diff options
Diffstat (limited to 'contrib/bind9/lib/dns/ssu.c')
-rw-r--r-- | contrib/bind9/lib/dns/ssu.c | 613 |
1 files changed, 0 insertions, 613 deletions
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c deleted file mode 100644 index 49a777a..0000000 --- a/contrib/bind9/lib/dns/ssu.c +++ /dev/null @@ -1,613 +0,0 @@ -/* - * Copyright (C) 2004-2008, 2010, 2011, 2013 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/*! \file */ -/* - * $Id: ssu.c,v 1.38 2011/01/06 23:47:00 tbox Exp $ - * Principal Author: Brian Wellington - */ - -#include <config.h> - -#include <isc/magic.h> -#include <isc/mem.h> -#include <isc/netaddr.h> -#include <isc/result.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/dlz.h> -#include <dns/fixedname.h> -#include <dns/name.h> -#include <dns/ssu.h> - -#include <dst/gssapi.h> -#include <dst/dst.h> - -#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T') -#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC) - -#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R') -#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC) - -struct dns_ssurule { - unsigned int magic; - isc_boolean_t grant; /*%< is this a grant or a deny? */ - unsigned int matchtype; /*%< which type of pattern match? */ - dns_name_t *identity; /*%< the identity to match */ - dns_name_t *name; /*%< the name being updated */ - unsigned int ntypes; /*%< number of data types covered */ - dns_rdatatype_t *types; /*%< the data types. Can include ANY, */ - /*%< defaults to all but SIG,SOA,NS if NULL */ - ISC_LINK(dns_ssurule_t) link; -}; - -struct dns_ssutable { - unsigned int magic; - isc_mem_t *mctx; - unsigned int references; - isc_mutex_t lock; - dns_dlzdb_t *dlzdatabase; - ISC_LIST(dns_ssurule_t) rules; -}; - -isc_result_t -dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) { - isc_result_t result; - dns_ssutable_t *table; - - REQUIRE(tablep != NULL && *tablep == NULL); - REQUIRE(mctx != NULL); - - table = isc_mem_get(mctx, sizeof(dns_ssutable_t)); - if (table == NULL) - return (ISC_R_NOMEMORY); - result = isc_mutex_init(&table->lock); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, table, sizeof(dns_ssutable_t)); - return (result); - } - table->references = 1; - table->mctx = NULL; - isc_mem_attach(mctx, &table->mctx); - ISC_LIST_INIT(table->rules); - table->magic = SSUTABLEMAGIC; - *tablep = table; - return (ISC_R_SUCCESS); -} - -static inline void -destroy(dns_ssutable_t *table) { - isc_mem_t *mctx; - - REQUIRE(VALID_SSUTABLE(table)); - - mctx = table->mctx; - while (!ISC_LIST_EMPTY(table->rules)) { - dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules); - if (rule->identity != NULL) { - dns_name_free(rule->identity, mctx); - isc_mem_put(mctx, rule->identity, sizeof(dns_name_t)); - } - if (rule->name != NULL) { - dns_name_free(rule->name, mctx); - isc_mem_put(mctx, rule->name, sizeof(dns_name_t)); - } - if (rule->types != NULL) - isc_mem_put(mctx, rule->types, - rule->ntypes * sizeof(dns_rdatatype_t)); - ISC_LIST_UNLINK(table->rules, rule, link); - rule->magic = 0; - isc_mem_put(mctx, rule, sizeof(dns_ssurule_t)); - } - DESTROYLOCK(&table->lock); - table->magic = 0; - isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t)); -} - -void -dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) { - REQUIRE(VALID_SSUTABLE(source)); - REQUIRE(targetp != NULL && *targetp == NULL); - - LOCK(&source->lock); - - INSIST(source->references > 0); - source->references++; - INSIST(source->references != 0); - - UNLOCK(&source->lock); - - *targetp = source; -} - -void -dns_ssutable_detach(dns_ssutable_t **tablep) { - dns_ssutable_t *table; - isc_boolean_t done = ISC_FALSE; - - REQUIRE(tablep != NULL); - table = *tablep; - REQUIRE(VALID_SSUTABLE(table)); - - LOCK(&table->lock); - - INSIST(table->references > 0); - if (--table->references == 0) - done = ISC_TRUE; - UNLOCK(&table->lock); - - *tablep = NULL; - - if (done) - destroy(table); -} - -isc_result_t -dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant, - dns_name_t *identity, unsigned int matchtype, - dns_name_t *name, unsigned int ntypes, - dns_rdatatype_t *types) -{ - dns_ssurule_t *rule; - isc_mem_t *mctx; - isc_result_t result; - - REQUIRE(VALID_SSUTABLE(table)); - REQUIRE(dns_name_isabsolute(identity)); - REQUIRE(dns_name_isabsolute(name)); - REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX); - if (matchtype == DNS_SSUMATCHTYPE_WILDCARD) - REQUIRE(dns_name_iswildcard(name)); - if (ntypes > 0) - REQUIRE(types != NULL); - - mctx = table->mctx; - rule = isc_mem_get(mctx, sizeof(dns_ssurule_t)); - if (rule == NULL) - return (ISC_R_NOMEMORY); - - rule->identity = NULL; - rule->name = NULL; - rule->types = NULL; - - rule->grant = grant; - - rule->identity = isc_mem_get(mctx, sizeof(dns_name_t)); - if (rule->identity == NULL) { - result = ISC_R_NOMEMORY; - goto failure; - } - dns_name_init(rule->identity, NULL); - result = dns_name_dup(identity, mctx, rule->identity); - if (result != ISC_R_SUCCESS) - goto failure; - - rule->name = isc_mem_get(mctx, sizeof(dns_name_t)); - if (rule->name == NULL) { - result = ISC_R_NOMEMORY; - goto failure; - } - dns_name_init(rule->name, NULL); - result = dns_name_dup(name, mctx, rule->name); - if (result != ISC_R_SUCCESS) - goto failure; - - rule->matchtype = matchtype; - - rule->ntypes = ntypes; - if (ntypes > 0) { - rule->types = isc_mem_get(mctx, - ntypes * sizeof(dns_rdatatype_t)); - if (rule->types == NULL) { - result = ISC_R_NOMEMORY; - goto failure; - } - memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t)); - } else - rule->types = NULL; - - rule->magic = SSURULEMAGIC; - ISC_LIST_INITANDAPPEND(table->rules, rule, link); - - return (ISC_R_SUCCESS); - - failure: - if (rule->identity != NULL) { - if (dns_name_dynamic(rule->identity)) - dns_name_free(rule->identity, mctx); - isc_mem_put(mctx, rule->identity, sizeof(dns_name_t)); - } - if (rule->name != NULL) { - if (dns_name_dynamic(rule->name)) - dns_name_free(rule->name, mctx); - isc_mem_put(mctx, rule->name, sizeof(dns_name_t)); - } - if (rule->types != NULL) - isc_mem_put(mctx, rule->types, - ntypes * sizeof(dns_rdatatype_t)); - isc_mem_put(mctx, rule, sizeof(dns_ssurule_t)); - - return (result); -} - -static inline isc_boolean_t -isusertype(dns_rdatatype_t type) { - return (ISC_TF(type != dns_rdatatype_ns && - type != dns_rdatatype_soa && - type != dns_rdatatype_rrsig)); -} - -static void -reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) { - char buf[16 * 4 + sizeof("IP6.ARPA.")]; - isc_result_t result; - unsigned char *ap; - isc_buffer_t b; - unsigned long l; - - switch (tcpaddr->family) { - case AF_INET: - l = ntohl(tcpaddr->type.in.s_addr); - result = isc_string_printf(buf, sizeof(buf), - "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.", - (l >> 0) & 0xff, (l >> 8) & 0xff, - (l >> 16) & 0xff, (l >> 24) & 0xff); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - break; - case AF_INET6: - ap = tcpaddr->type.in6.s6_addr; - result = isc_string_printf(buf, sizeof(buf), - "%x.%x.%x.%x.%x.%x.%x.%x." - "%x.%x.%x.%x.%x.%x.%x.%x." - "%x.%x.%x.%x.%x.%x.%x.%x." - "%x.%x.%x.%x.%x.%x.%x.%x." - "IP6.ARPA.", - ap[15] & 0x0f, (ap[15] >> 4) & 0x0f, - ap[14] & 0x0f, (ap[14] >> 4) & 0x0f, - ap[13] & 0x0f, (ap[13] >> 4) & 0x0f, - ap[12] & 0x0f, (ap[12] >> 4) & 0x0f, - ap[11] & 0x0f, (ap[11] >> 4) & 0x0f, - ap[10] & 0x0f, (ap[10] >> 4) & 0x0f, - ap[9] & 0x0f, (ap[9] >> 4) & 0x0f, - ap[8] & 0x0f, (ap[8] >> 4) & 0x0f, - ap[7] & 0x0f, (ap[7] >> 4) & 0x0f, - ap[6] & 0x0f, (ap[6] >> 4) & 0x0f, - ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, - ap[4] & 0x0f, (ap[4] >> 4) & 0x0f, - ap[3] & 0x0f, (ap[3] >> 4) & 0x0f, - ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, - ap[1] & 0x0f, (ap[1] >> 4) & 0x0f, - ap[0] & 0x0f, (ap[0] >> 4) & 0x0f); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - break; - default: - INSIST(0); - } - isc_buffer_init(&b, buf, strlen(buf)); - isc_buffer_add(&b, strlen(buf)); - result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); -} - -static void -stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) { - char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")]; - isc_result_t result; - unsigned char *ap; - isc_buffer_t b; - unsigned long l; - - switch(tcpaddr->family) { - case AF_INET: - l = ntohl(tcpaddr->type.in.s_addr); - result = isc_string_printf(buf, sizeof(buf), - "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx" - "2.0.0.2.IP6.ARPA.", - l & 0xf, (l >> 4) & 0xf, - (l >> 8) & 0xf, (l >> 12) & 0xf, - (l >> 16) & 0xf, (l >> 20) & 0xf, - (l >> 24) & 0xf, (l >> 28) & 0xf); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - break; - case AF_INET6: - ap = tcpaddr->type.in6.s6_addr; - result = isc_string_printf(buf, sizeof(buf), - "%x.%x.%x.%x.%x.%x.%x.%x." - "%x.%x.%x.%x.IP6.ARPA.", - ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, - ap[4] & 0x0f, (ap[4] >> 4) & 0x0f, - ap[3] & 0x0f, (ap[3] >> 4) & 0x0f, - ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, - ap[1] & 0x0f, (ap[1] >> 4) & 0x0f, - ap[0] & 0x0f, (ap[0] >> 4) & 0x0f); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - break; - default: - INSIST(0); - } - isc_buffer_init(&b, buf, strlen(buf)); - isc_buffer_add(&b, strlen(buf)); - result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); -} - -isc_boolean_t -dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer, - dns_name_t *name, isc_netaddr_t *tcpaddr, - dns_rdatatype_t type, - const dst_key_t *key) -{ - dns_ssurule_t *rule; - unsigned int i; - dns_fixedname_t fixed; - dns_name_t *wildcard; - dns_name_t *tcpself; - dns_name_t *stfself; - isc_result_t result; - - REQUIRE(VALID_SSUTABLE(table)); - REQUIRE(signer == NULL || dns_name_isabsolute(signer)); - REQUIRE(dns_name_isabsolute(name)); - - if (signer == NULL && tcpaddr == NULL) - return (ISC_FALSE); - - for (rule = ISC_LIST_HEAD(table->rules); - rule != NULL; - rule = ISC_LIST_NEXT(rule, link)) - { - switch (rule->matchtype) { - case DNS_SSUMATCHTYPE_NAME: - case DNS_SSUMATCHTYPE_SUBDOMAIN: - case DNS_SSUMATCHTYPE_WILDCARD: - case DNS_SSUMATCHTYPE_SELF: - case DNS_SSUMATCHTYPE_SELFSUB: - case DNS_SSUMATCHTYPE_SELFWILD: - if (signer == NULL) - continue; - if (dns_name_iswildcard(rule->identity)) { - if (!dns_name_matcheswildcard(signer, - rule->identity)) - continue; - } else { - if (!dns_name_equal(signer, rule->identity)) - continue; - } - break; - case DNS_SSUMATCHTYPE_SELFKRB5: - case DNS_SSUMATCHTYPE_SELFMS: - case DNS_SSUMATCHTYPE_SUBDOMAINKRB5: - case DNS_SSUMATCHTYPE_SUBDOMAINMS: - if (signer == NULL) - continue; - break; - case DNS_SSUMATCHTYPE_TCPSELF: - case DNS_SSUMATCHTYPE_6TO4SELF: - if (tcpaddr == NULL) - continue; - break; - } - - switch (rule->matchtype) { - case DNS_SSUMATCHTYPE_NAME: - if (!dns_name_equal(name, rule->name)) - continue; - break; - case DNS_SSUMATCHTYPE_SUBDOMAIN: - if (!dns_name_issubdomain(name, rule->name)) - continue; - break; - case DNS_SSUMATCHTYPE_WILDCARD: - if (!dns_name_matcheswildcard(name, rule->name)) - continue; - break; - case DNS_SSUMATCHTYPE_SELF: - if (!dns_name_equal(signer, name)) - continue; - break; - case DNS_SSUMATCHTYPE_SELFSUB: - if (!dns_name_issubdomain(name, signer)) - continue; - break; - case DNS_SSUMATCHTYPE_SELFWILD: - dns_fixedname_init(&fixed); - wildcard = dns_fixedname_name(&fixed); - result = dns_name_concatenate(dns_wildcardname, signer, - wildcard, NULL); - if (result != ISC_R_SUCCESS) - continue; - if (!dns_name_matcheswildcard(name, wildcard)) - continue; - break; - case DNS_SSUMATCHTYPE_SELFKRB5: - if (!dst_gssapi_identitymatchesrealmkrb5(signer, name, - rule->identity)) - continue; - break; - case DNS_SSUMATCHTYPE_SELFMS: - if (!dst_gssapi_identitymatchesrealmms(signer, name, - rule->identity)) - continue; - break; - case DNS_SSUMATCHTYPE_SUBDOMAINKRB5: - if (!dns_name_issubdomain(name, rule->name)) - continue; - if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL, - rule->identity)) - continue; - break; - case DNS_SSUMATCHTYPE_SUBDOMAINMS: - if (!dns_name_issubdomain(name, rule->name)) - continue; - if (!dst_gssapi_identitymatchesrealmms(signer, NULL, - rule->identity)) - continue; - break; - case DNS_SSUMATCHTYPE_TCPSELF: - dns_fixedname_init(&fixed); - tcpself = dns_fixedname_name(&fixed); - reverse_from_address(tcpself, tcpaddr); - if (dns_name_iswildcard(rule->identity)) { - if (!dns_name_matcheswildcard(tcpself, - rule->identity)) - continue; - } else { - if (!dns_name_equal(tcpself, rule->identity)) - continue; - } - if (!dns_name_equal(tcpself, name)) - continue; - break; - case DNS_SSUMATCHTYPE_6TO4SELF: - dns_fixedname_init(&fixed); - stfself = dns_fixedname_name(&fixed); - stf_from_address(stfself, tcpaddr); - if (dns_name_iswildcard(rule->identity)) { - if (!dns_name_matcheswildcard(stfself, - rule->identity)) - continue; - } else { - if (!dns_name_equal(stfself, rule->identity)) - continue; - } - if (!dns_name_equal(stfself, name)) - continue; - break; - case DNS_SSUMATCHTYPE_EXTERNAL: - if (!dns_ssu_external_match(rule->identity, signer, - name, tcpaddr, type, key, - table->mctx)) - continue; - break; - case DNS_SSUMATCHTYPE_DLZ: - if (!dns_dlz_ssumatch(table->dlzdatabase, signer, - name, tcpaddr, type, key)) - continue; - break; - } - - if (rule->ntypes == 0) { - /* - * If this is a DLZ rule, then the DLZ ssu - * checks will have already checked - * the type. - */ - if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ && - !isusertype(type)) - continue; - } else { - for (i = 0; i < rule->ntypes; i++) { - if (rule->types[i] == dns_rdatatype_any || - rule->types[i] == type) - break; - } - if (i == rule->ntypes) - continue; - } - return (rule->grant); - } - - return (ISC_FALSE); -} - -isc_boolean_t -dns_ssurule_isgrant(const dns_ssurule_t *rule) { - REQUIRE(VALID_SSURULE(rule)); - return (rule->grant); -} - -dns_name_t * -dns_ssurule_identity(const dns_ssurule_t *rule) { - REQUIRE(VALID_SSURULE(rule)); - return (rule->identity); -} - -unsigned int -dns_ssurule_matchtype(const dns_ssurule_t *rule) { - REQUIRE(VALID_SSURULE(rule)); - return (rule->matchtype); -} - -dns_name_t * -dns_ssurule_name(const dns_ssurule_t *rule) { - REQUIRE(VALID_SSURULE(rule)); - return (rule->name); -} - -unsigned int -dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) { - REQUIRE(VALID_SSURULE(rule)); - REQUIRE(types != NULL && *types != NULL); - *types = rule->types; - return (rule->ntypes); -} - -isc_result_t -dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) { - REQUIRE(VALID_SSUTABLE(table)); - REQUIRE(rule != NULL && *rule == NULL); - *rule = ISC_LIST_HEAD(table->rules); - return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE); -} - -isc_result_t -dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) { - REQUIRE(VALID_SSURULE(rule)); - REQUIRE(nextrule != NULL && *nextrule == NULL); - *nextrule = ISC_LIST_NEXT(rule, link); - return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE); -} - -/* - * Create a specialised SSU table that points at an external DLZ database - */ -isc_result_t -dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, - dns_dlzdb_t *dlzdatabase) -{ - isc_result_t result; - dns_ssurule_t *rule; - dns_ssutable_t *table = NULL; - - REQUIRE(tablep != NULL && *tablep == NULL); - - result = dns_ssutable_create(mctx, &table); - if (result != ISC_R_SUCCESS) - return (result); - - table->dlzdatabase = dlzdatabase; - - rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t)); - if (rule == NULL) { - dns_ssutable_detach(&table); - return (ISC_R_NOMEMORY); - } - - rule->identity = NULL; - rule->name = NULL; - rule->types = NULL; - rule->grant = ISC_TRUE; - rule->matchtype = DNS_SSUMATCHTYPE_DLZ; - rule->ntypes = 0; - rule->types = NULL; - rule->magic = SSURULEMAGIC; - - ISC_LIST_INITANDAPPEND(table->rules, rule, link); - *tablep = table; - return (ISC_R_SUCCESS); -} |