*** empty log message ***

2026-04-22 14:49:20 -04:00 · 2000-02-14 21:00:38 +00:00 · 2000-02-14 21:00:38 +00:00 · 01d202be8f
commit 01d202be8f
parent 672b62dc2a
2 changed files with 336 additions and 0 deletions
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@ -0,0 +1,92 @@
+#ifndef DNS_SSU_H
+#define DNS_SSU_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/rwlock.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
+/*
+ *	Creates a table that will be used to store simple-secure-update rules.
+ *
+ *	Requires:
+ *		'mctx' is a valid memory context
+ *		'table' is not NULL, and '*table' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+
+void
+dns_ssutable_destroy(dns_ssutable_t **table);
+/*
+ *	Destroys a simple-secure-update rule table.  *table is set to NULL.
+ *
+ *	Requires:
+ *		'table' is not NULL
+ *		'*table' is a valid SSU table
+ */
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
+		     dns_name_t *identity, dns_name_t *name, isc_boolean_t self,
+		     unsigned int ntypes, dns_rdatatype_t *types);
+/*
+ *	Adds a new rule to a simple-secure-update rule table.  The rule
+ *	either grants or denies update privileges of an identity (or set of
+ *	identities) to modify a name (or set of names) or certain types present
+ *	at that name.
+ *
+ *	Notes:
+ *		If 'identity' or 'name' is NULL, that field is not checked
+ *		when processing this rule.
+ *
+ *		'identity' or 'name' may be wildcard names, which are
+ *		expanded for rule processing.
+ *
+ *		If 'self' is true, this rule only matches if the name to be
+ *		updated matches the signing identity.
+ *
+ *		If 'ntypes' is 0, this rule applies to all types except
+ *		NS, SOA, SIG, and NXT.
+ *
+ *		If 'types' includes ANY, this rule applies to all types
+ *		except NXT.
+ *
+ *	Requires:
+ *		'table' is a valid SSU table
+ *		'identity' is either NULL or a valid absolute name
+ *		'name' is either NULL or a valid absolute name
+ *		If 'self' is true, 'name' must be NULL
+ *		If 'ntypes' > 0, 'types' must not be NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, dns_rdatatype_t type);
+/*
+ *	Checks that the attempted update of (name, type) is allowed according
+ *	to the rules specified in the simple-secure-update rule table.  If
+ *	no rules are matched, access is denied.  If signer is NULL, access
+ *	is denied.
+ *
+ *	Requires:
+ *		'table' is a valid SSU table
+ *		'signer' is NULL or a valid absolute name
+ *		'name' is a valid absolute name
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SSU_H */
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@ -0,0 +1,244 @@
+/*
+ * $Id: ssu.c,v 1.1 2000/02/14 21:00:37 bwelling Exp $
+ * Principal Author: Brian Wellington
+ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/error.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <dns/name.h>
+#include <dns/ssu.h>
+
+#define SSUMAGIC		0x53535554 /* SSUT */
+#define VALID_SSUTABLE(table)	ISC_MAGIC_VALID((table), SSUMAGIC)
+
+struct dns_ssurule {
+	isc_boolean_t grant;	/* is this a grant or a deny? */
+	isc_boolean_t self;	/* lets a key modify its own name */
+	dns_name_t *identity;	/* the identity to match - NULL for any */
+	dns_name_t *name;	/* the name being updated - NULL for any */
+	unsigned int ntypes;	/* number of data types covered */
+	dns_rdatatype_t *types;	/* the data types.  Can include ANY, */
+				/* defaults to all but SIG,SOA,NS if NULL*/
+	ISC_LINK(dns_ssurule_t) link;
+};
+
+struct dns_ssutable {
+	isc_uint32_t magic;
+	isc_mem_t *mctx;
+	ISC_LIST(dns_ssurule_t) rules;
+};
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table) {
+	REQUIRE(table != NULL && *table == NULL);
+	REQUIRE(mctx != NULL);
+
+	*table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
+	if (*table == NULL)
+		return (ISC_R_NOMEMORY);
+
+	(*table)->mctx = mctx;
+	ISC_LIST_INIT((*table)->rules);
+	(*table)->magic = SSUMAGIC;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_ssutable_destroy(dns_ssutable_t **table) {
+	isc_mem_t *mctx;
+
+	REQUIRE(table != NULL);
+	REQUIRE(VALID_SSUTABLE(*table));
+
+	mctx = (*table)->mctx;
+	while (!ISC_LIST_EMPTY((*table)->rules)) {
+		dns_ssurule_t *rule = ISC_LIST_HEAD((*table)->rules);
+		if (rule->identity != NULL) {
+			dns_name_free(rule->identity, mctx);
+			isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+		}
+		if (rule->name != NULL) {
+			dns_name_free(rule->name, mctx);
+			isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+		}
+		if (rule->types != NULL)
+			isc_mem_put(mctx, rule->types,
+				    rule->ntypes * sizeof(dns_rdatatype_t));
+		ISC_LIST_UNLINK((*table)->rules, rule, link);
+		isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+	}
+	(*table)->magic = 0;
+	isc_mem_put(mctx, *table, sizeof(dns_ssutable_t));
+	*table = NULL;
+}
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
+		     dns_name_t *identity, dns_name_t *name, isc_boolean_t self,
+		     unsigned int ntypes, dns_rdatatype_t *types)
+{
+	dns_ssurule_t *rule;
+	isc_mem_t *mctx;
+	isc_result_t result;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(identity == NULL || dns_name_isabsolute(identity));
+	REQUIRE(name == NULL || dns_name_isabsolute(name));
+	if (self == ISC_TRUE)
+		REQUIRE(name == NULL);
+	if (ntypes > 0)
+		REQUIRE(types != NULL);
+
+	mctx = table->mctx;
+	rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
+	if (rule == NULL)
+		return (ISC_R_NOMEMORY);
+
+	rule->identity = NULL;
+	rule->name = NULL;
+	rule->types = NULL;
+
+	rule->grant = grant;
+
+	if (identity != NULL) {
+		rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (rule->identity == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		dns_name_init(rule->identity, NULL);
+		result = dns_name_dup(identity, mctx, rule->identity);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	else
+		rule->identity = NULL;
+
+	if (name != NULL) {
+		rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (rule->name == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		dns_name_init(rule->name, NULL);
+		result = dns_name_dup(name, mctx, rule->name);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	else
+		rule->name = NULL;
+
+	rule->self = self;
+
+	rule->ntypes = ntypes;
+	if (ntypes > 0) {
+		rule->types = isc_mem_get(mctx,
+					  ntypes * sizeof(dns_rdatatype_t));
+		if (rule->types == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
+	}
+	else
+		rule->types = NULL;
+
+	ISC_LIST_APPEND(table->rules, rule, link);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (rule->identity != NULL) {
+		if (dns_name_dynamic(rule->identity))
+			dns_name_free(rule->identity, mctx);
+		isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+	}
+	if (rule->name != NULL) {
+		if (dns_name_dynamic(rule->name))
+			dns_name_free(rule->name, mctx);
+		isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+	}
+	if (rule->types != NULL)
+		isc_mem_put(mctx, rule->types,
+			    ntypes * sizeof(dns_rdatatype_t));
+	isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+
+	return (result);
+}
+
+static inline isc_boolean_t
+isusertype(dns_rdatatype_t type) {
+	return (type != dns_rdatatype_ns &&
+		type != dns_rdatatype_soa &&
+		type != dns_rdatatype_sig);
+}
+
+isc_boolean_t
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, dns_rdatatype_t type)
+{
+	dns_ssurule_t *rule;
+	unsigned int i;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
+	REQUIRE(dns_name_isabsolute(name));
+
+	if (signer == NULL)
+		return (ISC_FALSE);
+	rule = ISC_LIST_HEAD(table->rules);
+		rule = ISC_LIST_NEXT(rule, link);
+	for (rule = ISC_LIST_HEAD(table->rules);
+	     rule != NULL;
+	     rule = ISC_LIST_NEXT(rule, link))
+	{
+		if (rule->self && !dns_name_equal(signer, name))
+			continue;
+		if (rule->identity != NULL) {
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(signer,
+							      rule->identity))
+					continue;
+			}
+			else {
+				if (!dns_name_equal(signer, rule->identity))
+					continue;
+			}
+		}
+		if (rule->name != NULL) {
+			if (dns_name_iswildcard(rule->name)) {
+				if (!dns_name_matcheswildcard(name, rule->name))
+					continue;
+			}
+			else {
+				if (!dns_name_equal(name, rule->name))
+					continue;
+			}
+		}
+		if (rule->ntypes == 0) {
+			if (!isusertype(type))
+				continue;
+		}
+		else {
+			for (i = 0; i < rule->ntypes; i++) {
+				if (rule->types[i] == dns_rdatatype_any ||
+				    rule->types[i] == type)
+					break;
+			}
+			if (i == rule->ntypes)
+				continue;
+		}
+		return (rule->grant);
+	}
+
+	return (ISC_FALSE);
+}