Commit fbeefd49 authored by Mark Andrews

add krb5-selfsub and ms-selfsub

parent 5fb75a3d
...@@ -12719,12 +12719,13 @@ example.com. NS ns2.example.net. ...@@ -12719,12 +12719,13 @@ example.com. NS ns2.example.net.
the rules are checked for each existing record type. the rules are checked for each existing record type.
</para> </para>
<para> <para>
The <replaceable>ruletype</replaceable> field has 13 The <replaceable>ruletype</replaceable> field has 16
values: values:
<varname>name</varname>, <varname>subdomain</varname>, <varname>name</varname>, <varname>subdomain</varname>,
<varname>wildcard</varname>, <varname>self</varname>, <varname>wildcard</varname>, <varname>self</varname>,
<varname>selfsub</varname>, <varname>selfwild</varname>, <varname>selfsub</varname>, <varname>selfwild</varname>,
<varname>krb5-self</varname>, <varname>ms-self</varname>, <varname>krb5-self</varname>, <varname>ms-self</varname>,
<varname>krb5-selfsub</varname>, <varname>ms-selfsub</varname>,
<varname>krb5-subdomain</varname>, <varname>krb5-subdomain</varname>,
<varname>ms-subdomain</varname>, <varname>ms-subdomain</varname>,
<varname>tcp-self</varname>, <varname>6to4-self</varname>, <varname>tcp-self</varname>, <varname>6to4-self</varname>,
...@@ -12883,6 +12884,20 @@ example.com. NS ns2.example.net. ...@@ -12883,6 +12884,20 @@ example.com. NS ns2.example.net.
</para> </para>
</entry> </entry>
</row> </row>
<row rowsep="0">
<entry colname="1">
<para>
<varname>ms-selfsub</varname>
</para>
</entry> <entry colname="2">
<para>
This is similar to <command>ms-self</command>
except it also allows updates to any subdomain of
the name specified in the Windows machine
principal, not just to the name itself.
</para>
</entry>
</row>
<row rowsep="0"> <row rowsep="0">
<entry colname="1"> <entry colname="1">
<para> <para>
...@@ -12954,6 +12969,20 @@ example.com. NS ns2.example.net. ...@@ -12954,6 +12969,20 @@ example.com. NS ns2.example.net.
</para> </para>
</entry> </entry>
</row> </row>
<row rowsep="0">
<entry colname="1">
<para>
<varname>krb5-selfsub</varname>
</para>
</entry> <entry colname="2">
<para>
This is similar to <command>krb5-self</command>
except it also allows updates to any subdomain of
the name specified in the 'machine' part of the
Kerberos principal, not just to the name itself.
</para>
</entry>
</row>
<row rowsep="0"> <row rowsep="0">
<entry colname="1"> <entry colname="1">
<para> <para>
...@@ -1830,6 +1830,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { ...@@ -1830,6 +1830,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
break; break;
case dns_ssumatchtype_selfkrb5: case dns_ssumatchtype_selfkrb5:
case dns_ssumatchtype_selfms: case dns_ssumatchtype_selfms:
case dns_ssumatchtype_selfsubkrb5:
case dns_ssumatchtype_selfsubms:
case dns_ssumatchtype_tcpself: case dns_ssumatchtype_tcpself:
case dns_ssumatchtype_6to4self: case dns_ssumatchtype_6to4self:
if (tresult == ISC_R_SUCCESS && if (tresult == ISC_R_SUCCESS &&
...@@ -347,11 +347,11 @@ cleanup: ...@@ -347,11 +347,11 @@ cleanup:
bool bool
dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
const dns_name_t *name, const dns_name_t *name,
const dns_name_t *realm) const dns_name_t *realm,
bool subdomain)
{ {
#ifdef GSSAPI #ifdef GSSAPI
char sbuf[DNS_NAME_FORMATSIZE]; char sbuf[DNS_NAME_FORMATSIZE];
char nbuf[DNS_NAME_FORMATSIZE];
char rbuf[DNS_NAME_FORMATSIZE]; char rbuf[DNS_NAME_FORMATSIZE];
char *sname; char *sname;
char *rname; char *rname;
...@@ -366,8 +366,6 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, ...@@ -366,8 +366,6 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
result = dns_name_toprincipal(signer, &buffer); result = dns_name_toprincipal(signer, &buffer);
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_putuint8(&buffer, 0); isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf)); dns_name_format(realm, rbuf, sizeof(rbuf));
/* /*
...@@ -382,6 +380,10 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, ...@@ -382,6 +380,10 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
*rname = '\0'; *rname = '\0';
rname++; rname++;
if (strcmp(rname, rbuf) != 0) {
return (false);
}
/* /*
* Find the host portion of the signer's name. We do this by * Find the host portion of the signer's name. We do this by
* searching for the first / character. We then check to make * searching for the first / character. We then check to make
...@@ -401,24 +403,30 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, ...@@ -401,24 +403,30 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
} }
/* /*
* Now, we do a simple comparison between the name and the realm. * If name is non NULL check that it matches against the
* machine name as expected.
*/ */
if (name != NULL) { if (name != NULL) {
if ((strcasecmp(sname, nbuf) == 0) dns_fixedname_t fixed;
&& (strcmp(rname, rbuf) == 0)) { dns_name_t *machine;
return (true);
machine = dns_fixedname_initname(&fixed);
result = dns_name_fromstring(machine, sname, 0, NULL);
if (result != ISC_R_SUCCESS) {
return (false);
} }
} else { if (subdomain) {
if (strcmp(rname, rbuf) == 0) { return (dns_name_issubdomain(name, machine));
return (true);
} }
return (dns_name_equal(name, machine));
} }
return (false); return (true);
#else #else
UNUSED(signer); UNUSED(signer);
UNUSED(name); UNUSED(name);
UNUSED(realm); UNUSED(realm);
UNUSED(subdomain);
return (false); return (false);
#endif #endif
} }
...@@ -426,14 +434,13 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, ...@@ -426,14 +434,13 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
bool bool
dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
const dns_name_t *name, const dns_name_t *name,
const dns_name_t *realm) const dns_name_t *realm,
bool subdomain)
{ {
#ifdef GSSAPI #ifdef GSSAPI
char sbuf[DNS_NAME_FORMATSIZE]; char sbuf[DNS_NAME_FORMATSIZE];
char nbuf[DNS_NAME_FORMATSIZE];
char rbuf[DNS_NAME_FORMATSIZE]; char rbuf[DNS_NAME_FORMATSIZE];
char *sname; char *sname;
char *nname;
char *rname; char *rname;
isc_buffer_t buffer; isc_buffer_t buffer;
isc_result_t result; isc_result_t result;
...@@ -446,8 +453,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, ...@@ -446,8 +453,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
result = dns_name_toprincipal(signer, &buffer); result = dns_name_toprincipal(signer, &buffer);
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_putuint8(&buffer, 0); isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf)); dns_name_format(realm, rbuf, sizeof(rbuf));
/* /*
...@@ -484,39 +489,35 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, ...@@ -484,39 +489,35 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
*sname = '\0'; *sname = '\0';
sname = sbuf; sname = sbuf;
/* if (strcmp(rname, rbuf) != 0) {
* Find the first . in the target name, and make it the end of return (false);
* the string. The rest of the name has to match the realm.
*/
if (name != NULL) {
nname = strchr(nbuf, '.');
if (nname == NULL) {
return (false);
}
*nname++ = '\0';
} }
/* /*
* Now, we do a simple comparison between the name and the realm. * Now, we check that the realm matches (case sensitive) and that
* 'name' matches against 'machinename' qualified with 'realm'.
*/ */
if (name != NULL) { if (name != NULL) {
if ((strcasecmp(sname, nbuf) == 0) dns_fixedname_t fixed;
&& (strcmp(rname, rbuf) == 0) dns_name_t *machine;
&& (strcasecmp(nname, rbuf) == 0)) {
return (true); machine = dns_fixedname_initname(&fixed);
result = dns_name_fromstring2(machine, sbuf, realm, 0, NULL);
if (result != ISC_R_SUCCESS) {
return (false);
} }
} else { if (subdomain) {
if (strcmp(rname, rbuf) == 0) { return (dns_name_issubdomain(name, machine));
return (true);
} }
return (dns_name_equal(name, machine));
} }
return (true);
return (false);
#else #else
UNUSED(signer); UNUSED(signer);
UNUSED(name); UNUSED(name);
UNUSED(realm); UNUSED(realm);
UNUSED(subdomain);
return (false); return (false);
#endif #endif
} }
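Review bot: dst_gssapi_identitymatchesrealmms now matches more principals than it did: the removed code split nbuf at its first `.` and compared only that first label against sname, so a machine part containing a dot could never match, whereas `dns_name_fromstring2(machine, sbuf, realm, 0, NULL)` parses a multi-label machine part and (with `subdomain` set) grants everything beneath it. That is presumably the intent, but since this function gates update authorization it should carry a comment saying that the machine part may be multi-label, and a test with such a principal. Separately, the comment `Now, we check that the realm matches (case sensitive) and that 'name' matches against 'machinename' qualified with 'realm'.` sits below the realm comparison that this commit moved up into the `if (strcmp(rname, rbuf) != 0)` guard; it should read `Check that 'name' matches against 'machinename' qualified with 'realm' (the realm itself was already compared, case sensitively, above).` The krb5 variant's new comment is accurate. Both functions begin before their first hunk and the hunks cut through their bodies.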
...@@ -39,9 +39,11 @@ typedef enum { ...@@ -39,9 +39,11 @@ typedef enum {
dns_ssumatchtype_6to4self = 11, dns_ssumatchtype_6to4self = 11,
dns_ssumatchtype_external = 12, dns_ssumatchtype_external = 12,
dns_ssumatchtype_local = 13, dns_ssumatchtype_local = 13,
dns_ssumatchtype_max = 13, /* max value */ dns_ssumatchtype_selfsubms = 14,
dns_ssumatchtype_selfsubkrb5 = 15,
dns_ssumatchtype_max = 15, /* max value */
dns_ssumatchtype_dlz = 14 /* intentionally higher than _max */ dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */
} dns_ssumatchtype_t; } dns_ssumatchtype_t;
isc_result_t isc_result_t
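Review bot: Inserting `dns_ssumatchtype_selfsubms = 14` and `dns_ssumatchtype_selfsubkrb5 = 15` ahead of dns_ssumatchtype_dlz renumbers dlz from 14 to 16, which keeps it above the new `_max` of 15 as its comment requires. Because dns_ssumatchtype_t is declared in a public header, anything compiled against the previous values (out-of-tree code or a DLZ module that inspects the match type) would now read 14 as a different type; if that boundary is meant to be stable it deserves a note, e.g. `/* intentionally higher than _max; shifts when types are added */`. Raising `_max` also means every range check of the form `matchtype <= dns_ssumatchtype_max` now admits the two new values, so each switch over this enum needs a case for them (checkrules, check-conf and the namedconf table are updated in this commit; other sites are not visible here).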
...@@ -189,7 +189,8 @@ gss_error_tostring(uint32_t major, uint32_t minor, ...@@ -189,7 +189,8 @@ gss_error_tostring(uint32_t major, uint32_t minor,
bool bool
dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
const dns_name_t *name, const dns_name_t *name,
const dns_name_t *realm); const dns_name_t *realm,
bool subdomain);
/* /*
* Compare a "signer" (in the format of a Kerberos-format Kerberos5 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
* principal: host/example.com@EXAMPLE.COM) to the realm name stored * principal: host/example.com@EXAMPLE.COM) to the realm name stored
...@@ -200,7 +201,8 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, ...@@ -200,7 +201,8 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
bool bool
dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
const dns_name_t *name, const dns_name_t *name,
const dns_name_t *realm); const dns_name_t *realm,
bool subdomain);
/* /*
* Compare a "signer" (in the format of a Kerberos-format Kerberos5 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
* principal: host/example.com@EXAMPLE.COM) to the realm name stored * principal: host/example.com@EXAMPLE.COM) to the realm name stored
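Review bot: Both prototypes gain a `bool subdomain` parameter, but the comment blocks beneath them (`Compare a "signer" ... to the realm name stored ...`) are untouched and never say what the flag does. As these functions decide whether a dynamic update is authorised, the contract shown in the gssapictx.c hunks should be written down here: `subdomain` switches the comparison of 'name' against the machine name derived from 'signer' from dns_name_equal() to dns_name_issubdomain(), the realm part is always compared with strcmp() (case sensitive), and 'name' may be NULL to check the realm alone. Suggested line for each block: ` * If 'subdomain' is true, 'name' may be any subdomain of the machine name derived from 'signer'; otherwise it must be equal to it. The realm must match 'realm' exactly (case sensitive).` The remainder of each comment block lies outside the hunk.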
...@@ -388,6 +388,8 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, ...@@ -388,6 +388,8 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
break; break;
case dns_ssumatchtype_selfkrb5: case dns_ssumatchtype_selfkrb5:
case dns_ssumatchtype_selfms: case dns_ssumatchtype_selfms:
case dns_ssumatchtype_selfsubkrb5:
case dns_ssumatchtype_selfsubms:
case dns_ssumatchtype_subdomainkrb5: case dns_ssumatchtype_subdomainkrb5:
case dns_ssumatchtype_subdomainms: case dns_ssumatchtype_subdomainms:
if (signer == NULL) if (signer == NULL)
...@@ -457,29 +459,55 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, ...@@ -457,29 +459,55 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
continue; continue;
break; break;
case dns_ssumatchtype_selfkrb5: case dns_ssumatchtype_selfkrb5:
if (!dst_gssapi_identitymatchesrealmkrb5(signer, name, if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
rule->identity)) rule->identity,
continue; false))
break; {
break;
}
continue;
case dns_ssumatchtype_selfms: case dns_ssumatchtype_selfms:
if (!dst_gssapi_identitymatchesrealmms(signer, name, if (dst_gssapi_identitymatchesrealmms(signer, name,
rule->identity)) rule->identity,
continue; false))
break; {
break;
}
continue;
case dns_ssumatchtype_selfsubkrb5:
if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
rule->identity,
true))
{
break;
}
continue;
case dns_ssumatchtype_selfsubms:
if (dst_gssapi_identitymatchesrealmms(signer, name,
rule->identity,
true))
break;
continue;
case dns_ssumatchtype_subdomainkrb5: case dns_ssumatchtype_subdomainkrb5:
if (!dns_name_issubdomain(name, rule->name)) if (!dns_name_issubdomain(name, rule->name))
continue; continue;
if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL, if (dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
rule->identity)) rule->identity,
continue; false))
break; {
break;
}
continue;
case dns_ssumatchtype_subdomainms: case dns_ssumatchtype_subdomainms:
if (!dns_name_issubdomain(name, rule->name)) if (!dns_name_issubdomain(name, rule->name))
continue; continue;
if (!dst_gssapi_identitymatchesrealmms(signer, NULL, if (dst_gssapi_identitymatchesrealmms(signer, NULL,
rule->identity)) rule->identity,
continue; false))
break; {
break;
}
continue;
case dns_ssumatchtype_tcpself: case dns_ssumatchtype_tcpself:
tcpself = dns_fixedname_initname(&fixed); tcpself = dns_fixedname_initname(&fixed);
reverse_from_address(tcpself, addr); reverse_from_address(tcpself, addr);
...@@ -652,8 +680,12 @@ dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) { ...@@ -652,8 +680,12 @@ dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
*mtype = dns_ssumatchtype_selfwild; *mtype = dns_ssumatchtype_selfwild;
} else if (strcasecmp(str, "ms-self") == 0) { } else if (strcasecmp(str, "ms-self") == 0) {
*mtype = dns_ssumatchtype_selfms; *mtype = dns_ssumatchtype_selfms;
} else if (strcasecmp(str, "ms-selfsub") == 0) {
*mtype = dns_ssumatchtype_selfsubms;
} else if (strcasecmp(str, "krb5-self") == 0) { } else if (strcasecmp(str, "krb5-self") == 0) {
*mtype = dns_ssumatchtype_selfkrb5; *mtype = dns_ssumatchtype_selfkrb5;
} else if (strcasecmp(str, "krb5-selfsub") == 0) {
*mtype = dns_ssumatchtype_selfsubkrb5;
} else if (strcasecmp(str, "ms-subdomain") == 0) { } else if (strcasecmp(str, "ms-subdomain") == 0) {
*mtype = dns_ssumatchtype_subdomainms; *mtype = dns_ssumatchtype_subdomainms;
} else if (strcasecmp(str, "krb5-subdomain") == 0) { } else if (strcasecmp(str, "krb5-subdomain") == 0) {
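Review bot: The new `dns_ssumatchtype_selfsubms` case in dns_ssutable_checkrules is the only one in this switch whose `break` is unbraced (`if (dst_gssapi_identitymatchesrealmms(...)) break; continue;`), while the neighbouring selfkrb5, selfms, selfsubkrb5, subdomainkrb5 and subdomainms cases were all rewritten in this same commit to the braced form; it should use `{`, `break;`, `}` on their own lines like `dns_ssumatchtype_selfsubkrb5` directly above it. The inverted match-then-break, otherwise-continue shape is consistent across the rest of the hunk and reads fine. In dns_ssu_mtypefromstring the two new names are parsed, but if there is a reverse type-to-string mapping or another table that lists these names (not part of this diff), it will need the same two entries so that the 16 values the documentation now advertises stay in sync. dns_ssutable_checkrules begins and ends outside the hunks shown.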
...@@ -323,9 +323,10 @@ doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) { ...@@ -323,9 +323,10 @@ doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
} }
static const char *matchtype_enums[] = { static const char *matchtype_enums[] = {
"6to4-self", "external", "krb5-self", "krb5-subdomain", "ms-self", "6to4-self", "external", "krb5-self", "krb5-selfsub",
"ms-subdomain", "name", "self", "selfsub", "selfwild", "subdomain", "krb5-subdomain", "ms-self", "ms-selfsub", "ms-subdomain",
"tcp-self", "wildcard", "zonesub", NULL "name", "self", "selfsub", "selfwild", "subdomain", "tcp-self",
"wildcard", "zonesub", NULL
}; };
static cfg_type_t cfg_type_matchtype = { static cfg_type_t cfg_type_matchtype = {