#include <config.h>
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/dlz.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/ssu.h>
#include <dst/gssapi.h>
#include <dst/dst.h>
Data Structures | |
struct | dns_ssurule |
struct | dns_ssutable |
Defines | |
#define | SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T') |
#define | VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC) |
#define | SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R') |
#define | VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC) |
Functions | |
isc_result_t | dns_ssutable_create (isc_mem_t *mctx, dns_ssutable_t **tablep) |
Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client. | |
static void | destroy (dns_ssutable_t *table) |
void | dns_ssutable_attach (dns_ssutable_t *source, dns_ssutable_t **targetp) |
Attach '*targetp' to 'source'. | |
void | dns_ssutable_detach (dns_ssutable_t **tablep) |
Detach '*tablep' from its simple-secure-update rule table. | |
isc_result_t | dns_ssutable_addrule (dns_ssutable_t *table, isc_boolean_t grant, dns_name_t *identity, unsigned int matchtype, dns_name_t *name, unsigned int ntypes, dns_rdatatype_t *types) |
Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name. | |
static isc_boolean_t | isusertype (dns_rdatatype_t type) |
static void | reverse_from_address (dns_name_t *tcpself, isc_netaddr_t *tcpaddr) |
static void | stf_from_address (dns_name_t *stfself, isc_netaddr_t *tcpaddr) |
isc_boolean_t | dns_ssutable_checkrules (dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key) |
Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied. | |
isc_boolean_t | dns_ssurule_isgrant (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
dns_name_t * | dns_ssurule_identity (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
unsigned int | dns_ssurule_matchtype (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
dns_name_t * | dns_ssurule_name (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
unsigned int | dns_ssurule_types (const dns_ssurule_t *rule, dns_rdatatype_t **types) |
Accessor functions to extract rule components. | |
isc_result_t | dns_ssutable_firstrule (const dns_ssutable_t *table, dns_ssurule_t **rule) |
Initiates a rule iterator. There is no need to maintain any state. | |
isc_result_t | dns_ssutable_nextrule (dns_ssurule_t *rule, dns_ssurule_t **nextrule) |
Returns the next rule in the table. | |
isc_result_t | dns_ssutable_createdlz (isc_mem_t *mctx, dns_ssutable_t **tablep, dns_dlzdb_t *dlzdatabase) |
Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver. |
Definition in file ssu.c.
#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T') |
#define VALID_SSUTABLE | ( | table | ) | ISC_MAGIC_VALID(table, SSUTABLEMAGIC) |
Definition at line 42 of file ssu.c.
Referenced by destroy(), dns_ssutable_addrule(), dns_ssutable_attach(), dns_ssutable_checkrules(), dns_ssutable_detach(), and dns_ssutable_firstrule().
#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R') |
Definition at line 44 of file ssu.c.
Referenced by dns_ssutable_addrule(), and dns_ssutable_createdlz().
#define VALID_SSURULE | ( | table | ) | ISC_MAGIC_VALID(table, SSURULEMAGIC) |
Definition at line 45 of file ssu.c.
Referenced by dns_ssurule_identity(), dns_ssurule_isgrant(), dns_ssurule_matchtype(), dns_ssurule_name(), dns_ssurule_types(), and dns_ssutable_nextrule().
isc_result_t dns_ssutable_create | ( | isc_mem_t * | mctx, | |
dns_ssutable_t ** | table | |||
) |
Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.
Requires:
Definition at line 69 of file ssu.c.
References ISC_LIST_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssutable::lock, dns_ssutable::magic, dns_ssutable::mctx, dns_ssutable::references, REQUIRE, and SSUTABLEMAGIC.
Referenced by configure_zone_ssutable(), and dns_ssutable_createdlz().
static void destroy | ( | dns_ssutable_t * | table | ) | [inline, static] |
Definition at line 94 of file ssu.c.
References DESTROYLOCK, dns_name_free(), dns_ssurule::identity, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_UNLINK, isc_mem_put, isc_mem_putanddetach, dns_ssutable::lock, dns_ssutable::magic, dns_ssurule::magic, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSUTABLE.
void dns_ssutable_attach | ( | dns_ssutable_t * | source, | |
dns_ssutable_t ** | targetp | |||
) |
Attach '*targetp' to 'source'.
Requires:
Definition at line 123 of file ssu.c.
References INSIST, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.
Referenced by dns_zone_getssutable(), and dns_zone_setssutable().
void dns_ssutable_detach | ( | dns_ssutable_t ** | tablep | ) |
Detach '*tablep' from its simple-secure-update rule table.
Requires:
Definition at line 139 of file ssu.c.
References destroy(), INSIST, ISC_FALSE, ISC_TRUE, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.
Referenced by configure_zone_ssutable(), dns_dlzdestroy(), dns_ssutable_createdlz(), dns_zone_setssutable(), update_action(), and zone_free().
isc_result_t dns_ssutable_addrule | ( | dns_ssutable_t * | table, | |
isc_boolean_t | grant, | |||
dns_name_t * | identity, | |||
unsigned int | matchtype, | |||
dns_name_t * | name, | |||
unsigned int | ntypes, | |||
dns_rdatatype_t * | types | |||
) |
Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.
Notes:
Definition at line 161 of file ssu.c.
References dns_name_dup(), dns_name_dynamic(), dns_name_free(), dns_name_init(), dns_name_isabsolute(), dns_name_iswildcard(), DNS_SSUMATCHTYPE_MAX, DNS_SSUMATCHTYPE_WILDCARD, dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, dns_ssurule::types, and VALID_SSUTABLE.
Referenced by configure_zone_ssutable().
static isc_boolean_t isusertype | ( | dns_rdatatype_t | type | ) | [inline, static] |
static void reverse_from_address | ( | dns_name_t * | tcpself, | |
isc_netaddr_t * | tcpaddr | |||
) | [static] |
Definition at line 256 of file ssu.c.
References AF_INET6, dns_name_fromtext(), dns_rootname, isc_netaddr::family, isc_netaddr::in, isc_netaddr::in6, INSIST, isc_buffer_add, isc_buffer_init, ISC_R_SUCCESS, isc_string_printf(), RUNTIME_CHECK, and isc_netaddr::type.
Referenced by dns_ssutable_checkrules().
static void stf_from_address | ( | dns_name_t * | stfself, | |
isc_netaddr_t * | tcpaddr | |||
) | [static] |
Definition at line 308 of file ssu.c.
References AF_INET6, dns_name_fromtext(), dns_rootname, isc_netaddr::family, isc_netaddr::in, isc_netaddr::in6, INSIST, isc_buffer_add, isc_buffer_init, ISC_R_SUCCESS, isc_string_printf(), RUNTIME_CHECK, and isc_netaddr::type.
Referenced by dns_ssutable_checkrules().
isc_boolean_t dns_ssutable_checkrules | ( | dns_ssutable_t * | table, | |
dns_name_t * | signer, | |||
dns_name_t * | name, | |||
isc_netaddr_t * | tcpaddr, | |||
dns_rdatatype_t | type, | |||
const dst_key_t * | key | |||
) |
Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied.
Notes: 'tcpaddr' should only be set if the request was received via TCP. This provides a weak assurance that the request was not spoofed. 'tcpaddr' is used to validate DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF rules.
For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, Section 2.5, "IP6.ARPA Domain".
For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only the top 48 bits of the IPv6 address are mapped to the reverse name. This is independent of whether the most significant 16 bits match 2002::/16, the prefix assigned for 6to4, or not.
Requires:
Definition at line 350 of file ssu.c.
References dns_ssutable::dlzdatabase, dns_dlz_ssumatch(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_equal(), dns_name_isabsolute(), dns_name_issubdomain(), dns_name_iswildcard(), dns_name_matcheswildcard(), dns_ssu_external_match(), DNS_SSUMATCHTYPE_6TO4SELF, DNS_SSUMATCHTYPE_DLZ, DNS_SSUMATCHTYPE_EXTERNAL, DNS_SSUMATCHTYPE_NAME, DNS_SSUMATCHTYPE_SELF, DNS_SSUMATCHTYPE_SELFKRB5, DNS_SSUMATCHTYPE_SELFMS, DNS_SSUMATCHTYPE_SELFSUB, DNS_SSUMATCHTYPE_SELFWILD, DNS_SSUMATCHTYPE_SUBDOMAIN, DNS_SSUMATCHTYPE_SUBDOMAINKRB5, DNS_SSUMATCHTYPE_SUBDOMAINMS, DNS_SSUMATCHTYPE_TCPSELF, DNS_SSUMATCHTYPE_WILDCARD, dns_wildcardname, dst_gssapi_identitymatchesrealmkrb5(), dst_gssapi_identitymatchesrealmms(), fixed, dns_ssurule::grant, dns_ssurule::identity, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, isusertype(), dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, reverse_from_address(), stf_from_address(), dns_ssurule::types, and VALID_SSUTABLE.
Referenced by ssu_checkrule(), and update_action().
isc_boolean_t dns_ssurule_isgrant | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 529 of file ssu.c.
References dns_ssurule::grant, REQUIRE, and VALID_SSURULE.
dns_name_t* dns_ssurule_identity | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 535 of file ssu.c.
References dns_ssurule::identity, REQUIRE, and VALID_SSURULE.
unsigned int dns_ssurule_matchtype | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 541 of file ssu.c.
References dns_ssurule::matchtype, REQUIRE, and VALID_SSURULE.
dns_name_t* dns_ssurule_name | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 547 of file ssu.c.
References dns_ssurule::name, REQUIRE, and VALID_SSURULE.
unsigned int dns_ssurule_types | ( | const dns_ssurule_t * | rule, | |
dns_rdatatype_t ** | types | |||
) |
Accessor functions to extract rule components.
Definition at line 553 of file ssu.c.
References dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSURULE.
isc_result_t dns_ssutable_firstrule | ( | const dns_ssutable_t * | table, | |
dns_ssurule_t ** | rule | |||
) |
Initiates a rule iterator. There is no need to maintain any state.
Returns:
Definition at line 561 of file ssu.c.
References ISC_LIST_HEAD, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSUTABLE.
isc_result_t dns_ssutable_nextrule | ( | dns_ssurule_t * | rule, | |
dns_ssurule_t ** | nextrule | |||
) |
Returns the next rule in the table.
Returns:
Definition at line 569 of file ssu.c.
References ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSURULE.
isc_result_t dns_ssutable_createdlz | ( | isc_mem_t * | mctx, | |
dns_ssutable_t ** | tablep, | |||
dns_dlzdb_t * | dlzdatabase | |||
) |
Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.
Definition at line 580 of file ssu.c.
References dns_ssutable::dlzdatabase, DNS_SSUMATCHTYPE_DLZ, dns_ssutable_create(), dns_ssutable_detach(), dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, and dns_ssurule::types.
Referenced by dns_dlz_writeablezone().