDADD =	\
 
 rpz_dnsrps_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
-	$(LIBDNS_CFLAGS)
+	$(LIBDNS_CFLAGS)	\
+	-DLIBRPZ_LIB_OPEN=\"$(abs_builddir)/rpz/testlib/.libs/libdummyrpz.so\"
 
 rpz_dnsrps_LDADD =		\
 	$(LDADD)		\
-	$(LIBDNS_LIBS)
+	$(LIBDNS_LIBS)		\
+	-ldl
 
 TESTS =
 

bin/tests/system/rpz/dnsrps.c

@@ -36,7 +36,6 @@
 #include <isc/util.h>
 
 #ifdef USE_DNSRPS
-#define LIBRPZ_LIB_OPEN DNSRPS_LIB_OPEN
 #include <dns/librpz.h>
 
 librpz_t *librpz;

bin/tests/system/rpz/testlib/Makefile.am

@@ -0,0 +1,12 @@
+include $(top_srcdir)/Makefile.top
+
+AM_CPPFLAGS +=			\
+	$(LIBISC_CFLAGS)	\
+	$(LIBDNS_CFLAGS)
+
+AM_CFLAGS += -Wall -pedantic
+
+check_LTLIBRARIES = libdummyrpz.la
+libdummyrpz_la_SOURCES= dummylib.c test-data.c trpz.h test-data.h
+libdummyrpz_la_LDFLAGS = -avoid-version -module -shared -export-dynamic -rpath $(abs_builddir)
+LDADD += -lpthread -ldl

bin/tests/system/rpz/testlib/test-data.h

@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Limited implementation of the DNSRPS API for testing purposes.
+ *
+ * Copyright (c) 2016-2017 Farsight Security, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LIBRPZ_LIB_OPEN 2
+#include <dns/librpz.h>
+
+#include "trpz.h"
+
+#define NODE_FLAG_IPV6_ADDRESS 0x1
+#define NODE_FLAG_STATIC_DATA  0x2
+
+#define ZOPT_POLICY_PASSTHRU 0x0001
+#define ZOPT_POLICY_DROP     0x0002
+#define ZOPT_POLICY_TCP_ONLY 0x0004
+#define ZOPT_POLICY_NXDOMAIN 0x0008
+#define ZOPT_POLICY_NODATA   0x0010
+#define ZOPT_POLICY_GIVEN    0x0020
+#define ZOPT_POLICY_DISABLED 0x0040
+
+#define ZOPT_RECURSIVE_ONLY	0x0100
+#define ZOPT_NOT_RECURSIVE_ONLY 0x0200
+#define ZOPT_QNAME_AS_NS	0x0400
+#define ZOPT_IP_AS_NS		0x0800
+
+#define ZOPT_QNAME_WAIT_RECURSE	   0x1000
+#define ZOPT_NO_QNAME_WAIT_RECURSE 0x2000
+#define ZOPT_NO_NSIP_WAIT_RECURSE  0x4000
+
+typedef struct {
+	char name[256];
+	uint32_t serial;
+	int has_update;
+	size_t rollback;
+	int has_triggers[2][LIBRPZ_TRIG_NSIP + 1];
+	bool forgotten;
+	bool qname_as_ns, ip_as_ns;
+	bool not_recursive_only;
+	bool no_qname_wait_recurse, no_nsip_wait_recurse;
+	unsigned long flags;
+} trpz_zone_t;
+
+typedef struct {
+	uint16_t type;
+	uint16_t class;
+	uint32_t ttl;
+	uint16_t rdlength;
+	uint8_t *rdata;
+	unsigned int rrn;
+} trpz_rr_t;
+
+typedef struct {
+	char *canonical;
+	char *dname;
+	librpz_result_t result;
+	uint32_t ttl;
+	trpz_rr_t *rrs;
+	size_t nrrs, rridx;
+	librpz_policy_t poverride, hidden_policy;
+	unsigned long flags;
+	librpz_trig_t match_trig;
+} trpz_result_t;
+
+#define DECL_NODE(canon, name, policy, znum, trig) \
+	{ canon, name, { 0, 0, policy, policy, znum, znum, trig, true } },
+
+#define NUM_ZONES_SNAPSHOT1 20
+
+extern const rpz_soa_t g_soa_record;
+
+#define WDNS_PRESLEN_NAME 1025
+extern size_t
+wdns_domain_to_str(const uint8_t *src, size_t src_len, char *dst);
+extern int
+wdns_str_to_name(const char *str, uint8_t **pbuf, bool downcase);
+
+extern void
+reverse_labels(const char *str, char *pbuf);
+
+extern rpz_soa_t *
+parse_serial(unsigned char *rdata, size_t rdlen);
+
+extern int
+load_all_updates(const char *fname, trpz_result_t **presults, size_t *pnresults,
+		 trpz_zone_t **pzones, size_t *pnzones, char **errp);
+extern int
+apply_update(const char *updstr, trpz_result_t **presults, size_t *pnresults,
+	     trpz_zone_t **pzones, size_t *pnzones, int is_static,
+	     unsigned long flags, char **errp);
+extern int
+sanity_check_data_file(const char *fname, char **errp);
+
+extern unsigned long
+parse_zone_options(const char *str);
+
+extern int
+get_address_info(const char *astr, int *pfamily, char *pbuf,
+		 const char *optname, char **errp);

bin/tests/system/rpz/testlib/trpz.h

@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Limited implementation of the DNSRPS API for testing purposes.
+ *
+ * Copyright (c) 2016-2017 Farsight Security, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef TRPZ_H
+#define TRPZ_H
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#define TARGET_ZONE "rpz-test.example.com"
+
+/* This should be in the librpz.h include. */
+union socku {
+	struct sockaddr sa;
+	struct sockaddr_in ipv4;
+	struct sockaddr_in6 ipv6;
+	struct sockaddr_un sun;
+};
+
+typedef struct {
+	const char *mname;
+	const char *rname;
+	uint32_t serial;
+	uint32_t refresh;
+	uint32_t retry;
+	uint32_t expire;
+	uint32_t minimum;
+} rpz_soa_t;
+
+#endif

configure.ac

@@ -1430,7 +1430,7 @@ no)
 	AC_MSG_RESULT(no)
 	;;
 *)
-	AC_MSG_ERROR("--enable-querytrace requires yes or no (not $enable_querytrace)")
+	AC_MSG_ERROR(["--enable-querytrace requires yes or no (not $enable_querytrace)"])
 	;;
 esac
 
@@ -1522,6 +1522,8 @@ AS_IF([test "$enable_dnsrps" != "no"],[
 	AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
       ])
 
+AM_CONDITIONAL([DNSRPS], [test "$enable_dnsrps" != "no"])
+
 AC_CHECK_HEADERS([glob.h])
 
 #
@@ -1590,7 +1592,9 @@ AC_CONFIG_FILES([bin/tests/Makefile
 		 bin/tests/system/conf.sh
 		 bin/tests/system/dyndb/driver/Makefile
 		 bin/tests/system/dlzexternal/driver/Makefile
-		 bin/tests/system/hooks/driver/Makefile])
+		 bin/tests/system/hooks/driver/Makefile
+		 bin/tests/system/rpz/testlib/Makefile
+                 ])
 
 AC_CONFIG_FILES([bin/tests/system/ifconfig.sh],
 		[chmod +x bin/tests/system/ifconfig.sh])

lib/dns/dnsrps.c

@@ -98,12 +98,6 @@ dnsrps_log_fnc(librpz_log_level_t level, void *ctxt, const char *buf) {
 	}
 
 	switch (level) {
-	case LIBRPZ_LOG_FATAL:
-	case LIBRPZ_LOG_ERROR: /* errors */
-	default:
-		isc_level = DNS_RPZ_ERROR_LEVEL;
-		break;
-
 	case LIBRPZ_LOG_TRACE1: /* big events such as dnsrpzd starts */
 		isc_level = DNS_RPZ_INFO_LEVEL;
 		break;
@@ -119,6 +113,12 @@ dnsrps_log_fnc(librpz_log_level_t level, void *ctxt, const char *buf) {
 	case LIBRPZ_LOG_TRACE4: /* librpz lookups */
 		isc_level = DNS_RPZ_DEBUG_LEVEL3;
 		break;
+
+	case LIBRPZ_LOG_FATAL:
+	case LIBRPZ_LOG_ERROR: /* errors */
+	default:
+		isc_level = DNS_RPZ_ERROR_LEVEL;
+		break;
 	}
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
 		      isc_level, "dnsrps: %s", buf);
@@ -319,9 +319,6 @@ dns_dnsrps_2policy(librpz_policy_t rps_policy) {
 dns_rpz_type_t
 dns_dnsrps_trig2type(librpz_trig_t trig) {
 	switch (trig) {
-	case LIBRPZ_TRIG_BAD:
-	default:
-		return (DNS_RPZ_TYPE_BAD);
 	case LIBRPZ_TRIG_CLIENT_IP:
 		return (DNS_RPZ_TYPE_CLIENT_IP);
 	case LIBRPZ_TRIG_QNAME:
@@ -332,6 +329,9 @@ dns_dnsrps_trig2type(librpz_trig_t trig) {
 		return (DNS_RPZ_TYPE_NSDNAME);
 	case LIBRPZ_TRIG_NSIP:
 		return (DNS_RPZ_TYPE_NSIP);
+	case LIBRPZ_TRIG_BAD:
+	default:
+		return (DNS_RPZ_TYPE_BAD);
 	}
 }
 
@@ -341,9 +341,6 @@ dns_dnsrps_trig2type(librpz_trig_t trig) {
 librpz_trig_t
 dns_dnsrps_type2trig(dns_rpz_type_t type) {
 	switch (type) {
-	case DNS_RPZ_TYPE_BAD:
-	default:
-		return (LIBRPZ_TRIG_BAD);
 	case DNS_RPZ_TYPE_CLIENT_IP:
 		return (LIBRPZ_TRIG_CLIENT_IP);
 	case DNS_RPZ_TYPE_QNAME:
@@ -354,6 +351,9 @@ dns_dnsrps_type2trig(dns_rpz_type_t type) {
 		return (LIBRPZ_TRIG_NSDNAME);
 	case DNS_RPZ_TYPE_NSIP:
 		return (LIBRPZ_TRIG_NSIP);
+	case DNS_RPZ_TYPE_BAD:
+	default:
+		return (LIBRPZ_TRIG_BAD);
 	}
 }
 
@@ -493,6 +493,16 @@ rpsdb_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(node == &rpsdb->data_node);
 
 	switch (rpsdb->result.policy) {
+	case LIBRPZ_POLICY_NXDOMAIN:
+		return (DNS_R_NXDOMAIN);
+
+	case LIBRPZ_POLICY_NODATA:
+		return (DNS_R_NXRRSET);
+
+	case LIBRPZ_POLICY_RECORD:
+	case LIBRPZ_POLICY_CNAME:
+		break;
+
 	case LIBRPZ_POLICY_UNDEFINED:
 	case LIBRPZ_POLICY_DELETED:
 	case LIBRPZ_POLICY_PASSTHRU:
@@ -505,16 +515,6 @@ rpsdb_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			    "impossible dnsrps policy %d at %s:%d",
 			    rpsdb->result.policy, __FILE__, __LINE__);
 		return (DNS_R_SERVFAIL);
-
-	case LIBRPZ_POLICY_NXDOMAIN:
-		return (DNS_R_NXDOMAIN);
-
-	case LIBRPZ_POLICY_NODATA:
-		return (DNS_R_NXRRSET);
-
-	case LIBRPZ_POLICY_RECORD:
-	case LIBRPZ_POLICY_CNAME:
-		break;
 	}
 
 	if (type == dns_rdatatype_soa) {

lib/dns/include/dns/librpz.h

@@ -55,6 +55,8 @@
 #define LIBDEF_F(f)
 #endif /* ifdef LIBRPZ_INTERNAL */
 
+#define LIBRPZ_MAXDOMAIN 255
+
 /*
  * Response Policy Zone triggers.
  *	Comparisons of trigger precedences require
@@ -125,7 +127,7 @@ typedef struct librpz_prefix {
 typedef uint8_t librpz_dsize_t;
 typedef struct librpz_domain {
 	librpz_dsize_t size; /* of only .d */
-	uint8_t	       d[0]; /* variable length wire format */
+	uint8_t	       d[];  /* variable length wire format */
 } librpz_domain_t;
 
 /*
@@ -133,7 +135,7 @@ typedef struct librpz_domain {
  */
 typedef struct librpz_domain_buf {
 	librpz_dsize_t size;
-	uint8_t	       d[NS_MAXCDNAME];
+	uint8_t	       d[LIBRPZ_MAXDOMAIN];
 } librpz_domain_buf_t;
 
 /*
@@ -145,7 +147,7 @@ typedef struct {
 	uint16_t class;	   /* network byte order */
 	uint32_t ttl;	   /* network byte order */
 	uint16_t rdlength; /* network byte order */
-	uint8_t	 rdata[0]; /* variable length */
+	uint8_t	 rdata[];  /* variable length */
 } librpz_rr_t;
 
 /*
@@ -169,8 +171,7 @@ typedef struct librpz_result {
 	librpz_dznum_t	   dznum;   /* dnsrpzd zone number */
 	librpz_cznum_t	   cznum;   /* librpz client zone number */
 	librpz_trig_t	   trig : LIBRPZ_TRIG_SIZE;
-	bool		   log : 1; /* log rewrite given librpz_log_level
-				     * */
+	bool		   log : 1; /* log rewrite at given log level */
 } librpz_result_t;
 
 /**

lib/ns/query.c

@@ -3348,6 +3348,8 @@ dnsrps_ck(librpz_emsg_t *emsg, ns_client_t *client, rpsdb_t *rpsdb,
 	isc_region_t region;
 	librpz_domain_buf_t pname_buf;
 
+	CTRACE(ISC_LOG_DEBUG(3), "dnsrps_ck");
+
 	if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) {
 		return (-1);
 	}
@@ -3396,18 +3398,18 @@ static bool
 dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st,
 	     dns_rdatatype_t qtype, dns_rdataset_t **p_rdatasetp,
 	     bool recursed) {
-	rpsdb_t *rpsdb;
+	rpsdb_t *rpsdb = NULL;
 	librpz_domain_buf_t pname_buf;
 	isc_region_t region;
-	dns_zone_t *p_zone;
-	dns_db_t *p_db;
-	dns_dbnode_t *p_node;
+	dns_zone_t *p_zone = NULL;
+	dns_db_t *p_db = NULL;
+	dns_dbnode_t *p_node = NULL;
 	dns_rpz_policy_t policy;
-	dns_fixedname_t foundf;
-	dns_name_t *found;
 	dns_rdatatype_t foundtype, searchtype;
 	isc_result_t result;
 
+	CTRACE(ISC_LOG_DEBUG(3), "dnsrps_set_p");
+
 	rpsdb = (rpsdb_t *)st->rpsdb;
 
 	if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) {
@@ -3437,9 +3439,6 @@ dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st,
 	region.length = pname_buf.size;
 	dns_name_fromregion(st->p_name, &region);
 
-	p_zone = NULL;
-	p_db = NULL;
-	p_node = NULL;
 	rpz_ready(client, p_rdatasetp);
 	dns_db_attach(st->rpsdb, &p_db);
 	policy = dns_dnsrps_2policy(rpsdb->result.policy);
@@ -3453,6 +3452,9 @@ dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st,
 		result = DNS_R_NXRRSET;
 		policy = DNS_RPZ_POLICY_NODATA;
 	} else {
+		dns_fixedname_t foundf;
+		dns_name_t *found = NULL;
+
 		/*
 		 * Get the next (and so first) RR from the policy node.
 		 * If it is a CNAME, then look for it regardless of the
@@ -3464,6 +3466,7 @@ dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st,
 		{
 			return (false);
 		}
+
 		if (foundtype == dns_rdatatype_cname) {
 			searchtype = dns_rdatatype_cname;
 		} else {
@@ -3511,6 +3514,8 @@ dnsrps_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr,
 	librpz_emsg_t emsg;
 	isc_result_t result;
 
+	CTRACE(ISC_LOG_DEBUG(3), "dnsrps_rewrite_ip");
+
 	st = client->query.rpz_st;
 	rpsdb = (rpsdb_t *)st->rpsdb;
 
@@ -3567,6 +3572,8 @@ dnsrps_rewrite_name(ns_client_t *client, dns_name_t *trig_name, bool recursed,
 	librpz_emsg_t emsg;
 	isc_result_t result;
 
+	CTRACE(ISC_LOG_DEBUG(3), "dnsrps_rewrite_name");
+
 	st = client->query.rpz_st;
 	rpsdb = (rpsdb_t *)st->rpsdb;
 
@@ -4201,6 +4208,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 			if (st->rpsdb != NULL) {
 				dns_db_detach(&st->rpsdb);
 			}
+			CTRACE(ISC_LOG_DEBUG(3), "dns_dnsrps_rewrite_init");
 			result = dns_dnsrps_rewrite_init(
 				&emsg, st, rpzs, client->query.qname,
 				client->manager->mctx, RECURSIONOK(client));