aml.c revision 1ce5dcf1c826e0f2aa1e5a6236940b1b76f61449
/*
* Copyright (C) 1999 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
#include <config.h>
#include <isc/assertions.h>
#include <dns/fixedname.h>
{
int match;
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be allowd
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
if (result == DNS_R_SUCCESS) {
"request has valid signature");
} else if (result == DNS_R_NOTFOUND) {
"request is not signed");
} else {
/* There is a signature, but it is bad. */
"request has invalid signature: %s",
}
else if (fallback_aml != NULL)
aml = fallback_aml;
else if (default_allow)
goto allow;
else
goto deny;
if (result != DNS_R_SUCCESS)
goto deny; /* Internal error, already logged. */
if (match > 0)
goto allow;
goto deny; /* Negative match or no match. */
"%s approved", opname);
return (DNS_R_SUCCESS);
deny:
"%s denied", opname);
return (DNS_R_REFUSED);
}
static isc_result_t
{
unsigned int keylen;
if (result != ISC_R_SUCCESS) {
"key name \"%s\" is not a valid domain name",
keyname);
return (result);
}
return (ISC_R_SUCCESS);
}
int *match,
{
int distance;
int indirectmatch;
e != NULL;
{
switch (e->type) {
case dns_c_ipmatch_pattern:
/* XXX "mask" is a misnomer, should be
"prefix length" */
goto matched;
break;
case dns_c_ipmatch_key:
&match);
if (result != ISC_R_SUCCESS)
return (result);
goto matched;
}
break;
case dns_c_ipmatch_indirect:
goto indirect;
#ifdef notyet
case dns_c_ipmatch_localhost:
goto indirect;
case dns_c_ipmatch_localnets:
goto indirect;
#else
case dns_c_ipmatch_localhost:
case dns_c_ipmatch_localnets:
"the \"localhost\" and \"localnets\""
"ACLs are not yet supported");
return (ISC_R_NOTIMPLEMENTED);
#endif
case dns_c_ipmatch_acl:
e->u.aclname,
&acl);
if (result == ISC_R_SUCCESS) {
goto indirect;
}
"undefined ACL \"%s\"", e->u.aclname);
return (result);
default:
"address match list contains "
"unsupported element type");
break;
if (result != DNS_R_SUCCESS)
return (result);
/*
* Treat negative matches in indirect AMLs as
* "no match".
* That way, a negated indirect AML will never become
* a surprise positive match through double negation.
*/
if (indirectmatch > 0)
goto matched;
/* A negative indirect match may have set *matchelt. */
break;
*match = dns_c_ipmatchelement_isneg(e) ?
*matchelt = e;
return (ISC_R_SUCCESS);
}
}
/* No match. */
*match = 0;
return (ISC_R_SUCCESS);
}