/*
 * Copyright (C) 2004-2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp $ */

#ifndef DNS_SSU_H
#define DNS_SSU_H 1

/*! \file dns/ssu.h
 * \brief Simple-secure-update (SSU) rule tables.
 *
 * An SSU table holds an ordered set of grant/deny rules that decide
 * whether a given signing identity may update a given (name, type).
 * The table itself provides no locking; callers must serialize access
 * (see dns_ssutable_create()).
 */

#include <isc/lang.h>

#include <dns/types.h>
#include <dst/dst.h>

ISC_LANG_BEGINDECLS

/*
 * Rule match types, passed as 'matchtype' to dns_ssutable_addrule()
 * and returned by dns_ssurule_matchtype().
 */
#define DNS_SSUMATCHTYPE_NAME		0
#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
#define DNS_SSUMATCHTYPE_WILDCARD	2
#define DNS_SSUMATCHTYPE_SELF		3
#define DNS_SSUMATCHTYPE_SELFSUB	4
#define DNS_SSUMATCHTYPE_SELFWILD	5
#define DNS_SSUMATCHTYPE_SELFKRB5	6
#define DNS_SSUMATCHTYPE_SELFMS		7
#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
#define DNS_SSUMATCHTYPE_TCPSELF	10
#define DNS_SSUMATCHTYPE_6TO4SELF	11
#define DNS_SSUMATCHTYPE_EXTERNAL	12
#define DNS_SSUMATCHTYPE_DLZ		13
/*
 * NOTE(review): DNS_SSUMATCHTYPE_DLZ (13) lies above DNS_SSUMATCHTYPE_MAX
 * (12).  Presumably MAX bounds the match types that may be supplied by a
 * caller (dns_ssutable_addrule() requires 'matchtype' to be one of the
 * defined constants) while DLZ is only assigned internally by
 * dns_ssutable_createdlz() -- confirm in the validating code before
 * treating MAX as the upper bound of all valid match types.
 */
#define DNS_SSUMATCHTYPE_MAX		12 /* max value */

isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
/*%<
 * Creates a table that will be used to store simple-secure-update rules.
 * Note: all locking must be provided by the client.
 *
 * Requires:
 *\li	'mctx' is a valid memory context
 *\li	'table' is not NULL, and '*table' is NULL
 *
 * Returns:
 *\li	ISC_R_SUCCESS
 *\li	ISC_R_NOMEMORY
 */

isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
		       dns_dlzdb_t *dlzdatabase);
/*%<
 * Create an SSU table that contains a dlzdatabase pointer, and a
 * single rule with matchtype DNS_SSUMATCHTYPE_DLZ.  This type of SSU
 * table is used by writeable DLZ drivers to offload authorization for
 * updates to the driver.
 *
 * NOTE(review): the contract for 'tablep' and the return values is not
 * stated here; presumably it mirrors dns_ssutable_create() -- confirm
 * against the implementation.
 */

void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
/*%<
 * Attach '*targetp' to 'source'.
 *
 * Requires:
 *\li	'source' is a valid SSU table
 *\li	'targetp' points to a NULL dns_ssutable_t *.
 *
 * Ensures:
 *\li	*targetp is attached to source.
 */

void
dns_ssutable_detach(dns_ssutable_t **tablep);
/*%<
 * Detach '*tablep' from its simple-secure-update rule table.
 *
 * Requires:
 *\li	'tablep' points to a valid dns_ssutable_t
 *
 * Ensures:
 *\li	*tablep is NULL
 *\li	If '*tablep' is the last reference to the SSU table, all
 *	resources used by the table will be freed.
 */

isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
		     dns_name_t *identity, unsigned int matchtype,
		     dns_name_t *name, unsigned int ntypes,
		     dns_rdatatype_t *types);
/*%<
 * Adds a new rule to a simple-secure-update rule table.  The rule
 * either grants or denies update privileges of an identity (or set of
 * identities) to modify a name (or set of names) or certain types present
 * at that name.
 *
 * Notes:
 *\li	If 'matchtype' is of SELF type, this rule only matches if the
 *	name to be updated matches the signing identity.
 *
 *\li	If 'ntypes' is 0, this rule applies to all types except
 *	NS, SOA, RRSIG, and NSEC.
 *
 *\li	If 'types' includes ANY, this rule applies to all types
 *	except NSEC.
 *
 * Requires:
 *\li	'table' is a valid SSU table
 *\li	'identity' is a valid absolute name
 *\li	'matchtype' must be one of the defined constants.
 *\li	'name' is a valid absolute name
 *\li	If 'ntypes' > 0, 'types' must not be NULL
 *
 * Returns:
 *\li	ISC_R_SUCCESS
 *\li	ISC_R_NOMEMORY
 */

isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
			dns_name_t *name, isc_netaddr_t *tcpaddr,
			dns_rdatatype_t type, const dst_key_t *key);
/*%<
 * Checks that the attempted update of (name, type) is allowed according
 * to the rules specified in the simple-secure-update rule table.  If
 * no rules are matched, access is denied (the table is default-deny).
 *
 * Notes:
 *	'tcpaddr' should only be set if the request was received
 *	via TCP.  This provides a weak assurance that the
 *	request was not spoofed.  'tcpaddr' is used to validate
 *	DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
 *	rules.
 *
 *	For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
 *	the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
 *	RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
 *	Section 2.5, "IP6.ARPA Domain".
 *
 *	For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted
 *	to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
 *	the top 48 bits of the IPv6 address are mapped to the reverse
 *	name.  This is independent of whether the most significant 16
 *	bits match 2002::/16, assigned for 6to4 prefixes, or not.
 *
 * Requires:
 *\li	'table' is a valid SSU table
 *\li	'signer' is NULL or a valid absolute name
 *\li	'tcpaddr' is NULL or a valid network address.
 *\li	'name' is a valid absolute name
 *
 * Returns:
 *\li	true if the update is permitted by a matching rule, false
 *	otherwise (including when no rule matches).
 */


/*% Accessor functions to extract rule components */
isc_boolean_t	dns_ssurule_isgrant(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
dns_name_t *	dns_ssurule_identity(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
unsigned int	dns_ssurule_matchtype(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
dns_name_t *	dns_ssurule_name(const dns_ssurule_t *rule);
/*%
 * Accessor functions to extract rule components.
 * NOTE(review): presumably the return value is the number of types and
 * '*types' is set to the rule's type array -- verify against the
 * implementation; ownership of the array is not transferred here.
 */
unsigned int	dns_ssurule_types(const dns_ssurule_t *rule,
				  dns_rdatatype_t **types);

isc_result_t	dns_ssutable_firstrule(const dns_ssutable_t *table,
				       dns_ssurule_t **rule);
/*%<
 * Initiates a rule iterator.  There is no need to maintain any state.
 *
 * Returns:
 *\li	#ISC_R_SUCCESS
 *\li	#ISC_R_NOMORE
 */

isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
				      dns_ssurule_t **nextrule);
/*%<
 * Returns the next rule in the table.
 *
 * Returns:
 *\li	#ISC_R_SUCCESS
 *\li	#ISC_R_NOMORE
 */


/*%<
 * Check a policy rule via an external application.
 *
 * The parameters mirror those of dns_ssutable_checkrules() with the
 * rule's 'identity' supplied explicitly and an additional 'mctx'.
 * NOTE(review): how the external application is reached and what it is
 * trusted with is not documented here -- confirm in the implementation.
 */
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
		       dns_name_t *name, isc_netaddr_t *tcpaddr,
		       dns_rdatatype_t type, const dst_key_t *key,
		       isc_mem_t *mctx);

ISC_LANG_ENDDECLS

#endif /* DNS_SSU_H */