acl.c revision 18d0b5e54be891a1aa938c165b6d439859121ec8
69fe9aaafdd6a141610e86a777d325db75422070Mark Andrews * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * Copyright (C) 1999-2002 Internet Software Consortium.
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson * Permission to use, copy, modify, and distribute this software for any
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson * purpose with or without fee is hereby granted, provided that the above
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson * copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * PERFORMANCE OF THIS SOFTWARE.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews/* $Id: acl.c,v 1.28 2005/07/12 01:00:14 marka Exp $ */
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence * Work around silly limitation of isc_mem_get().
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence * Must set magic early because we use dns_acl_detach() to clean up.
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafsson acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafsson memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
a1747570262ed336c213aaf6bd31bc91993a46deAndreas Gustafsson * Resize the ACL.
a1747570262ed336c213aaf6bd31bc91993a46deAndreas Gustafsson * Append the new element.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafsson acl->elements[0].type = dns_aclelementtype_any;
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafssondns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafsson return (dns_acl_anyornone(mctx, ISC_FALSE, target));
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafssondns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
7693d4de8fca501dfe6989a7f30d8d3c86fe096aAndreas Gustafsson return (dns_acl_anyornone(mctx, ISC_TRUE, target));
8bb77cd31b7518fb5d2a6a9d75e16e4abd59df61Andreas Gustafsson unsigned int i;
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson REQUIRE(matchelt == NULL || *matchelt == NULL);
8bb77cd31b7518fb5d2a6a9d75e16e4abd59df61Andreas Gustafsson *match = e->negative ? -((int)i+1) : ((int)i+1);
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson /* No match. */
aa39170da817cae7b4c6c735cc832e05ec3d2351Mark Andrews unsigned int i;
aa39170da817cae7b4c6c735cc832e05ec3d2351Mark Andrews REQUIRE(matchelt == NULL || *matchelt == NULL);
aa39170da817cae7b4c6c735cc832e05ec3d2351Mark Andrews if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafssondns_aclelement_match(isc_netaddr_t *reqaddr,
6eccf5bd07eb9abf65cc08fec4a8fc97b62c0e1bBrian Wellington isc_netaddr_fromv4mapped(&v4addr, reqaddr);
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson dns_name_equal(reqsigner, &e->u.keyname))
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson result = dns_acl_match(reqaddr, reqsigner,
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * Treat negative matches in indirect ACLs as
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * That way, a negated indirect ACL will never become
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * a surprise positive match through double negation.
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * XXXDCL this should be documented.
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * A negative indirect match may have set *matchelt,
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson * but we don't want it set when we return.
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson if (env != NULL && env->localhost != NULL) {
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson if (env != NULL && env->localnets != NULL) {
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
aa23a35d81a9618a40c4a9b44be48009553e4777Andreas Gustafsson isc_refcount_increment(&source->refcount, NULL);
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson unsigned int i;
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson dns_aclelement_t *de = &dacl->elements[i];
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson dns_name_free(&de->u.keyname, dacl->mctx);
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson isc_mem_put(dacl->mctx, dacl, sizeof(*dacl));
aa23a35d81a9618a40c4a9b44be48009553e4777Andreas Gustafsson isc_refcount_decrement(&acl->refcount, &refs);
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
aa39170da817cae7b4c6c735cc832e05ec3d2351Mark Andrews return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson return (dns_acl_equal(ea->u.nestedacl, eb->u.nestedacl));
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafssondns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson unsigned int i;
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson for (i = 0; i < a->length; i++) {
6017f424ee3c02d7f22132c77576ea38542fa949Andreas Gustafsson if (! dns_aclelement_equal(&a->elements[i],
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson unsigned int i;
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson for (i = 0; i < a->length; i++) {
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson /* A negated match can never be insecure. */
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson /* The loopback address is considered secure. */
9c566a852f31c3a5d0b9d6eaf11463114339c01dAndreas Gustafsson /* No insecure elements were found. */
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
a1747570262ed336c213aaf6bd31bc91993a46deAndreas Gustafsson result = dns_acl_create(mctx, 0, &env->localhost);
a1747570262ed336c213aaf6bd31bc91993a46deAndreas Gustafsson result = dns_acl_create(mctx, 0, &env->localnets);
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencedns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
a1747570262ed336c213aaf6bd31bc91993a46deAndreas Gustafsson dns_acl_attach(s->localhost, &t->localhost);