contrib/bind9/lib/dns/ssu.c

   1 /*
   2  * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
   3  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15  * PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 /*! \file */
  19 /*
  20  * $Id: ssu.c,v 1.24.18.4 2006/02/16 23:51:32 marka Exp $
  21  * Principal Author: Brian Wellington
  22  */
  23
  24 #include <config.h>
  25
  26 #include <isc/magic.h>
  27 #include <isc/mem.h>
  28 #include <isc/result.h>
  29 #include <isc/string.h>         /* Required for HP/UX (and others?) */
  30 #include <isc/util.h>
  31
  32 #include <dns/fixedname.h>
  33 #include <dns/name.h>
  34 #include <dns/ssu.h>
  35
  36 #define SSUTABLEMAGIC           ISC_MAGIC('S', 'S', 'U', 'T')
  37 #define VALID_SSUTABLE(table)   ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
  38
  39 #define SSURULEMAGIC            ISC_MAGIC('S', 'S', 'U', 'R')
  40 #define VALID_SSURULE(table)    ISC_MAGIC_VALID(table, SSURULEMAGIC)
  41
  42 struct dns_ssurule {
  43         unsigned int magic;
  44         isc_boolean_t grant;    /*%< is this a grant or a deny? */
  45         unsigned int matchtype; /*%< which type of pattern match? */
  46         dns_name_t *identity;   /*%< the identity to match */
  47         dns_name_t *name;       /*%< the name being updated */
  48         unsigned int ntypes;    /*%< number of data types covered */
  49         dns_rdatatype_t *types; /*%< the data types.  Can include ANY, */
  50                                 /*%< defaults to all but SIG,SOA,NS if NULL */
  51         ISC_LINK(dns_ssurule_t) link;
  52 };
  53
  54 struct dns_ssutable {
  55         unsigned int magic;
  56         isc_mem_t *mctx;
  57         unsigned int references;
  58         isc_mutex_t lock;
  59         ISC_LIST(dns_ssurule_t) rules;
  60 };
  61
  62 isc_result_t
  63 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
  64         isc_result_t result;
  65         dns_ssutable_t *table;
  66
  67         REQUIRE(tablep != NULL && *tablep == NULL);
  68         REQUIRE(mctx != NULL);
  69
  70         table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
  71         if (table == NULL)
  72                 return (ISC_R_NOMEMORY);
  73         result = isc_mutex_init(&table->lock);
  74         if (result != ISC_R_SUCCESS) {
  75                 isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
  76                 return (result);
  77         }
  78         table->references = 1;
  79         table->mctx = mctx;
  80         ISC_LIST_INIT(table->rules);
  81         table->magic = SSUTABLEMAGIC;
  82         *tablep = table;
  83         return (ISC_R_SUCCESS);
  84 }
  85
  86 static inline void
  87 destroy(dns_ssutable_t *table) {
  88         isc_mem_t *mctx;
  89
  90         REQUIRE(VALID_SSUTABLE(table));
  91
  92         mctx = table->mctx;
  93         while (!ISC_LIST_EMPTY(table->rules)) {
  94                 dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
  95                 if (rule->identity != NULL) {
  96                         dns_name_free(rule->identity, mctx);
  97                         isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
  98                 }
  99                 if (rule->name != NULL) {
 100                         dns_name_free(rule->name, mctx);
 101                         isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
 102                 }
 103                 if (rule->types != NULL)
 104                         isc_mem_put(mctx, rule->types,
 105                                     rule->ntypes * sizeof(dns_rdatatype_t));
 106                 ISC_LIST_UNLINK(table->rules, rule, link);
 107                 rule->magic = 0;
 108                 isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
 109         }
 110         DESTROYLOCK(&table->lock);
 111         table->magic = 0;
 112         isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
 113 }
 114
 115 void
 116 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
 117         REQUIRE(VALID_SSUTABLE(source));
 118         REQUIRE(targetp != NULL && *targetp == NULL);
 119
 120         LOCK(&source->lock);
 121
 122         INSIST(source->references > 0);
 123         source->references++;
 124         INSIST(source->references != 0);
 125
 126         UNLOCK(&source->lock);
 127
 128         *targetp = source;
 129 }
 130
 131 void
 132 dns_ssutable_detach(dns_ssutable_t **tablep) {
 133         dns_ssutable_t *table;
 134         isc_boolean_t done = ISC_FALSE;
 135
 136         REQUIRE(tablep != NULL);
 137         table = *tablep;
 138         REQUIRE(VALID_SSUTABLE(table));
 139
 140         LOCK(&table->lock);
 141
 142         INSIST(table->references > 0);
 143         if (--table->references == 0)
 144                 done = ISC_TRUE;
 145         UNLOCK(&table->lock);
 146
 147         *tablep = NULL;
 148
 149         if (done)
 150                 destroy(table);
 151 }
 152
 153 isc_result_t
 154 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 155                      dns_name_t *identity, unsigned int matchtype,
 156                      dns_name_t *name, unsigned int ntypes,
 157                      dns_rdatatype_t *types)
 158 {
 159         dns_ssurule_t *rule;
 160         isc_mem_t *mctx;
 161         isc_result_t result;
 162
 163         REQUIRE(VALID_SSUTABLE(table));
 164         REQUIRE(dns_name_isabsolute(identity));
 165         REQUIRE(dns_name_isabsolute(name));
 166         REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
 167         if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
 168                 REQUIRE(dns_name_iswildcard(name));
 169         if (ntypes > 0)
 170                 REQUIRE(types != NULL);
 171
 172         mctx = table->mctx;
 173         rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
 174         if (rule == NULL)
 175                 return (ISC_R_NOMEMORY);
 176
 177         rule->identity = NULL;
 178         rule->name = NULL;
 179         rule->types = NULL;
 180
 181         rule->grant = grant;
 182
 183         rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
 184         if (rule->identity == NULL) {
 185                 result = ISC_R_NOMEMORY;
 186                 goto failure;
 187         }
 188         dns_name_init(rule->identity, NULL);
 189         result = dns_name_dup(identity, mctx, rule->identity);
 190         if (result != ISC_R_SUCCESS)
 191                 goto failure;
 192
 193         rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
 194         if (rule->name == NULL) {
 195                 result = ISC_R_NOMEMORY;
 196                 goto failure;
 197         }
 198         dns_name_init(rule->name, NULL);
 199         result = dns_name_dup(name, mctx, rule->name);
 200         if (result != ISC_R_SUCCESS)
 201                 goto failure;
 202
 203         rule->matchtype = matchtype;
 204
 205         rule->ntypes = ntypes;
 206         if (ntypes > 0) {
 207                 rule->types = isc_mem_get(mctx,
 208                                           ntypes * sizeof(dns_rdatatype_t));
 209                 if (rule->types == NULL) {
 210                         result = ISC_R_NOMEMORY;
 211                         goto failure;
 212                 }
 213                 memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
 214         } else
 215                 rule->types = NULL;
 216
 217         rule->magic = SSURULEMAGIC;
 218         ISC_LIST_INITANDAPPEND(table->rules, rule, link);
 219
 220         return (ISC_R_SUCCESS);
 221
 222  failure:
 223         if (rule->identity != NULL) {
 224                 if (dns_name_dynamic(rule->identity))
 225                         dns_name_free(rule->identity, mctx);
 226                 isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
 227         }
 228         if (rule->name != NULL) {
 229                 if (dns_name_dynamic(rule->name))
 230                         dns_name_free(rule->name, mctx);
 231                 isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
 232         }
 233         if (rule->types != NULL)
 234                 isc_mem_put(mctx, rule->types,
 235                             ntypes * sizeof(dns_rdatatype_t));
 236         isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
 237
 238         return (result);
 239 }
 240
 241 static inline isc_boolean_t
 242 isusertype(dns_rdatatype_t type) {
 243         return (ISC_TF(type != dns_rdatatype_ns &&
 244                        type != dns_rdatatype_soa &&
 245                        type != dns_rdatatype_rrsig));
 246 }
 247
 248 isc_boolean_t
 249 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 250                         dns_name_t *name, dns_rdatatype_t type)
 251 {
 252         dns_ssurule_t *rule;
 253         unsigned int i;
 254         dns_fixedname_t fixed;
 255         dns_name_t *wildcard;
 256         isc_result_t result;
 257
 258         REQUIRE(VALID_SSUTABLE(table));
 259         REQUIRE(signer == NULL || dns_name_isabsolute(signer));
 260         REQUIRE(dns_name_isabsolute(name));
 261
 262         if (signer == NULL)
 263                 return (ISC_FALSE);
 264         rule = ISC_LIST_HEAD(table->rules);
 265                 rule = ISC_LIST_NEXT(rule, link);
 266         for (rule = ISC_LIST_HEAD(table->rules);
 267              rule != NULL;
 268              rule = ISC_LIST_NEXT(rule, link))
 269         {
 270                 if (dns_name_iswildcard(rule->identity)) {
 271                         if (!dns_name_matcheswildcard(signer, rule->identity))
 272                                 continue;
 273                 } else if (!dns_name_equal(signer, rule->identity))
 274                                 continue;
 275
 276                 if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
 277                         if (!dns_name_equal(name, rule->name))
 278                                 continue;
 279                 } else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
 280                         if (!dns_name_issubdomain(name, rule->name))
 281                                 continue;
 282                 } else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
 283                         if (!dns_name_matcheswildcard(name, rule->name))
 284                                 continue;
 285                 } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
 286                         if (!dns_name_equal(signer, name))
 287                                 continue;
 288                 } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFSUB) {
 289                         if (!dns_name_issubdomain(name, signer))
 290                                 continue;
 291                 } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFWILD) {
 292                         dns_fixedname_init(&fixed);
 293                         wildcard = dns_fixedname_name(&fixed);
 294                         result = dns_name_concatenate(dns_wildcardname, signer,
 295                                                       wildcard, NULL);
 296                         if (result != ISC_R_SUCCESS)
 297                                 continue;
 298                         if (!dns_name_matcheswildcard(name, wildcard))
 299                                 continue;
 300                 }
 301
 302                 if (rule->ntypes == 0) {
 303                         if (!isusertype(type))
 304                                 continue;
 305                 } else {
 306                         for (i = 0; i < rule->ntypes; i++) {
 307                                 if (rule->types[i] == dns_rdatatype_any ||
 308                                     rule->types[i] == type)
 309                                         break;
 310                         }
 311                         if (i == rule->ntypes)
 312                                 continue;
 313                 }
 314                 return (rule->grant);
 315         }
 316
 317         return (ISC_FALSE);
 318 }
 319
 320 isc_boolean_t
 321 dns_ssurule_isgrant(const dns_ssurule_t *rule) {
 322         REQUIRE(VALID_SSURULE(rule));
 323         return (rule->grant);
 324 }
 325
 326 dns_name_t *
 327 dns_ssurule_identity(const dns_ssurule_t *rule) {
 328         REQUIRE(VALID_SSURULE(rule));
 329         return (rule->identity);
 330 }
 331
 332 unsigned int
 333 dns_ssurule_matchtype(const dns_ssurule_t *rule) {
 334         REQUIRE(VALID_SSURULE(rule));
 335         return (rule->matchtype);
 336 }
 337
 338 dns_name_t *
 339 dns_ssurule_name(const dns_ssurule_t *rule) {
 340         REQUIRE(VALID_SSURULE(rule));
 341         return (rule->name);
 342 }
 343
 344 unsigned int
 345 dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
 346         REQUIRE(VALID_SSURULE(rule));
 347         REQUIRE(types != NULL && *types != NULL);
 348         *types = rule->types;
 349         return (rule->ntypes);
 350 }
 351
 352 isc_result_t
 353 dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
 354         REQUIRE(VALID_SSUTABLE(table));
 355         REQUIRE(rule != NULL && *rule == NULL);
 356         *rule = ISC_LIST_HEAD(table->rules);
 357         return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
 358 }
 359
 360 isc_result_t
 361 dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
 362         REQUIRE(VALID_SSURULE(rule));
 363         REQUIRE(nextrule != NULL && *nextrule == NULL);
 364         *nextrule = ISC_LIST_NEXT(rule, link);
 365         return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
 366 }