void
dns_name_split(dns_name_t *name, unsigned int suffixlabels,
dns_name_t *prefix, dns_name_t *suffix)
{
unsigned int splitlabel;
REQUIRE(VALID_NAME(name));
REQUIRE(suffixlabels > 0);
REQUIRE(suffixlabels < name->labels);
REQUIRE(prefix != NULL || suffix != NULL);
REQUIRE(prefix == NULL ||
(VALID_NAME(prefix) &&
prefix->buffer != NULL &&
BINDABLE(prefix)));
REQUIRE(suffix == NULL ||
(VALID_NAME(suffix) &&
suffix->buffer != NULL &&
BINDABLE(suffix)));
splitlabel = name->labels - suffixlabels;
if (prefix != NULL)
dns_name_getlabelsequence(name, 0, splitlabel, prefix);
if (suffix != NULL)
dns_name_getlabelsequence(name, splitlabel,
suffixlabels, suffix);
return;
}
/*
* Find the longest match of name in the table.
* If match is found return ISC_TRUE. prefix, suffix and offset are updated.
* If no match is found return ISC_FALSE.
*/
isc_boolean_t
dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
dns_name_t *prefix, isc_uint16_t *offset)
{
dns_name_t tname, nname;
dns_compressnode_t *node = NULL;
unsigned int labels, hash, n;
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
REQUIRE(offset != NULL);
if (cctx->count == 0)
return (ISC_FALSE);
labels = dns_name_countlabels(name);
INSIST(labels > 0);
dns_name_init(&tname, NULL);
dns_name_init(&nname, NULL);
for (n = 0; n < labels - 1; n++) {
dns_name_getlabelsequence(name, n, labels - n, &tname);
hash = dns_name_hash(&tname, ISC_FALSE) %
DNS_COMPRESS_TABLESIZE;
for (node = cctx->table[hash]; node != NULL; node = node->next)
{
NODENAME(node, &nname);
if ((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0) {
if (dns_name_caseequal(&nname, &tname))
break;
} else {
if (dns_name_equal(&nname, &tname))
break;
}
}
if (node != NULL)
break;
}
/*
* If node == NULL, we found no match at all.
*/
if (node == NULL)
return (ISC_FALSE);
if (n == 0)
dns_name_reset(prefix);
else
dns_name_getlabelsequence(name, 0, n, prefix);
*offset = node->offset;
return (ISC_TRUE);
}
static inline void
name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
gss_buffer_desc *gbuffer)
{
dns_name_t tname, *namep;
isc_region_t r;
isc_result_t result;
if (!dns_name_isabsolute(name))
namep = name;
else
{
unsigned int labels;
dns_name_init(&tname, NULL);
labels = dns_name_countlabels(name);
dns_name_getlabelsequence(name, 0, labels - 1, &tname);
namep = &tname;
}
result = dns_name_toprincipal(namep, buffer);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_putuint8(buffer, 0);
isc_buffer_usedregion(buffer, &r);
REGION_TO_GBUFFER(r, *gbuffer);
}
void
dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
const dns_name_t *prefix, isc_uint16_t offset)
{
dns_name_t tname;
unsigned int start;
unsigned int n;
unsigned int count;
unsigned int hash;
dns_compressnode_t *node;
unsigned int length;
unsigned int tlength;
isc_uint16_t toffset;
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name));
dns_name_init(&tname, NULL);
n = dns_name_countlabels(name);
count = dns_name_countlabels(prefix);
if (dns_name_isabsolute(prefix))
count--;
start = 0;
length = name_length(name);
while (count > 0) {
if (offset >= 0x4000)
break;
dns_name_getlabelsequence(name, start, n, &tname);
hash = dns_name_hash(&tname, ISC_FALSE) %
DNS_COMPRESS_TABLESIZE;
tlength = name_length(&tname);
toffset = (isc_uint16_t)(offset + (length - tlength));
/*
* Create a new node and add it.
*/
if (cctx->count < DNS_COMPRESS_INITIALNODES)
node = &cctx->initialnodes[cctx->count];
else {
node = isc_mem_get(cctx->mctx,
sizeof(dns_compressnode_t));
if (node == NULL)
return;
}
node->count = cctx->count++;
node->offset = toffset;
dns_name_toregion(&tname, &node->r);
node->labels = (isc_uint8_t)dns_name_countlabels(&tname);
node->next = cctx->table[hash];
cctx->table[hash] = node;
start++;
n--;
count--;
}
}
isc_result_t
dnsname_to_dn(zone_register_t *zr, dns_name_t *name, dns_name_t *zone,
ld_string_t *target)
{
isc_result_t result;
int label_count;
const char *zone_dn = NULL;
char *dns_str = NULL;
char *escaped_name = NULL;
int dummy;
dns_name_t labels;
unsigned int common_labels;
dns_namereln_t namereln;
REQUIRE(zr != NULL);
REQUIRE(name != NULL);
REQUIRE(target != NULL);
isc_mem_t * mctx = zr_get_mctx(zr);
str_clear(target);
/* Find the DN of the zone we belong to. */
CHECK(zr_get_zone_dn(zr, zone, &zone_dn));
namereln = dns_name_fullcompare(name, zone, &dummy, &common_labels);
if (namereln != dns_namereln_equal) {
label_count = dns_name_countlabels(name) - common_labels;
dns_name_init(&labels, NULL);
dns_name_getlabelsequence(name, 0, label_count, &labels);
CHECK(dns_name_tostring(&labels, &dns_str, mctx));
CHECK(dns_to_ldap_dn_escape(mctx, dns_str, &escaped_name));
CHECK(str_cat_char(target, "idnsName="));
CHECK(str_cat_char(target, escaped_name));
/*
* Modification of following line can affect modify_ldap_common().
* See line with: char *zone_dn = strstr(str_buf(owner_dn),", ") + 1;
*/
CHECK(str_cat_char(target, ", "));
}
CHECK(str_cat_char(target, zone_dn));
cleanup:
if (dns_str)
isc_mem_free(mctx, dns_str);
if (escaped_name)
isc_mem_free(mctx, escaped_name);
return result;
}
isc_boolean_t
dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
int order;
unsigned int nlabels, labels;
dns_name_t tname;
REQUIRE(VALID_NAME(name));
REQUIRE(name->labels > 0);
REQUIRE(VALID_NAME(wname));
labels = wname->labels;
REQUIRE(labels > 0);
REQUIRE(dns_name_iswildcard(wname));
DNS_NAME_INIT(&tname, NULL);
dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
dns_namereln_subdomain)
return (ISC_TRUE);
return (ISC_FALSE);
}
isc_result_t
dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
dns_tsig_keyring_t *ring)
{
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_tkey_t tkeyin, tkeyout;
isc_boolean_t freetkeyin = ISC_FALSE;
dns_name_t *qname, *name, *keyname, *signer, tsigner;
dns_fixedname_t fkeyname;
dns_rdataset_t *tkeyset;
dns_rdata_t rdata;
dns_namelist_t namelist;
char tkeyoutdata[512];
isc_buffer_t tkeyoutbuf;
REQUIRE(msg != NULL);
REQUIRE(tctx != NULL);
REQUIRE(ring != NULL);
ISC_LIST_INIT(namelist);
/*
* Interpret the question section.
*/
result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
if (result != ISC_R_SUCCESS)
return (DNS_R_FORMERR);
qname = NULL;
dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
/*
* Look for a TKEY record that matches the question.
*/
tkeyset = NULL;
name = NULL;
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
/*
* Try the answer section, since that's where Win2000
* puts it.
*/
name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
}
}
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
goto failure;
}
dns_rdata_init(&rdata);
dns_rdataset_current(tkeyset, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
freetkeyin = ISC_TRUE;
if (tkeyin.error != dns_rcode_noerror) {
result = DNS_R_FORMERR;
goto failure;
}
/*
* Before we go any farther, verify that the message was signed.
* GSSAPI TKEY doesn't require a signature, the rest do.
*/
dns_name_init(&tsigner, NULL);
result = dns_message_signer(msg, &tsigner);
if (result != ISC_R_SUCCESS) {
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
result == ISC_R_NOTFOUND)
signer = NULL;
else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
result = DNS_R_FORMERR;
goto failure;
}
} else
signer = &tsigner;
tkeyout.common.rdclass = tkeyin.common.rdclass;
tkeyout.common.rdtype = tkeyin.common.rdtype;
ISC_LINK_INIT(&tkeyout.common, link);
tkeyout.mctx = msg->mctx;
dns_name_init(&tkeyout.algorithm, NULL);
dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
tkeyout.inception = tkeyout.expire = 0;
tkeyout.mode = tkeyin.mode;
tkeyout.error = 0;
tkeyout.keylen = tkeyout.otherlen = 0;
tkeyout.key = tkeyout.other = NULL;
/*
* A delete operation must have a fully specified key name. If this
* is not a delete, we do the following:
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
dns_tsigkey_t *tsigkey = NULL;
if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
tkey_log("dns_tkey_processquery: tkey-domain not set");
result = DNS_R_REFUSED;
goto failure;
}
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
if (!dns_name_equal(qname, dns_rootname)) {
unsigned int n = dns_name_countlabels(qname);
RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
== ISC_R_SUCCESS);
dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
} else {
static char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
unsigned char randomdata[16];
char randomtext[32];
isc_buffer_t b;
unsigned int i, j;
result = isc_entropy_getdata(tctx->ectx,
randomdata,
sizeof(randomdata),
NULL, 0);
if (result != ISC_R_SUCCESS)
goto failure;
for (i = 0, j = 0; i < sizeof(randomdata); i++) {
unsigned char val = randomdata[i];
randomtext[j++] = hexdigits[val >> 4];
randomtext[j++] = hexdigits[val & 0xF];
}
isc_buffer_init(&b, randomtext, sizeof(randomtext));
isc_buffer_add(&b, sizeof(randomtext));
result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
/* Yup. This is a hack */
result = dns_name_concatenate(keyname, dns_rootname,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
} else {
result = dns_name_concatenate(keyname, tctx->domain,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
if (result == ISC_R_SUCCESS) {
tkeyout.error = dns_tsigerror_badname;
dns_tsigkey_detach(&tsigkey);
goto failure_with_tkey;
} else if (result != ISC_R_NOTFOUND)
goto failure;
} else
void
dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
const dns_name_t *prefix, isc_uint16_t offset)
{
dns_name_t tname, xname;
unsigned int start;
unsigned int n;
unsigned int count;
unsigned int i;
dns_compressnode_t *node;
unsigned int length;
unsigned int tlength;
isc_uint16_t toffset;
unsigned char *tmp;
isc_region_t r;
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name));
if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0))
return;
if (offset >= 0x4000)
return;
dns_name_init(&tname, NULL);
dns_name_init(&xname, NULL);
n = dns_name_countlabels(name);
count = dns_name_countlabels(prefix);
if (dns_name_isabsolute(prefix))
count--;
if (count == 0)
return;
start = 0;
dns_name_toregion(name, &r);
length = r.length;
tmp = isc_mem_get(cctx->mctx, length);
if (tmp == NULL)
return;
/*
* Copy name data to 'tmp' and make 'r' use 'tmp'.
*/
memmove(tmp, r.base, r.length);
r.base = tmp;
dns_name_fromregion(&xname, &r);
if (count > 2U)
count = 2U;
while (count > 0) {
unsigned char ch;
dns_name_getlabelsequence(&xname, start, n, &tname);
/*
* We calculate the table index using the first
* character in the first label of tname.
*/
ch = tname.ndata[1];
i = tableindex[ch];
tlength = name_length(&tname);
toffset = (isc_uint16_t)(offset + (length - tlength));
if (toffset >= 0x4000)
break;
/*
* Create a new node and add it.
*/
if (cctx->count < DNS_COMPRESS_INITIALNODES)
node = &cctx->initialnodes[cctx->count];
else {
node = isc_mem_get(cctx->mctx,
sizeof(dns_compressnode_t));
if (node == NULL)
break;
}
node->count = cctx->count++;
/*
* 'node->r.base' becomes 'tmp' when start == 0.
* Record this by setting 0x8000 so it can be freed later.
*/
if (start == 0)
toffset |= 0x8000;
node->offset = toffset;
dns_name_toregion(&tname, &node->r);
dns_name_init(&node->name, NULL);
node->name.length = node->r.length;
node->name.ndata = node->r.base;
node->name.labels = tname.labels;
node->name.attributes = DNS_NAMEATTR_ABSOLUTE;
node->next = cctx->table[i];
cctx->table[i] = node;
start++;
n--;
count--;
}
if (start == 0)
isc_mem_put(cctx->mctx, tmp, length);
}
/*
* Find the longest match of name in the table.
* If match is found return ISC_TRUE. prefix, suffix and offset are updated.
* If no match is found return ISC_FALSE.
*/
isc_boolean_t
dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
dns_name_t *prefix, isc_uint16_t *offset)
{
dns_name_t tname;
dns_compressnode_t *node = NULL;
unsigned int labels, i, n;
unsigned int numlabels;
unsigned char *p;
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
REQUIRE(offset != NULL);
if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0))
return (ISC_FALSE);
if (cctx->count == 0)
return (ISC_FALSE);
labels = dns_name_countlabels(name);
INSIST(labels > 0);
dns_name_init(&tname, NULL);
numlabels = labels > 3U ? 3U : labels;
p = name->ndata;
for (n = 0; n < numlabels - 1; n++) {
unsigned char ch, llen;
unsigned int firstoffset, length;
firstoffset = (unsigned int)(p - name->ndata);
length = name->length - firstoffset;
/*
* We calculate the table index using the first
* character in the first label of the suffix name.
*/
ch = p[1];
i = tableindex[ch];
if (ISC_LIKELY((cctx->allowed &
DNS_COMPRESS_CASESENSITIVE) != 0))
{
for (node = cctx->table[i];
node != NULL;
node = node->next)
{
if (ISC_UNLIKELY(node->name.length != length))
continue;
if (ISC_LIKELY(memcmp(node->name.ndata,
p, length) == 0))
goto found;
}
} else {
for (node = cctx->table[i];
node != NULL;
node = node->next)
{
unsigned int l, count;
unsigned char c;
unsigned char *label1, *label2;
if (ISC_UNLIKELY(node->name.length != length))
continue;
l = labels - n;
if (ISC_UNLIKELY(node->name.labels != l))
continue;
label1 = node->name.ndata;
label2 = p;
while (ISC_LIKELY(l-- > 0)) {
count = *label1++;
if (count != *label2++)
goto cont1;
/* no bitstring support */
INSIST(count <= 63);
/* Loop unrolled for performance */
while (ISC_LIKELY(count > 3)) {
c = maptolower[label1[0]];
if (c != maptolower[label2[0]])
goto cont1;
c = maptolower[label1[1]];
if (c != maptolower[label2[1]])
goto cont1;
c = maptolower[label1[2]];
if (c != maptolower[label2[2]])
goto cont1;
c = maptolower[label1[3]];
if (c != maptolower[label2[3]])
goto cont1;
count -= 4;
label1 += 4;
label2 += 4;
}
while (ISC_LIKELY(count-- > 0)) {
c = maptolower[*label1++];
if (c != maptolower[*label2++])
goto cont1;
}
}
break;
cont1:
continue;
}
}
if (node != NULL)
break;
llen = *p;
p += llen + 1;
}
found:
/*
* If node == NULL, we found no match at all.
*/
if (node == NULL)
return (ISC_FALSE);
if (n == 0)
dns_name_reset(prefix);
else
dns_name_getlabelsequence(name, 0, n, prefix);
*offset = (node->offset & 0x7fff);
return (ISC_TRUE);
}
/*%
* Return ISC_R_SUCCESS if we can determine that the name doesn't exist
* or we can determine whether there is data or not at the name.
* If the name does not exist return the wildcard name.
*
* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
*/
isc_result_t
dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
dns_name_t *nsecname, dns_rdataset_t *nsecset,
isc_boolean_t *exists, isc_boolean_t *data,
dns_name_t *wild, dns_nseclog_t logit, void *arg)
{
int order;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dns_namereln_t relation;
unsigned int olabels, nlabels, labels;
dns_rdata_nsec_t nsec;
isc_boolean_t atparent;
isc_boolean_t ns;
isc_boolean_t soa;
REQUIRE(exists != NULL);
REQUIRE(data != NULL);
REQUIRE(nsecset != NULL &&
nsecset->type == dns_rdatatype_nsec);
result = dns_rdataset_first(nsecset);
if (result != ISC_R_SUCCESS) {
(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
return (result);
}
dns_rdataset_current(nsecset, &rdata);
(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
if (order < 0) {
/*
* The name is not within the NSEC range.
*/
(*logit)(arg, ISC_LOG_DEBUG(3),
"NSEC does not cover name, before NSEC");
return (ISC_R_IGNORE);
}
if (order == 0) {
/*
* The names are the same. If we are validating "."
* then atparent should not be set as there is no parent.
*/
atparent = (olabels != 1) && dns_rdatatype_atparent(type);
ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
if (ns && !soa) {
if (!atparent) {
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring parent nsec");
return (ISC_R_IGNORE);
}
} else if (atparent && ns && soa) {
/*
* This NSEC record is from the child.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring child nsec");
return (ISC_R_IGNORE);
}
if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
!dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
*exists = ISC_TRUE;
*data = dns_nsec_typepresent(&rdata, type);
(*logit)(arg, ISC_LOG_DEBUG(3),
"nsec proves name exists (owner) data=%d",
*data);
return (ISC_R_SUCCESS);
}
(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
return (ISC_R_IGNORE);
}
if (relation == dns_namereln_subdomain &&
dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
!dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
{
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
return (ISC_R_IGNORE);
}
result = dns_rdata_tostruct(&rdata, &nsec, NULL);
if (result != ISC_R_SUCCESS)
return (result);
relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
if (order == 0) {
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring nsec matches next name");
return (ISC_R_IGNORE);
}
if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
/*
* The name is not within the NSEC range.
*/
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring nsec because name is past end of range");
return (ISC_R_IGNORE);
}
if (order > 0 && relation == dns_namereln_subdomain) {
(*logit)(arg, ISC_LOG_DEBUG(3),
"nsec proves name exist (empty)");
dns_rdata_freestruct(&nsec);
*exists = ISC_TRUE;
*data = ISC_FALSE;
return (ISC_R_SUCCESS);
}
if (wild != NULL) {
dns_name_t common;
dns_name_init(&common, NULL);
if (olabels > nlabels) {
labels = dns_name_countlabels(nsecname);
dns_name_getlabelsequence(nsecname, labels - olabels,
olabels, &common);
} else {
labels = dns_name_countlabels(&nsec.next);
dns_name_getlabelsequence(&nsec.next, labels - nlabels,
nlabels, &common);
}
result = dns_name_concatenate(dns_wildcardname, &common,
wild, NULL);
if (result != ISC_R_SUCCESS) {
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"failure generating wildcard name");
return (result);
}
}
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
*exists = ISC_FALSE;
return (ISC_R_SUCCESS);
}