lib/dns/ssu_external.c

	ssu_external.c revision a727690e8b321992375623fb89b7a37d375e6030
/*
 * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
 * Written by Andrew Tridgell
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * This implements external update-policy rules.  This allows permission
 * to update a zone to be checked by consulting an external daemon (e.g.,
 * kerberos).
 */

#include <config.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef ISC_PLATFORM_HAVESYSUNH
#include <sys/un.h>
#endif

#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isc/strerror.h>

#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/ssu.h>
#include <dns/log.h>
#include <dns/rdatatype.h>

#include <dst/dst.h>


static void
ssu_e_log(int level, const char *fmt, ...) {
    va_list ap;

    va_start(ap, fmt);
    isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY,
               DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(level), fmt, ap);
    va_end(ap);
}


/*
 * Connect to a UNIX domain socket.
 */
static int
ux_socket_connect(const char *path) {
    int fd = -1;
#ifdef ISC_PLATFORM_HAVESYSUNH
        struct sockaddr_un addr;

    REQUIRE(path != NULL);

    if (strlen(path) > sizeof(addr.sun_path)) {
        ssu_e_log(3, "ssu_external: socket path '%s' "
                 "longer than system maximum %u",
              path, sizeof(addr.sun_path));
        return (-1);
    }

        memset(&addr, 0, sizeof(addr));
        addr.sun_family = AF_UNIX;
        strncpy(addr.sun_path, path, sizeof(addr.sun_path));

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1) {
        char strbuf[ISC_STRERRORSIZE];
        isc__strerror(errno, strbuf, sizeof(strbuf));
        ssu_e_log(3, "ssu_external: unable to create socket - %s",
              strbuf);
        return (-1);
    }

    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        char strbuf[ISC_STRERRORSIZE];
        isc__strerror(errno, strbuf, sizeof(strbuf));
        ssu_e_log(3, "ssu_external: unable to connect to "
                     "socket '%s' - %s",
              path, strbuf);
        close(fd);
        return (-1);
    }
#endif
    return (fd);
}

/* Change this version if you update the format of the request */
#define SSU_EXTERNAL_VERSION 1

/*
 * Perform an update-policy rule check against an external application
 * over a socket.
 *
 * This currently only supports local: for unix domain datagram sockets.
 *
 * Note that by using a datagram socket and creating a new socket each
 * time we avoid the need for locking and allow for parallel access to
 * the authorization server.
 */
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity,
               dns_name_t *signer, dns_name_t *name,
               isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
               const dst_key_t *key, isc_mem_t *mctx)
{
    char b_identity[DNS_NAME_FORMATSIZE];
    char b_signer[DNS_NAME_FORMATSIZE];
    char b_name[DNS_NAME_FORMATSIZE];
    char b_addr[ISC_NETADDR_FORMATSIZE];
    char b_type[DNS_RDATATYPE_FORMATSIZE];
    char b_key[DST_KEY_FORMATSIZE];
    isc_buffer_t *tkey_token;
    int fd;
    const char *sock_path;
    size_t req_len;
    isc_region_t token_region;
    uint8_t *data;
    isc_buffer_t buf;
    uint32_t token_len = 0;
    uint32_t reply;
    ssize_t ret;

    /* The identity contains local:/path/to/socket */
    dns_name_format(identity, b_identity, sizeof(b_identity));

    /* For now only local: is supported */
    if (strncmp(b_identity, "local:", 6) != 0) {
        ssu_e_log(3, "ssu_external: invalid socket path '%s'", buf);
        return (ISC_FALSE);
    }
    sock_path = &b_identity[6];

    fd = ux_socket_connect(sock_path);
    if (fd == -1)
        return (ISC_FALSE);

    tkey_token = dst_key_tkeytoken(key);

    /* Format the request elements */
    if (signer)
        dns_name_format(signer, b_signer, sizeof(b_signer));
    else
        b_signer[0] = 0;

    dns_name_format(name, b_name, sizeof(b_name));

    if (tcpaddr)
        isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
    else
        b_addr[0] = 0;

    dns_rdatatype_format(type, b_type, sizeof(b_type));

    if (key)
        dst_key_format(key, b_key, sizeof(b_key));
    else
        b_key[0] = 0;

    if (tkey_token) {
        isc_buffer_region(tkey_token, &token_region);
        token_len = token_region.length;
    }

    /* Work out how big the request will be */
    req_len = sizeof(uint32_t)     + /* Format version */
          sizeof(uint32_t)     + /* Length */
          strlen(b_signer) + 1 + /* Signer */
          strlen(b_name) + 1   + /* Name */
          strlen(b_addr) + 1   + /* Address */
          strlen(b_type) + 1   + /* Type */
          strlen(b_key) + 1    + /* Key */
          sizeof(uint32_t)     + /* tkey_token length */
          token_len;             /* tkey_token */


    /* format the buffer */
    data = isc_mem_allocate(mctx, req_len);
    if (data == NULL) {
        close(fd);
        return (ISC_FALSE);
    }

    isc_buffer_init(&buf, data, req_len);
    isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
    isc_buffer_putuint32(&buf, req_len);

    /* Strings must be null-terminated */
    isc_buffer_putstr(&buf, b_signer);
    isc_buffer_putuint8(&buf, 0);
    isc_buffer_putstr(&buf, b_name);
    isc_buffer_putuint8(&buf, 0);
    isc_buffer_putstr(&buf, b_addr);
    isc_buffer_putuint8(&buf, 0);
    isc_buffer_putstr(&buf, b_type);
    isc_buffer_putuint8(&buf, 0);
    isc_buffer_putstr(&buf, b_key);
    isc_buffer_putuint8(&buf, 0);

    isc_buffer_putuint32(&buf, token_len);
    if (tkey_token && token_len != 0)
        isc_buffer_putmem(&buf, token_region.base, token_len);

    ENSURE(isc_buffer_availablelength(&buf) == 0);

    /* Send the request */
    ret = write(fd, data, req_len);
    isc_mem_free(mctx, data);
    if (ret != (ssize_t) req_len) {
        char strbuf[ISC_STRERRORSIZE];
        isc__strerror(errno, strbuf, sizeof(strbuf));
        ssu_e_log(3, "ssu_external: unable to send request - %s",
              strbuf);
        close(fd);
        return (ISC_FALSE);
    }

    /* Receive the reply */
    ret = read(fd, &reply, sizeof(uint32_t));
    if (ret != (ssize_t) sizeof(uint32_t)) {
        char strbuf[ISC_STRERRORSIZE];
        isc__strerror(errno, strbuf, sizeof(strbuf));
        ssu_e_log(3, "ssu_external: unable to receive reply - %s",
              strbuf);
        close(fd);
        return (ISC_FALSE);
    }

    close(fd);

    reply = ntohl(reply);

    if (reply == 0) {
        ssu_e_log(3, "ssu_external: denied external auth for '%s'",
              b_name);
        return (ISC_FALSE);
    } else if (reply == 1) {
        ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
              b_name);
        return (ISC_TRUE);
    }

    ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);

    return (ISC_FALSE);
}