search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vendor/BIND: Update to 9.5.2-P3
[dragonfly.git] / contrib / bind / lib / dns / ssu.c
blob517945943c9881804fe88598e1d277e9d1b775cb
1 /*
2 * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /*! \file */
19 /*
20 * $Id: ssu.c,v 1.31 2007/06/19 23:47:16 tbox Exp $
21 * Principal Author: Brian Wellington
22 */
23
24 #include <config.h>
25
26 #include <isc/magic.h>
27 #include <isc/mem.h>
28 #include <isc/result.h>
29 #include <isc/string.h> /* Required for HP/UX (and others?) */
30 #include <isc/util.h>
31
32 #include <dns/fixedname.h>
33 #include <dns/name.h>
34 #include <dns/ssu.h>
35
36 #include <dst/gssapi.h>
37
38 #define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
39 #define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
40
41 #define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
42 #define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
43
44 struct dns_ssurule {
45 unsigned int magic;
46 isc_boolean_t grant; /*%< is this a grant or a deny? */
47 unsigned int matchtype; /*%< which type of pattern match? */
48 dns_name_t *identity; /*%< the identity to match */
49 dns_name_t *name; /*%< the name being updated */
50 unsigned int ntypes; /*%< number of data types covered */
51 dns_rdatatype_t *types; /*%< the data types. Can include ANY, */
52 /*%< defaults to all but SIG,SOA,NS if NULL */
53 ISC_LINK(dns_ssurule_t) link;
54 };
55
56 struct dns_ssutable {
57 unsigned int magic;
58 isc_mem_t *mctx;
59 unsigned int references;
60 isc_mutex_t lock;
61 ISC_LIST(dns_ssurule_t) rules;
62 };
63
64 isc_result_t
65 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
66 isc_result_t result;
67 dns_ssutable_t *table;
68
69 REQUIRE(tablep != NULL && *tablep == NULL);
70 REQUIRE(mctx != NULL);
71
72 table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
73 if (table == NULL)
74 return (ISC_R_NOMEMORY);
75 result = isc_mutex_init(&table->lock);
76 if (result != ISC_R_SUCCESS) {
77 isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
78 return (result);
79 }
80 table->references = 1;
81 table->mctx = mctx;
82 ISC_LIST_INIT(table->rules);
83 table->magic = SSUTABLEMAGIC;
84 *tablep = table;
85 return (ISC_R_SUCCESS);
86 }
87
88 static inline void
89 destroy(dns_ssutable_t *table) {
90 isc_mem_t *mctx;
91
92 REQUIRE(VALID_SSUTABLE(table));
93
94 mctx = table->mctx;
95 while (!ISC_LIST_EMPTY(table->rules)) {
96 dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
97 if (rule->identity != NULL) {
98 dns_name_free(rule->identity, mctx);
99 isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
100 }
101 if (rule->name != NULL) {
102 dns_name_free(rule->name, mctx);
103 isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
104 }
105 if (rule->types != NULL)
106 isc_mem_put(mctx, rule->types,
107 rule->ntypes * sizeof(dns_rdatatype_t));
108 ISC_LIST_UNLINK(table->rules, rule, link);
109 rule->magic = 0;
110 isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
111 }
112 DESTROYLOCK(&table->lock);
113 table->magic = 0;
114 isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
115 }
116
117 void
118 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
119 REQUIRE(VALID_SSUTABLE(source));
120 REQUIRE(targetp != NULL && *targetp == NULL);
121
122 LOCK(&source->lock);
123
124 INSIST(source->references > 0);
125 source->references++;
126 INSIST(source->references != 0);
127
128 UNLOCK(&source->lock);
129
130 *targetp = source;
131 }
132
133 void
134 dns_ssutable_detach(dns_ssutable_t **tablep) {
135 dns_ssutable_t *table;
136 isc_boolean_t done = ISC_FALSE;
137
138 REQUIRE(tablep != NULL);
139 table = *tablep;
140 REQUIRE(VALID_SSUTABLE(table));
141
142 LOCK(&table->lock);
143
144 INSIST(table->references > 0);
145 if (--table->references == 0)
146 done = ISC_TRUE;
147 UNLOCK(&table->lock);
148
149 *tablep = NULL;
150
151 if (done)
152 destroy(table);
153 }
154
155 isc_result_t
156 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
157 dns_name_t *identity, unsigned int matchtype,
158 dns_name_t *name, unsigned int ntypes,
159 dns_rdatatype_t *types)
160 {
161 dns_ssurule_t *rule;
162 isc_mem_t *mctx;
163 isc_result_t result;
164
165 REQUIRE(VALID_SSUTABLE(table));
166 REQUIRE(dns_name_isabsolute(identity));
167 REQUIRE(dns_name_isabsolute(name));
168 REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
169 if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
170 REQUIRE(dns_name_iswildcard(name));
171 if (ntypes > 0)
172 REQUIRE(types != NULL);
173
174 mctx = table->mctx;
175 rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
176 if (rule == NULL)
177 return (ISC_R_NOMEMORY);
178
179 rule->identity = NULL;
180 rule->name = NULL;
181 rule->types = NULL;
182
183 rule->grant = grant;
184
185 rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
186 if (rule->identity == NULL) {
187 result = ISC_R_NOMEMORY;
188 goto failure;
189 }
190 dns_name_init(rule->identity, NULL);
191 result = dns_name_dup(identity, mctx, rule->identity);
192 if (result != ISC_R_SUCCESS)
193 goto failure;
194
195 rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
196 if (rule->name == NULL) {
197 result = ISC_R_NOMEMORY;
198 goto failure;
199 }
200 dns_name_init(rule->name, NULL);
201 result = dns_name_dup(name, mctx, rule->name);
202 if (result != ISC_R_SUCCESS)
203 goto failure;
204
205 rule->matchtype = matchtype;
206
207 rule->ntypes = ntypes;
208 if (ntypes > 0) {
209 rule->types = isc_mem_get(mctx,
210 ntypes * sizeof(dns_rdatatype_t));
211 if (rule->types == NULL) {
212 result = ISC_R_NOMEMORY;
213 goto failure;
214 }
215 memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
216 } else
217 rule->types = NULL;
218
219 rule->magic = SSURULEMAGIC;
220 ISC_LIST_INITANDAPPEND(table->rules, rule, link);
221
222 return (ISC_R_SUCCESS);
223
224 failure:
225 if (rule->identity != NULL) {
226 if (dns_name_dynamic(rule->identity))
227 dns_name_free(rule->identity, mctx);
228 isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
229 }
230 if (rule->name != NULL) {
231 if (dns_name_dynamic(rule->name))
232 dns_name_free(rule->name, mctx);
233 isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
234 }
235 if (rule->types != NULL)
236 isc_mem_put(mctx, rule->types,
237 ntypes * sizeof(dns_rdatatype_t));
238 isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
239
240 return (result);
241 }
242
243 static inline isc_boolean_t
244 isusertype(dns_rdatatype_t type) {
245 return (ISC_TF(type != dns_rdatatype_ns &&
246 type != dns_rdatatype_soa &&
247 type != dns_rdatatype_rrsig));
248 }
249
250 isc_boolean_t
251 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
252 dns_name_t *name, dns_rdatatype_t type)
253 {
254 dns_ssurule_t *rule;
255 unsigned int i;
256 dns_fixedname_t fixed;
257 dns_name_t *wildcard;
258 isc_result_t result;
259
260 REQUIRE(VALID_SSUTABLE(table));
261 REQUIRE(signer == NULL || dns_name_isabsolute(signer));
262 REQUIRE(dns_name_isabsolute(name));
263
264 if (signer == NULL)
265 return (ISC_FALSE);
266
267 for (rule = ISC_LIST_HEAD(table->rules);
268 rule != NULL;
269 rule = ISC_LIST_NEXT(rule, link))
270 {
271 switch (rule->matchtype) {
272 case DNS_SSUMATCHTYPE_NAME:
273 case DNS_SSUMATCHTYPE_SUBDOMAIN:
274 case DNS_SSUMATCHTYPE_WILDCARD:
275 case DNS_SSUMATCHTYPE_SELF:
276 case DNS_SSUMATCHTYPE_SELFSUB:
277 case DNS_SSUMATCHTYPE_SELFWILD:
278 if (dns_name_iswildcard(rule->identity)) {
279 if (!dns_name_matcheswildcard(signer,
280 rule->identity))
281 continue;
282 }
283 else {
284 if (!dns_name_equal(signer, rule->identity))
285 continue;
286 }
287 break;
288 }
289
290 switch (rule->matchtype) {
291 case DNS_SSUMATCHTYPE_NAME:
292 if (!dns_name_equal(name, rule->name))
293 continue;
294 break;
295 case DNS_SSUMATCHTYPE_SUBDOMAIN:
296 if (!dns_name_issubdomain(name, rule->name))
297 continue;
298 break;
299 case DNS_SSUMATCHTYPE_WILDCARD:
300 if (!dns_name_matcheswildcard(name, rule->name))
301 continue;
302 break;
303 case DNS_SSUMATCHTYPE_SELF:
304 if (!dns_name_equal(signer, name))
305 continue;
306 break;
307 case DNS_SSUMATCHTYPE_SELFSUB:
308 if (!dns_name_issubdomain(name, signer))
309 continue;
310 break;
311 case DNS_SSUMATCHTYPE_SELFWILD:
312 dns_fixedname_init(&fixed);
313 wildcard = dns_fixedname_name(&fixed);
314 result = dns_name_concatenate(dns_wildcardname, signer,
315 wildcard, NULL);
316 if (result != ISC_R_SUCCESS)
317 continue;
318 if (!dns_name_matcheswildcard(name, wildcard))
319 continue;
320 break;
321 case DNS_SSUMATCHTYPE_SELFKRB5:
322 if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
323 rule->identity))
324 continue;
325 break;
326 case DNS_SSUMATCHTYPE_SELFMS:
327 if (!dst_gssapi_identitymatchesrealmms(signer, name,
328 rule->identity))
329 continue;
330 break;
331 case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
332 if (!dns_name_issubdomain(name, rule->name))
333 continue;
334 if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
335 rule->identity))
336 continue;
337 break;
338 case DNS_SSUMATCHTYPE_SUBDOMAINMS:
339 if (!dns_name_issubdomain(name, rule->name))
340 continue;
341 if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
342 rule->identity))
343 continue;
344 break;
345 }
346
347 if (rule->ntypes == 0) {
348 if (!isusertype(type))
349 continue;
350 } else {
351 for (i = 0; i < rule->ntypes; i++) {
352 if (rule->types[i] == dns_rdatatype_any ||
353 rule->types[i] == type)
354 break;
355 }
356 if (i == rule->ntypes)
357 continue;
358 }
359 return (rule->grant);
360 }
361
362 return (ISC_FALSE);
363 }
364
365 isc_boolean_t
366 dns_ssurule_isgrant(const dns_ssurule_t *rule) {
367 REQUIRE(VALID_SSURULE(rule));
368 return (rule->grant);
369 }
370
371 dns_name_t *
372 dns_ssurule_identity(const dns_ssurule_t *rule) {
373 REQUIRE(VALID_SSURULE(rule));
374 return (rule->identity);
375 }
376
377 unsigned int
378 dns_ssurule_matchtype(const dns_ssurule_t *rule) {
379 REQUIRE(VALID_SSURULE(rule));
380 return (rule->matchtype);
381 }
382
383 dns_name_t *
384 dns_ssurule_name(const dns_ssurule_t *rule) {
385 REQUIRE(VALID_SSURULE(rule));
386 return (rule->name);
387 }
388
389 unsigned int
390 dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
391 REQUIRE(VALID_SSURULE(rule));
392 REQUIRE(types != NULL && *types != NULL);
393 *types = rule->types;
394 return (rule->ntypes);
395 }
396
397 isc_result_t
398 dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
399 REQUIRE(VALID_SSUTABLE(table));
400 REQUIRE(rule != NULL && *rule == NULL);
401 *rule = ISC_LIST_HEAD(table->rules);
402 return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
403 }
404
405 isc_result_t
406 dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
407 REQUIRE(VALID_SSURULE(rule));
408 REQUIRE(nextrule != NULL && *nextrule == NULL);
409 *nextrule = ISC_LIST_NEXT(rule, link);
410 return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
411 }
DragonFly BSD