2 * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
20 * $Id: ssu.c,v 1.34 2008/01/18 23:46:58 tbox Exp $
21 * Principal Author: Brian Wellington
26 #include <isc/magic.h>
28 #include <isc/netaddr.h>
29 #include <isc/result.h>
30 #include <isc/string.h>
33 #include <dns/fixedname.h>
37 #include <dst/gssapi.h>
39 #define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
40 #define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
42 #define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
43 #define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
47 isc_boolean_t grant; /*%< is this a grant or a deny? */
48 unsigned int matchtype; /*%< which type of pattern match? */
49 dns_name_t *identity; /*%< the identity to match */
50 dns_name_t *name; /*%< the name being updated */
51 unsigned int ntypes; /*%< number of data types covered */
52 dns_rdatatype_t *types; /*%< the data types. Can include ANY, */
53 /*%< defaults to all but SIG,SOA,NS if NULL */
54 ISC_LINK(dns_ssurule_t) link;
60 unsigned int references;
62 ISC_LIST(dns_ssurule_t) rules;
66 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
68 dns_ssutable_t *table;
70 REQUIRE(tablep != NULL && *tablep == NULL);
71 REQUIRE(mctx != NULL);
73 table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
75 return (ISC_R_NOMEMORY);
76 result = isc_mutex_init(&table->lock);
77 if (result != ISC_R_SUCCESS) {
78 isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
81 table->references = 1;
83 ISC_LIST_INIT(table->rules);
84 table->magic = SSUTABLEMAGIC;
86 return (ISC_R_SUCCESS);
90 destroy(dns_ssutable_t *table) {
93 REQUIRE(VALID_SSUTABLE(table));
96 while (!ISC_LIST_EMPTY(table->rules)) {
97 dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
98 if (rule->identity != NULL) {
99 dns_name_free(rule->identity, mctx);
100 isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
102 if (rule->name != NULL) {
103 dns_name_free(rule->name, mctx);
104 isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
106 if (rule->types != NULL)
107 isc_mem_put(mctx, rule->types,
108 rule->ntypes * sizeof(dns_rdatatype_t));
109 ISC_LIST_UNLINK(table->rules, rule, link);
111 isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
113 DESTROYLOCK(&table->lock);
115 isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
119 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
120 REQUIRE(VALID_SSUTABLE(source));
121 REQUIRE(targetp != NULL && *targetp == NULL);
125 INSIST(source->references > 0);
126 source->references++;
127 INSIST(source->references != 0);
129 UNLOCK(&source->lock);
135 dns_ssutable_detach(dns_ssutable_t **tablep) {
136 dns_ssutable_t *table;
137 isc_boolean_t done = ISC_FALSE;
139 REQUIRE(tablep != NULL);
141 REQUIRE(VALID_SSUTABLE(table));
145 INSIST(table->references > 0);
146 if (--table->references == 0)
148 UNLOCK(&table->lock);
157 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
158 dns_name_t *identity, unsigned int matchtype,
159 dns_name_t *name, unsigned int ntypes,
160 dns_rdatatype_t *types)
166 REQUIRE(VALID_SSUTABLE(table));
167 REQUIRE(dns_name_isabsolute(identity));
168 REQUIRE(dns_name_isabsolute(name));
169 REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
170 if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
171 REQUIRE(dns_name_iswildcard(name));
173 REQUIRE(types != NULL);
176 rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
178 return (ISC_R_NOMEMORY);
180 rule->identity = NULL;
186 rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
187 if (rule->identity == NULL) {
188 result = ISC_R_NOMEMORY;
191 dns_name_init(rule->identity, NULL);
192 result = dns_name_dup(identity, mctx, rule->identity);
193 if (result != ISC_R_SUCCESS)
196 rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
197 if (rule->name == NULL) {
198 result = ISC_R_NOMEMORY;
201 dns_name_init(rule->name, NULL);
202 result = dns_name_dup(name, mctx, rule->name);
203 if (result != ISC_R_SUCCESS)
206 rule->matchtype = matchtype;
208 rule->ntypes = ntypes;
210 rule->types = isc_mem_get(mctx,
211 ntypes * sizeof(dns_rdatatype_t));
212 if (rule->types == NULL) {
213 result = ISC_R_NOMEMORY;
216 memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
220 rule->magic = SSURULEMAGIC;
221 ISC_LIST_INITANDAPPEND(table->rules, rule, link);
223 return (ISC_R_SUCCESS);
226 if (rule->identity != NULL) {
227 if (dns_name_dynamic(rule->identity))
228 dns_name_free(rule->identity, mctx);
229 isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
231 if (rule->name != NULL) {
232 if (dns_name_dynamic(rule->name))
233 dns_name_free(rule->name, mctx);
234 isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
236 if (rule->types != NULL)
237 isc_mem_put(mctx, rule->types,
238 ntypes * sizeof(dns_rdatatype_t));
239 isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
244 static inline isc_boolean_t
245 isusertype(dns_rdatatype_t type) {
246 return (ISC_TF(type != dns_rdatatype_ns &&
247 type != dns_rdatatype_soa &&
248 type != dns_rdatatype_rrsig));
252 reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) {
253 char buf[16 * 4 + sizeof("IP6.ARPA.")];
259 switch (tcpaddr->family) {
261 l = ntohl(tcpaddr->type.in.s_addr);
262 result = isc_string_printf(buf, sizeof(buf),
263 "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
264 (l >> 0) & 0xff, (l >> 8) & 0xff,
265 (l >> 16) & 0xff, (l >> 24) & 0xff);
266 RUNTIME_CHECK(result == ISC_R_SUCCESS);
269 ap = tcpaddr->type.in6.s6_addr;
270 result = isc_string_printf(buf, sizeof(buf),
271 "%x.%x.%x.%x.%x.%x.%x.%x."
272 "%x.%x.%x.%x.%x.%x.%x.%x."
273 "%x.%x.%x.%x.%x.%x.%x.%x."
274 "%x.%x.%x.%x.%x.%x.%x.%x."
276 ap[15] & 0x0f, (ap[15] >> 4) & 0x0f,
277 ap[14] & 0x0f, (ap[14] >> 4) & 0x0f,
278 ap[13] & 0x0f, (ap[13] >> 4) & 0x0f,
279 ap[12] & 0x0f, (ap[12] >> 4) & 0x0f,
280 ap[11] & 0x0f, (ap[11] >> 4) & 0x0f,
281 ap[10] & 0x0f, (ap[10] >> 4) & 0x0f,
282 ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
283 ap[8] & 0x0f, (ap[8] >> 4) & 0x0f,
284 ap[7] & 0x0f, (ap[7] >> 4) & 0x0f,
285 ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
286 ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
287 ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
288 ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
289 ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
290 ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
291 ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
292 RUNTIME_CHECK(result == ISC_R_SUCCESS);
297 isc_buffer_init(&b, buf, strlen(buf));
298 isc_buffer_add(&b, strlen(buf));
299 result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
300 RUNTIME_CHECK(result == ISC_R_SUCCESS);
304 stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
305 char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
311 switch(tcpaddr->family) {
313 l = ntohl(tcpaddr->type.in.s_addr);
314 result = isc_string_printf(buf, sizeof(buf),
315 "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
317 l & 0xf, (l >> 4) & 0xf,
318 (l >> 8) & 0xf, (l >> 12) & 0xf,
319 (l >> 16) & 0xf, (l >> 20) & 0xf,
320 (l >> 24) & 0xf, (l >> 28) & 0xf);
321 RUNTIME_CHECK(result == ISC_R_SUCCESS);
324 ap = tcpaddr->type.in6.s6_addr;
325 result = isc_string_printf(buf, sizeof(buf),
326 "%x.%x.%x.%x.%x.%x.%x.%x."
327 "%x.%x.%x.%x.IP6.ARPA.",
328 ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
329 ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
330 ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
331 ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
332 ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
333 ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
334 RUNTIME_CHECK(result == ISC_R_SUCCESS);
339 isc_buffer_init(&b, buf, strlen(buf));
340 isc_buffer_add(&b, strlen(buf));
341 result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
342 RUNTIME_CHECK(result == ISC_R_SUCCESS);
346 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
347 dns_name_t *name, isc_netaddr_t *tcpaddr,
348 dns_rdatatype_t type)
352 dns_fixedname_t fixed;
353 dns_name_t *wildcard;
358 REQUIRE(VALID_SSUTABLE(table));
359 REQUIRE(signer == NULL || dns_name_isabsolute(signer));
360 REQUIRE(dns_name_isabsolute(name));
362 if (signer == NULL && tcpaddr == NULL)
365 for (rule = ISC_LIST_HEAD(table->rules);
367 rule = ISC_LIST_NEXT(rule, link))
369 switch (rule->matchtype) {
370 case DNS_SSUMATCHTYPE_NAME:
371 case DNS_SSUMATCHTYPE_SUBDOMAIN:
372 case DNS_SSUMATCHTYPE_WILDCARD:
373 case DNS_SSUMATCHTYPE_SELF:
374 case DNS_SSUMATCHTYPE_SELFSUB:
375 case DNS_SSUMATCHTYPE_SELFWILD:
378 if (dns_name_iswildcard(rule->identity)) {
379 if (!dns_name_matcheswildcard(signer,
383 if (!dns_name_equal(signer, rule->identity))
387 case DNS_SSUMATCHTYPE_SELFKRB5:
388 case DNS_SSUMATCHTYPE_SELFMS:
389 case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
390 case DNS_SSUMATCHTYPE_SUBDOMAINMS:
394 case DNS_SSUMATCHTYPE_TCPSELF:
395 case DNS_SSUMATCHTYPE_6TO4SELF:
401 switch (rule->matchtype) {
402 case DNS_SSUMATCHTYPE_NAME:
403 if (!dns_name_equal(name, rule->name))
406 case DNS_SSUMATCHTYPE_SUBDOMAIN:
407 if (!dns_name_issubdomain(name, rule->name))
410 case DNS_SSUMATCHTYPE_WILDCARD:
411 if (!dns_name_matcheswildcard(name, rule->name))
414 case DNS_SSUMATCHTYPE_SELF:
415 if (!dns_name_equal(signer, name))
418 case DNS_SSUMATCHTYPE_SELFSUB:
419 if (!dns_name_issubdomain(name, signer))
422 case DNS_SSUMATCHTYPE_SELFWILD:
423 dns_fixedname_init(&fixed);
424 wildcard = dns_fixedname_name(&fixed);
425 result = dns_name_concatenate(dns_wildcardname, signer,
427 if (result != ISC_R_SUCCESS)
429 if (!dns_name_matcheswildcard(name, wildcard))
432 case DNS_SSUMATCHTYPE_SELFKRB5:
433 if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
437 case DNS_SSUMATCHTYPE_SELFMS:
438 if (!dst_gssapi_identitymatchesrealmms(signer, name,
442 case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
443 if (!dns_name_issubdomain(name, rule->name))
445 if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
449 case DNS_SSUMATCHTYPE_SUBDOMAINMS:
450 if (!dns_name_issubdomain(name, rule->name))
452 if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
456 case DNS_SSUMATCHTYPE_TCPSELF:
457 dns_fixedname_init(&fixed);
458 tcpself = dns_fixedname_name(&fixed);
459 reverse_from_address(tcpself, tcpaddr);
460 if (dns_name_iswildcard(rule->identity)) {
461 if (!dns_name_matcheswildcard(tcpself,
465 if (!dns_name_equal(tcpself, rule->identity))
468 if (!dns_name_equal(tcpself, name))
471 case DNS_SSUMATCHTYPE_6TO4SELF:
472 dns_fixedname_init(&fixed);
473 stfself = dns_fixedname_name(&fixed);
474 stf_from_address(stfself, tcpaddr);
475 if (dns_name_iswildcard(rule->identity)) {
476 if (!dns_name_matcheswildcard(stfself,
480 if (!dns_name_equal(stfself, rule->identity))
483 if (!dns_name_equal(stfself, name))
488 if (rule->ntypes == 0) {
489 if (!isusertype(type))
492 for (i = 0; i < rule->ntypes; i++) {
493 if (rule->types[i] == dns_rdatatype_any ||
494 rule->types[i] == type)
497 if (i == rule->ntypes)
500 return (rule->grant);
507 dns_ssurule_isgrant(const dns_ssurule_t *rule) {
508 REQUIRE(VALID_SSURULE(rule));
509 return (rule->grant);
513 dns_ssurule_identity(const dns_ssurule_t *rule) {
514 REQUIRE(VALID_SSURULE(rule));
515 return (rule->identity);
519 dns_ssurule_matchtype(const dns_ssurule_t *rule) {
520 REQUIRE(VALID_SSURULE(rule));
521 return (rule->matchtype);
525 dns_ssurule_name(const dns_ssurule_t *rule) {
526 REQUIRE(VALID_SSURULE(rule));
531 dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
532 REQUIRE(VALID_SSURULE(rule));
533 REQUIRE(types != NULL && *types != NULL);
534 *types = rule->types;
535 return (rule->ntypes);
539 dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
540 REQUIRE(VALID_SSUTABLE(table));
541 REQUIRE(rule != NULL && *rule == NULL);
542 *rule = ISC_LIST_HEAD(table->rules);
543 return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
547 dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
548 REQUIRE(VALID_SSURULE(rule));
549 REQUIRE(nextrule != NULL && *nextrule == NULL);
550 *nextrule = ISC_LIST_NEXT(rule, link);
551 return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);