OpenDNSSEC-signer  1.4.5
acl.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
32 #include "config.h"
33 #include "shared/log.h"
34 #include "shared/file.h"
35 #include "shared/status.h"
36 #include "wire/acl.h"
37 
38 static const char* acl_str = "acl";
39 
40 
46 static acl_range_type
47 acl_parse_range_type(char* ip, char** mask)
48 {
49  char *p;
50  if((p=strchr(ip, '&'))!=0) {
51  *p = 0;
52  *mask = p+1;
53  return ACL_RANGE_MASK;
54  }
55  if((p=strchr(ip, '/'))!=0) {
56  *p = 0;
57  *mask = p+1;
58  return ACL_RANGE_SUBNET;
59  }
60  if((p=strchr(ip, '-'))!=0) {
61  *p = 0;
62  *mask = p+1;
63  return ACL_RANGE_MINMAX;
64  }
65  *mask = 0;
66  return ACL_RANGE_SINGLE;
67 }
68 
69 
74 static ods_status
75 acl_parse_range_subnet(char* p, void* addr, int maxbits)
76 {
77  int subnet_bits = atoi(p);
78  uint8_t* addr_bytes = (uint8_t*)addr;
79  if (subnet_bits == 0 && strcmp(p, "0")!=0) {
81  }
82  if (subnet_bits < 0 || subnet_bits > maxbits) {
84  }
85  /* fill addr with n bits of 1s (struct has been zeroed) */
86  while(subnet_bits >= 8) {
87  *addr_bytes++ = 0xff;
88  subnet_bits -= 8;
89  }
90  if(subnet_bits > 0) {
91  uint8_t shifts[] =
92  {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff};
93  *addr_bytes = shifts[subnet_bits];
94  }
95  return ODS_STATUS_OK;
96 }
97 
98 
103 int
104 acl_parse_family(const char* a)
105 {
106  /* see if addr is ipv6 or ipv4 -- by : and . */
107  while (*a) {
108  if (*a == '.') {
109  return AF_INET;
110  }
111  if (*a == ':') {
112  return AF_INET6;
113  }
114  ++a;
115  }
116  /* default to v4 */
117  return AF_INET;
118 }
119 
120 
125 acl_type*
126 acl_create(allocator_type* allocator, char* address, char* port,
127  char* tsig_name, tsig_type* tsig)
128 {
129  ods_status status = ODS_STATUS_OK;
130  acl_type* acl = NULL;
131  char* p = NULL;
132  if (!allocator) {
133  return NULL;
134  }
135  acl = (acl_type*) allocator_alloc(allocator, sizeof(acl_type));
136  if (!acl) {
137  ods_log_error("[%s] unable to create acl: allocator_alloc() "
138  "failed", acl_str);
139  return NULL;
140  }
141  acl->address = NULL;
142  acl->next = NULL;
143  acl->tsig = NULL;
144  if (tsig_name) {
145  acl->tsig = tsig_lookup_by_name(tsig, tsig_name);
146  if (!acl->tsig) {
147  ods_log_error("[%s] unable to create acl: tsig %s not found",
148  acl_str, tsig_name);
149  acl_cleanup(acl, allocator);
150  return NULL;
151  }
152  }
153  acl->port = 0;
154  if (port) {
155  acl->port = atoi((const char*) port);
156  }
157  memset(&acl->addr, 0, sizeof(union acl_addr_storage));
158  memset(&acl->range_mask, 0, sizeof(union acl_addr_storage));
159  if (address) {
160  acl->family = acl_parse_family(address);
161  acl->range_type = acl_parse_range_type(address, &p);
162  acl->address = allocator_strdup(allocator, address);
163  if (!acl->address) {
164  ods_log_error("[%s] unable to create acl: allocator_strdup() "
165  "failed", acl_str);
166  acl_cleanup(acl, allocator);
167  return NULL;
168  }
169  if (acl->family == AF_INET6) {
170  if (inet_pton(AF_INET6, acl->address, &acl->addr.addr6) != 1) {
171  ods_log_error("[%s] unable to create acl: bad ipv6 address "
172  "(%s)", acl_str, acl->address);
173  acl_cleanup(acl, allocator);
174  return NULL;
175  }
176  if (acl->range_type == ACL_RANGE_MASK ||
177  acl->range_type == ACL_RANGE_MINMAX) {
178  if (inet_pton(AF_INET6, p, &acl->range_mask.addr6) != 1) {
179  ods_log_error("[%s] unable to create acl: bad ipv6 address"
180  " mask (%s)", acl_str, p);
181  acl_cleanup(acl, allocator);
182  return NULL;
183  }
184  } else if (acl->range_type == ACL_RANGE_SUBNET) {
185  status = acl_parse_range_subnet(p, &acl->range_mask.addr6, 128);
186  if (status != ODS_STATUS_OK) {
187  ods_log_error("[%s] unable to create acl: %s (%s)",
188  acl_str, ods_status2str(status), p);
189  acl_cleanup(acl, allocator);
190  return NULL;
191  }
192  }
193  } else if (acl->family == AF_INET) {
194  if (inet_pton(AF_INET, acl->address, &acl->addr.addr) != 1) {
195  ods_log_error("[%s] unable to create acl: bad ipv4 address "
196  "(%s)", acl_str, acl->address);
197  acl_cleanup(acl, allocator);
198  return NULL;
199  }
200  if (acl->range_type == ACL_RANGE_MASK ||
201  acl->range_type == ACL_RANGE_MINMAX) {
202  if (inet_pton(AF_INET, p, &acl->range_mask.addr) != 1) {
203  ods_log_error("[%s] unable to create acl: bad ipv4 address"
204  " mask (%s)", acl_str, p);
205  acl_cleanup(acl, allocator);
206  return NULL;
207  }
208  } else if (acl->range_type == ACL_RANGE_SUBNET) {
209  status = acl_parse_range_subnet(p, &acl->range_mask.addr, 32);
210  if (status != ODS_STATUS_OK) {
211  ods_log_error("[%s] unable to create acl: %s (%s)",
212  acl_str, ods_status2str(status), p);
213  acl_cleanup(acl, allocator);
214  return NULL;
215  }
216  }
217  }
218  }
219  acl->ixfr_disabled = 0;
220  return acl;
221 }
222 
223 
228 static int
229 acl_addr_matches_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz)
230 {
231  size_t i = 0;
232  ods_log_assert(sz % 4 == 0);
233  sz /= 4;
234  for (i=0; i<sz; ++i) {
235  if (((*a++)&*mask) != ((*b++)&*mask)) {
236  return 0;
237  }
238  ++mask;
239  }
240  return 1;
241 }
242 
247 static int
248 acl_addr_matches_range(uint32_t* minval, uint32_t* x, uint32_t* maxval,
249  size_t sz)
250 {
251  size_t i = 0;
252  uint8_t checkmin = 1;
253  uint8_t checkmax = 1;
254  ods_log_assert(sz % 4 == 0);
255  /* check treats x as one huge number */
256  sz /= 4;
257  for (i=0; i<sz; ++i) {
258  /* if outside bounds, we are done */
259  if (checkmin && minval[i] > x[i]) {
260  return 0;
261  }
262  if (checkmax && maxval[i] < x[i]) {
263  return 0;
264  }
265  /* if x is equal to a bound, that bound needs further checks */
266  if (checkmin && minval[i] != x[i]) {
267  checkmin = 0;
268  }
269  if (checkmax && maxval[i]!=x[i]) {
270  checkmax = 0;
271  }
272  if (!checkmin && !checkmax) {
273  return 1; /* will always match */
274  }
275  }
276  return 1;
277 }
278 
279 
284 static int
285 acl_addr_matches(acl_type* acl, struct sockaddr_storage* addr)
286 {
287  if (!acl) {
288  return 0;
289  }
290  if (!acl->address) {
291  /* all addresses match */
292  return 1;
293  }
294  if (acl->family == AF_INET6) {
295  struct sockaddr_in6* addr6 = (struct sockaddr_in6*) addr;
296  if (addr->ss_family != AF_INET6) {
297  return 0;
298  }
299  if (acl->port != 0 && acl->port != ntohs(addr6->sin6_port)) {
300  return 0;
301  }
302  switch(acl->range_type) {
303  case ACL_RANGE_MASK:
304  case ACL_RANGE_SUBNET:
305  if (!acl_addr_matches_mask((uint32_t*)&acl->addr.addr6,
306  (uint32_t*)&addr6->sin6_addr,
307  (uint32_t*)&acl->range_mask.addr6,
308  sizeof(struct in6_addr))) {
309  return 0;
310  }
311  break;
312  case ACL_RANGE_MINMAX:
313  if (!acl_addr_matches_range((uint32_t*)&acl->addr.addr6,
314  (uint32_t*)&addr6->sin6_addr,
315  (uint32_t*)&acl->range_mask.addr6,
316  sizeof(struct in6_addr))) {
317  return 0;
318  }
319  break;
320  case ACL_RANGE_SINGLE:
321  default:
322  if (memcmp(&addr6->sin6_addr, &acl->addr.addr6,
323  sizeof(struct in6_addr)) != 0) {
324  return 0;
325  }
326  break;
327  }
328  return 1;
329  } else {
330  struct sockaddr_in* addr4 = (struct sockaddr_in*)addr;
331  if (addr4->sin_family != AF_INET) {
332  return 0;
333  }
334  if (acl->port != 0 && acl->port != ntohs(addr4->sin_port)) {
335  return 0;
336  }
337  switch (acl->range_type) {
338  case ACL_RANGE_MASK:
339  case ACL_RANGE_SUBNET:
340  if (!acl_addr_matches_mask((uint32_t*)&acl->addr.addr,
341  (uint32_t*)&addr4->sin_addr,
342  (uint32_t*)&acl->range_mask.addr,
343  sizeof(struct in_addr))) {
344  return 0;
345  }
346  break;
347  case ACL_RANGE_MINMAX:
348  if (!acl_addr_matches_range((uint32_t*)&acl->addr.addr,
349  (uint32_t*)&addr4->sin_addr,
350  (uint32_t*)&acl->range_mask.addr,
351  sizeof(struct in_addr))) {
352  return 0;
353  }
354  break;
355  case ACL_RANGE_SINGLE:
356  default:
357  if (memcmp(&addr4->sin_addr, &acl->addr.addr,
358  sizeof(struct in_addr)) != 0) {
359  return 0;
360  }
361  break;
362  }
363  return 1;
364  }
365  /* not reached */
366  return 0;
367 }
368 
369 
374 static int
375 acl_tsig_matches(acl_type* acl, tsig_rr_type* tsig)
376 {
377  if (!acl || !tsig) {
378  ods_log_debug("[%s] no match: no acl or tsig", acl_str);
379  return 0; /* missing required elements */
380  }
381  if (!acl->tsig) {
382  if (tsig->status == TSIG_NOT_PRESENT) {
383  return 1;
384  }
385  ods_log_debug("[%s] no match: tsig present but no config", acl_str);
386  return 0; /* TSIG present but no config */
387  }
388  if (tsig->status != TSIG_OK) {
389  ods_log_debug("[%s] no match: tsig %s", acl_str,
390  tsig_status2str(tsig->status));
391  return 0; /* query has no TSIG */
392  }
393  if (tsig->error_code != LDNS_RCODE_NOERROR) {
394  ods_log_debug("[%s] no match: tsig error %d", acl_str,
395  tsig->error_code);
396  return 0; /* query has bork TSIG */
397  }
398  if (!tsig->key_name || !tsig->algo) {
399  ods_log_debug("[%s] no match: missing key/algo", acl_str);
400  return 0;
401  }
402  if (!acl->tsig->key) {
403  ods_log_debug("[%s] no match: no config", acl_str);
404  return 0; /* missing TSIG config */
405  }
406  if (ldns_dname_compare(tsig->key_name, acl->tsig->key->dname) != 0) {
407  ods_log_debug("[%s] no match: key names not the same", acl_str);
408  return 0; /* wrong key name */
409  }
410  if (ods_strlowercmp(tsig->algo->txt_name, acl->tsig->algorithm) != 0) {
411  ods_log_debug("[%s] no match: algorithms not the same", acl_str);
412  return 0; /* wrong algorithm name */
413  }
414  /* tsig matches */
415  return 1;
416 }
417 
418 
423 int
424 addr2ip(struct sockaddr_storage addr, char* ip, size_t len)
425 {
426  if (addr.ss_family == AF_INET6) {
427  if (!inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&addr)->sin6_addr,
428  ip, len)) {
429  return 0;
430  }
431  } else {
432  if (!inet_ntop(AF_INET, &((struct sockaddr_in *)&addr)->sin_addr,
433  ip, len))
434  return 0;
435  }
436  return 1;
437 }
438 
439 
444 acl_type*
445 acl_find(acl_type* acl, struct sockaddr_storage* addr, tsig_rr_type* trr)
446 {
447  acl_type* find = acl;
448  while (find) {
449  if (acl_addr_matches(find, addr) && acl_tsig_matches(find, trr)) {
450  ods_log_debug("[%s] match %s", acl_str, find->address);
451  return find;
452  }
453  find = find->next;
454  }
455  return NULL;
456 }
457 
458 
463 void
465 {
466  if (!acl || !allocator) {
467  return;
468  }
469  acl_cleanup(acl->next, allocator);
470  allocator_deallocate(allocator, (void*) acl->address);
471  allocator_deallocate(allocator, (void*) acl);
472  return;
473 }
void acl_cleanup(acl_type *acl, allocator_type *allocator)
Definition: acl.c:464
tsig_algo_type * algo
Definition: tsig.h:131
tsig_status status
Definition: tsig.h:126
void ods_log_debug(const char *format,...)
Definition: log.c:270
union acl_addr_storage range_mask
Definition: acl.h:65
void * allocator_alloc(allocator_type *allocator, size_t size)
Definition: allocator.c:66
uint16_t error_code
Definition: tsig.h:144
int acl_parse_family(const char *a)
Definition: acl.c:104
enum ods_enum_status ods_status
Definition: status.h:90
time_t ixfr_disabled
Definition: acl.h:71
void ods_log_error(const char *format,...)
Definition: log.c:334
acl_type * next
Definition: acl.h:59
const char * ods_status2str(ods_status status)
Definition: status.c:111
int family
Definition: acl.h:63
union acl_addr_storage addr
Definition: acl.h:64
const char * algorithm
Definition: tsig.h:114
tsig_key_type * key
Definition: tsig.h:116
acl_range_type range_type
Definition: acl.h:66
const char * tsig_status2str(tsig_status status)
Definition: tsig.c:809
ldns_rdf * key_name
Definition: tsig.h:136
Definition: tsig.h:58
char * allocator_strdup(allocator_type *allocator, const char *string)
Definition: allocator.c:121
ldns_rdf * dname
Definition: tsig.h:80
char * address
Definition: acl.h:61
enum acl_range_enum acl_range_type
Definition: acl.h:51
acl_type * acl_find(acl_type *acl, struct sockaddr_storage *addr, tsig_rr_type *trr)
Definition: acl.c:445
acl_type * acl_create(allocator_type *allocator, char *address, char *port, char *tsig_name, tsig_type *tsig)
Definition: acl.c:126
void allocator_deallocate(allocator_type *allocator, void *data)
Definition: allocator.c:135
unsigned int port
Definition: acl.h:62
int ods_strlowercmp(const char *str1, const char *str2)
Definition: file.c:337
struct in_addr addr
Definition: listener.h:60
#define ods_log_assert(x)
Definition: log.h:154
const char * txt_name
Definition: tsig.h:91
int addr2ip(struct sockaddr_storage addr, char *ip, size_t len)
Definition: acl.c:424
tsig_type * tsig
Definition: acl.h:69
tsig_type * tsig_lookup_by_name(tsig_type *tsig, const char *name)
Definition: tsig.c:266
struct in6_addr addr6
Definition: listener.h:61
Definition: acl.h:58