acl.c 5.93 KB
Newer Older
1
/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
2 3 4 5 6 7 8 9 10 11 12 13

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
14
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
15 16
 */

17
#include "knot/updates/acl.h"
18

19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
static bool match_type(uint16_t type, conf_val_t *types)
{
	if (types == NULL) {
		return true;
	}

	conf_val_reset(types);
	while (types->code == KNOT_EOK) {
		if (type == knot_wire_read_u64(types->data)) {
			return true;
		}
		conf_val_next(types);
	}

	return false;
}

static bool match_name(const knot_dname_t *rr_owner, const knot_dname_t *name,
                       acl_update_owner_match_t match)
{
	if (name == NULL) {
		return true;
	}

	int ret = knot_dname_in_bailiwick(rr_owner, name);
	switch (match) {
	case ACL_UPDATE_MATCH_SUBEQ:
		return (ret >= 0);
	case ACL_UPDATE_MATCH_EQ:
		return (ret == 0);
	case ACL_UPDATE_MATCH_SUB:
		return (ret > 0);
	default:
		return false;
	}
}

static bool match_names(const knot_dname_t *rr_owner, conf_val_t *names,
                        acl_update_owner_match_t match)
{
	if (names == NULL) {
		return true;
	}

	conf_val_reset(names);
	while (names->code == KNOT_EOK) {
		if (match_name(rr_owner, conf_dname(names), match)) {
			return true;
		}
		conf_val_next(names);
	}

	return false;
}

static bool update_match(conf_t *conf, conf_val_t *acl, knot_dname_t *key_name,
                         const knot_dname_t *zone_name, knot_pkt_t *query)
{
	if (query == NULL) {
		return true;
	}

	conf_val_t val_types = conf_id_get(conf, C_ACL, C_UPDATE_TYPE, acl);
	conf_val_t *types = (conf_val_count(&val_types) > 0) ? &val_types : NULL;

	conf_val_t val = conf_id_get(conf, C_ACL, C_UPDATE_OWNER, acl);
	acl_update_owner_t owner = conf_opt(&val);

	/* Return if no specific requirements configured. */
	if (types == NULL && owner == ACL_UPDATE_OWNER_NONE) {
		return true;
	}

92
	acl_update_owner_match_t match = ACL_UPDATE_MATCH_SUBEQ;
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142
	if (owner != ACL_UPDATE_OWNER_NONE) {
		val = conf_id_get(conf, C_ACL, C_UPDATE_OWNER_MATCH, acl);
		match = conf_opt(&val);
	}

	conf_val_t *names = NULL;
	conf_val_t val_names;
	if (owner == ACL_UPDATE_OWNER_NAME) {
		val_names = conf_id_get(conf, C_ACL, C_UPDATE_OWNER_NAME, acl);
		if (conf_val_count(&val_names) > 0) {
			names = &val_names;
		}
	}

	/* Updated RRs are contained in the Authority section of the query
	 * (RFC 2136 Section 2.2)
	 */
	uint16_t pos = query->sections[KNOT_AUTHORITY].pos;
	uint16_t count = query->sections[KNOT_AUTHORITY].count;

	for (int i = pos; i < pos + count; i++) {
		knot_rrset_t *rr = &query->rr[i];
		if (!match_type(rr->type, types)) {
			return false;
		}

		switch (owner) {
		case ACL_UPDATE_OWNER_NAME:
			if (!match_names(rr->owner, names, match)) {
				return false;
			}
			break;
		case ACL_UPDATE_OWNER_KEY:
			if (!match_name(rr->owner, key_name, match)) {
				return false;
			}
			break;
		case ACL_UPDATE_OWNER_ZONE:
			if (!match_name(rr->owner, zone_name, match)) {
				return false;
			}
			break;
		default:
			break;
		}
	}

	return true;
}

143
bool acl_allowed(conf_t *conf, conf_val_t *acl, acl_action_t action,
144 145
                 const struct sockaddr_storage *addr, knot_tsig_key_t *tsig,
                 const knot_dname_t *zone_name, knot_pkt_t *query)
146
{
147
	if (acl == NULL || addr == NULL || tsig == NULL) {
148
		return false;
149 150
	}

151
	while (acl->code == KNOT_EOK) {
152
		/* Check if the address matches the current acl address list. */
153 154
		conf_val_t val = conf_id_get(conf, C_ACL, C_ADDR, acl);
		if (val.code != KNOT_ENOENT && !conf_addr_range_match(&val, addr)) {
155
			goto next_acl;
156
		}
157

158
		/* Check if the key matches the current acl key list. */
159
		conf_val_t key_val = conf_id_get(conf, C_ACL, C_KEY, acl);
160
		while (key_val.code == KNOT_EOK) {
161 162
			/* No key provided, but required. */
			if (tsig->name == NULL) {
163
				conf_val_next(&key_val);
Marek Vavrusa's avatar
Marek Vavrusa committed
164 165 166
				continue;
			}

167
			/* Compare key names (both in lower-case). */
168
			const knot_dname_t *key_name = conf_dname(&key_val);
169
			if (!knot_dname_is_equal(key_name, tsig->name)) {
170
				conf_val_next(&key_val);
171
				continue;
172
			}
173 174

			/* Compare key algorithms. */
175
			conf_val_t alg_val = conf_id_get(conf, C_KEY, C_ALG,
176 177
			                                 &key_val);
			if (conf_opt(&alg_val) != tsig->algorithm) {
178
				conf_val_next(&key_val);
179 180
				continue;
			}
181 182 183 184 185 186 187

			break;
		}
		/* Check for key match or empty list without key provided. */
		if (key_val.code != KNOT_EOK &&
		    !(key_val.code == KNOT_ENOENT && tsig->name == NULL)) {
			goto next_acl;
188 189
		}

190
		/* Check if the action is allowed. */
191
		if (action != ACL_ACTION_NONE) {
192
			val = conf_id_get(conf, C_ACL, C_ACTION, acl);
193 194 195 196 197
			while (val.code == KNOT_EOK) {
				if (conf_opt(&val) != action) {
					conf_val_next(&val);
					continue;
				}
198

199 200
				break;
			}
201 202 203 204 205 206
			switch (val.code) {
			case KNOT_EOK: /* Check for action match. */
				break;
			case KNOT_ENOENT: /* Empty action list allowed with deny only. */
				return false;
			default: /* No match. */
207 208
				goto next_acl;
			}
209 210
		}

211 212 213 214 215 216
		/* If the action is update, check for update rule match. */
		if (action == ACL_ACTION_UPDATE &&
		    !update_match(conf, acl, tsig->name, zone_name, query)) {
			goto next_acl;
		}

217
		/* Check if denied. */
218
		val = conf_id_get(conf, C_ACL, C_DENY, acl);
219 220
		if (conf_bool(&val)) {
			return false;
221
		}
222

223
		/* Fill the output with tsig secret if provided. */
224
		if (tsig->name != NULL) {
225
			val = conf_id_get(conf, C_KEY, C_SECRET, &key_val);
226
			tsig->secret.data = (uint8_t *)conf_bin(&val, &tsig->secret.size);
227 228 229
		}

		return true;
230 231
next_acl:
		conf_val_next(acl);
232 233
	}

234
	return false;
235
}