2 * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
20 * This implements external update-policy rules. This allows permission
21 * to update a zone to be checked by consulting an external daemon (e.g.,
29 #ifdef ISC_PLATFORM_HAVESYSUNH
30 #include <sys/socket.h>
34 #include <isc/magic.h>
36 #include <isc/netaddr.h>
37 #include <isc/result.h>
38 #include <isc/string.h>
40 #include <isc/strerror.h>
42 #include <dns/fixedname.h>
46 #include <dns/rdatatype.h>
52 ssu_e_log(int level, const char *fmt, ...) {
56 isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY,
57 DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(level), fmt, ap);
63 * Connect to a UNIX domain socket.
66 ux_socket_connect(const char *path) {
68 #ifdef ISC_PLATFORM_HAVESYSUNH
69 struct sockaddr_un addr;
71 REQUIRE(path != NULL);
73 if (strlen(path) > sizeof(addr.sun_path)) {
74 ssu_e_log(3, "ssu_external: socket path '%s' "
75 "longer than system maximum %u",
76 path, sizeof(addr.sun_path));
80 memset(&addr, 0, sizeof(addr));
81 addr.sun_family = AF_UNIX;
82 strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
84 fd = socket(AF_UNIX, SOCK_STREAM, 0);
86 char strbuf[ISC_STRERRORSIZE];
87 isc__strerror(errno, strbuf, sizeof(strbuf));
88 ssu_e_log(3, "ssu_external: unable to create socket - %s",
93 if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
94 char strbuf[ISC_STRERRORSIZE];
95 isc__strerror(errno, strbuf, sizeof(strbuf));
96 ssu_e_log(3, "ssu_external: unable to connect to "
106 /* Change this version if you update the format of the request */
107 #define SSU_EXTERNAL_VERSION 1
110 * Perform an update-policy rule check against an external application
113 * This currently only supports local: for unix domain datagram sockets.
115 * Note that by using a datagram socket and creating a new socket each
116 * time we avoid the need for locking and allow for parallel access to
117 * the authorization server.
120 dns_ssu_external_match(dns_name_t *identity,
121 dns_name_t *signer, dns_name_t *name,
122 isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
123 const dst_key_t *key, isc_mem_t *mctx)
125 char b_identity[DNS_NAME_FORMATSIZE];
126 char b_signer[DNS_NAME_FORMATSIZE];
127 char b_name[DNS_NAME_FORMATSIZE];
128 char b_addr[ISC_NETADDR_FORMATSIZE];
129 char b_type[DNS_RDATATYPE_FORMATSIZE];
130 char b_key[DST_KEY_FORMATSIZE];
131 isc_buffer_t *tkey_token = NULL;
133 const char *sock_path;
134 unsigned int req_len;
135 isc_region_t token_region;
138 isc_uint32_t token_len = 0;
142 /* The identity contains local:/path/to/socket */
143 dns_name_format(identity, b_identity, sizeof(b_identity));
145 /* For now only local: is supported */
146 if (strncmp(b_identity, "local:", 6) != 0) {
147 ssu_e_log(3, "ssu_external: invalid socket path '%s'",
151 sock_path = &b_identity[6];
153 fd = ux_socket_connect(sock_path);
158 dst_key_format(key, b_key, sizeof(b_key));
159 tkey_token = dst_key_tkeytoken(key);
163 if (tkey_token != NULL) {
164 isc_buffer_region(tkey_token, &token_region);
165 token_len = token_region.length;
168 /* Format the request elements */
170 dns_name_format(signer, b_signer, sizeof(b_signer));
174 dns_name_format(name, b_name, sizeof(b_name));
177 isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
181 dns_rdatatype_format(type, b_type, sizeof(b_type));
183 /* Work out how big the request will be */
184 req_len = sizeof(isc_uint32_t) + /* Format version */
185 sizeof(isc_uint32_t) + /* Length */
186 strlen(b_signer) + 1 + /* Signer */
187 strlen(b_name) + 1 + /* Name */
188 strlen(b_addr) + 1 + /* Address */
189 strlen(b_type) + 1 + /* Type */
190 strlen(b_key) + 1 + /* Key */
191 sizeof(isc_uint32_t) + /* tkey_token length */
192 token_len; /* tkey_token */
195 /* format the buffer */
196 data = isc_mem_allocate(mctx, req_len);
202 isc_buffer_init(&buf, data, req_len);
203 isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
204 isc_buffer_putuint32(&buf, req_len);
206 /* Strings must be null-terminated */
207 isc_buffer_putstr(&buf, b_signer);
208 isc_buffer_putuint8(&buf, 0);
209 isc_buffer_putstr(&buf, b_name);
210 isc_buffer_putuint8(&buf, 0);
211 isc_buffer_putstr(&buf, b_addr);
212 isc_buffer_putuint8(&buf, 0);
213 isc_buffer_putstr(&buf, b_type);
214 isc_buffer_putuint8(&buf, 0);
215 isc_buffer_putstr(&buf, b_key);
216 isc_buffer_putuint8(&buf, 0);
218 isc_buffer_putuint32(&buf, token_len);
219 if (tkey_token && token_len != 0)
220 isc_buffer_putmem(&buf, token_region.base, token_len);
222 ENSURE(isc_buffer_availablelength(&buf) == 0);
224 /* Send the request */
225 ret = write(fd, data, req_len);
226 isc_mem_free(mctx, data);
227 if (ret != (ssize_t) req_len) {
228 char strbuf[ISC_STRERRORSIZE];
229 isc__strerror(errno, strbuf, sizeof(strbuf));
230 ssu_e_log(3, "ssu_external: unable to send request - %s",
236 /* Receive the reply */
237 ret = read(fd, &reply, sizeof(isc_uint32_t));
238 if (ret != (ssize_t) sizeof(isc_uint32_t)) {
239 char strbuf[ISC_STRERRORSIZE];
240 isc__strerror(errno, strbuf, sizeof(strbuf));
241 ssu_e_log(3, "ssu_external: unable to receive reply - %s",
249 reply = ntohl(reply);
252 ssu_e_log(3, "ssu_external: denied external auth for '%s'",
255 } else if (reply == 1) {
256 ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
261 ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);