fccc836ebfeb8e278b528b59304f451c369baf37Tinderbox User * Copyright (C) 2000, 2001, 2003-2008, 2010, 2011, 2013, 2014, 2016-2018 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * file, You can obtain one at http://mozilla.org/MPL/2.0/.
db69d5d53cbffd6cc7419807e767792eef3bc593Automatic Updater * $Id: ssu.c,v 1.38 2011/01/06 23:47:00 tbox Exp $
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington * Principal Author: Brian Wellington
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein isc_boolean_t grant; /*%< is this a grant or a deny? */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein unsigned int matchtype; /*%< which type of pattern match? */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein dns_name_t *identity; /*%< the identity to match */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein dns_name_t *name; /*%< the name being updated */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein unsigned int ntypes; /*%< number of data types covered */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein dns_rdatatype_t *types; /*%< the data types. Can include ANY, */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein /*%< defaults to all but SIG,SOA,NS if NULL */
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellingtondns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellington REQUIRE(tablep != NULL && *tablep == NULL);
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellington table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellington isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellingtonstatic inline void
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellington dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
3a0da183bb40bd120698102b20b61ef12665c09bMark Andrews isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellingtondns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellington REQUIRE(targetp != NULL && *targetp == NULL);
6fcfd0c35d3fd6aea3d36ad002b68e59ac62fdc7Brian Wellingtondns_ssutable_detach(dns_ssutable_t **tablep) {
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellingtondns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington dns_name_t *identity, unsigned int matchtype,
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington result = dns_name_dup(identity, mctx, rule->identity);
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington result = dns_name_dup(name, mctx, rule->name);
e851ea826066ac5a5b01c2c23218faa0273a12e8Evan Hunt memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
6fda1577669dca9e0d8e4832e407bac34cc12de6Mark Andrews ISC_LIST_INITANDAPPEND(table->rules, rule, link);
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
92f60809e854ccf5f115883c6347e370da048848Mark Andrewsreverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) {
92f60809e854ccf5f115883c6347e370da048848Mark Andrews unsigned long l;
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.%x.%x.%x.%x."
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.%x.%x.%x.%x."
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.%x.%x.%x.%x."
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.%x.%x.%x.%x."
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "IP6.ARPA.",
92f60809e854ccf5f115883c6347e370da048848Mark Andrews result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
92f60809e854ccf5f115883c6347e370da048848Mark Andrewsstf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
92f60809e854ccf5f115883c6347e370da048848Mark Andrews char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
92f60809e854ccf5f115883c6347e370da048848Mark Andrews unsigned long l;
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "2.0.0.2.IP6.ARPA.",
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.%x.%x.%x.%x."
92f60809e854ccf5f115883c6347e370da048848Mark Andrews "%x.%x.%x.%x.IP6.ARPA.",
92f60809e854ccf5f115883c6347e370da048848Mark Andrews result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellingtondns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
f592d2f76cac7115038124c510d2ba3050334b4dEvan Huntdns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington unsigned int i;
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington REQUIRE(signer == NULL || dns_name_isabsolute(signer));
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington if (!dns_name_issubdomain(name, rule->name))
7c442d7fe06bc95432af7513764e5cc85e133648Evan Hunt "update-policy local: "
7c442d7fe06bc95432af7513764e5cc85e133648Evan Hunt "match on session "
7c442d7fe06bc95432af7513764e5cc85e133648Evan Hunt "key not from "
7c442d7fe06bc95432af7513764e5cc85e133648Evan Hunt "localhost");
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington if (!dns_name_matcheswildcard(name, rule->name))
6e373c502584f9292e964378411d296c8259026bMark Andrews result = dns_name_concatenate(dns_wildcardname, signer,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews if (!dst_gssapi_identitymatchesrealmms(signer, name,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
3916872f379457fe344afb02398a009701c5016aEvan Hunt if (!dns_ssu_external_match(rule->identity, signer,
71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt * If this is a DLZ rule, then the DLZ ssu
71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt * checks will have already checked
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssurule_isgrant(const dns_ssurule_t *rule) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssurule_identity(const dns_ssurule_t *rule) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssurule_matchtype(const dns_ssurule_t *rule) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssurule_name(const dns_ssurule_t *rule) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellingtondns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
dc1961d96f9d116f77e0ac5e4a0b2bb5bb40328eJames Brister REQUIRE(nextrule != NULL && *nextrule == NULL);
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt * Create a specialised SSU table that points at an external DLZ database
71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Huntdns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrewsdns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews } else if (strcasecmp(str, "subdomain") == 0) {
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews } else if (strcasecmp(str, "krb5-self") == 0) {
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews } else if (strcasecmp(str, "ms-subdomain") == 0) {
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews } else if (strcasecmp(str, "krb5-subdomain") == 0) {
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews } else if (strcasecmp(str, "6to4-self") == 0) {