#include <isc/lang.h>
#include <dns/types.h>
#include <dst/dst.h>
Defines | |
#define | DNS_SSU_H 1 |
#define | DNS_SSUMATCHTYPE_NAME 0 |
#define | DNS_SSUMATCHTYPE_SUBDOMAIN 1 |
#define | DNS_SSUMATCHTYPE_WILDCARD 2 |
#define | DNS_SSUMATCHTYPE_SELF 3 |
#define | DNS_SSUMATCHTYPE_SELFSUB 4 |
#define | DNS_SSUMATCHTYPE_SELFWILD 5 |
#define | DNS_SSUMATCHTYPE_SELFKRB5 6 |
#define | DNS_SSUMATCHTYPE_SELFMS 7 |
#define | DNS_SSUMATCHTYPE_SUBDOMAINMS 8 |
#define | DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9 |
#define | DNS_SSUMATCHTYPE_TCPSELF 10 |
#define | DNS_SSUMATCHTYPE_6TO4SELF 11 |
#define | DNS_SSUMATCHTYPE_EXTERNAL 12 |
#define | DNS_SSUMATCHTYPE_DLZ 13 |
#define | DNS_SSUMATCHTYPE_MAX 12 |
Functions | |
isc_result_t | dns_ssutable_create (isc_mem_t *mctx, dns_ssutable_t **table) |
Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client. | |
isc_result_t | dns_ssutable_createdlz (isc_mem_t *mctx, dns_ssutable_t **tablep, dns_dlzdb_t *dlzdatabase) |
Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver. | |
void | dns_ssutable_attach (dns_ssutable_t *source, dns_ssutable_t **targetp) |
Attach '*targetp' to 'source'. | |
void | dns_ssutable_detach (dns_ssutable_t **tablep) |
Detach '*tablep' from its simple-secure-update rule table. | |
isc_result_t | dns_ssutable_addrule (dns_ssutable_t *table, isc_boolean_t grant, dns_name_t *identity, unsigned int matchtype, dns_name_t *name, unsigned int ntypes, dns_rdatatype_t *types) |
Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name. | |
isc_boolean_t | dns_ssutable_checkrules (dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key) |
Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied. | |
isc_boolean_t | dns_ssurule_isgrant (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
dns_name_t * | dns_ssurule_identity (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
unsigned int | dns_ssurule_matchtype (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
dns_name_t * | dns_ssurule_name (const dns_ssurule_t *rule) |
Accessor functions to extract rule components. | |
unsigned int | dns_ssurule_types (const dns_ssurule_t *rule, dns_rdatatype_t **types) |
Accessor functions to extract rule components. | |
isc_result_t | dns_ssutable_firstrule (const dns_ssutable_t *table, dns_ssurule_t **rule) |
Initiates a rule iterator. There is no need to maintain any state. | |
isc_result_t | dns_ssutable_nextrule (dns_ssurule_t *rule, dns_ssurule_t **nextrule) |
Returns the next rule in the table. | |
isc_boolean_t | dns_ssu_external_match (dns_name_t *identity, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key, isc_mem_t *mctx) |
Definition in file ssu.h.
#define DNS_SSUMATCHTYPE_NAME 0 |
Definition at line 32 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SUBDOMAIN 1 |
Definition at line 33 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_WILDCARD 2 |
Definition at line 34 of file ssu.h.
Referenced by configure_zone_ssutable(), dns_ssutable_addrule(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SELF 3 |
Definition at line 35 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SELFSUB 4 |
Definition at line 36 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SELFWILD 5 |
Definition at line 37 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SELFKRB5 6 |
Definition at line 38 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SELFMS 7 |
Definition at line 39 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SUBDOMAINMS 8 |
Definition at line 40 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9 |
Definition at line 41 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_TCPSELF 10 |
Definition at line 42 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_6TO4SELF 11 |
Definition at line 43 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_EXTERNAL 12 |
Definition at line 44 of file ssu.h.
Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().
#define DNS_SSUMATCHTYPE_DLZ 13 |
Definition at line 45 of file ssu.h.
Referenced by dns_ssutable_checkrules(), and dns_ssutable_createdlz().
#define DNS_SSUMATCHTYPE_MAX 12 |
isc_result_t dns_ssutable_create | ( | isc_mem_t * | mctx, | |
dns_ssutable_t ** | table | |||
) |
Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.
Requires:
Definition at line 69 of file ssu.c.
References ISC_LIST_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssutable::lock, dns_ssutable::magic, dns_ssutable::mctx, dns_ssutable::references, REQUIRE, and SSUTABLEMAGIC.
Referenced by configure_zone_ssutable(), and dns_ssutable_createdlz().
isc_result_t dns_ssutable_createdlz | ( | isc_mem_t * | mctx, | |
dns_ssutable_t ** | tablep, | |||
dns_dlzdb_t * | dlzdatabase | |||
) |
Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.
Definition at line 580 of file ssu.c.
References dns_ssutable::dlzdatabase, DNS_SSUMATCHTYPE_DLZ, dns_ssutable_create(), dns_ssutable_detach(), dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, and dns_ssurule::types.
Referenced by dns_dlz_writeablezone().
void dns_ssutable_attach | ( | dns_ssutable_t * | source, | |
dns_ssutable_t ** | targetp | |||
) |
Attach '*targetp' to 'source'.
Requires:
Definition at line 123 of file ssu.c.
References INSIST, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.
Referenced by dns_zone_getssutable(), and dns_zone_setssutable().
void dns_ssutable_detach | ( | dns_ssutable_t ** | tablep | ) |
Detach '*tablep' from its simple-secure-update rule table.
Requires:
Definition at line 139 of file ssu.c.
References destroy(), INSIST, ISC_FALSE, ISC_TRUE, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.
Referenced by configure_zone_ssutable(), dns_dlzdestroy(), dns_ssutable_createdlz(), dns_zone_setssutable(), update_action(), and zone_free().
isc_result_t dns_ssutable_addrule | ( | dns_ssutable_t * | table, | |
isc_boolean_t | grant, | |||
dns_name_t * | identity, | |||
unsigned int | matchtype, | |||
dns_name_t * | name, | |||
unsigned int | ntypes, | |||
dns_rdatatype_t * | types | |||
) |
Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.
Notes:
Definition at line 161 of file ssu.c.
References dns_name_dup(), dns_name_dynamic(), dns_name_free(), dns_name_init(), dns_name_isabsolute(), dns_name_iswildcard(), DNS_SSUMATCHTYPE_MAX, DNS_SSUMATCHTYPE_WILDCARD, dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, dns_ssurule::types, and VALID_SSUTABLE.
Referenced by configure_zone_ssutable().
isc_boolean_t dns_ssutable_checkrules | ( | dns_ssutable_t * | table, | |
dns_name_t * | signer, | |||
dns_name_t * | name, | |||
isc_netaddr_t * | tcpaddr, | |||
dns_rdatatype_t | type, | |||
const dst_key_t * | key | |||
) |
Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied.
Notes: 'tcpaddr' should only be set if the request was received via TCP. This provides a weak assurance that the request was not spoofed. 'tcpaddr' is used to validate DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF rules.
For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, Section 2.5, "IP6.ARPA Domain".
For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only the top 48 bits of the IPv6 address are mapped to the reverse name. This is independent of whether or not the most significant 16 bits match 2002::/16, the prefix assigned for 6to4.
Requires:
Definition at line 350 of file ssu.c.
References dns_ssutable::dlzdatabase, dns_dlz_ssumatch(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_equal(), dns_name_isabsolute(), dns_name_issubdomain(), dns_name_iswildcard(), dns_name_matcheswildcard(), dns_ssu_external_match(), DNS_SSUMATCHTYPE_6TO4SELF, DNS_SSUMATCHTYPE_DLZ, DNS_SSUMATCHTYPE_EXTERNAL, DNS_SSUMATCHTYPE_NAME, DNS_SSUMATCHTYPE_SELF, DNS_SSUMATCHTYPE_SELFKRB5, DNS_SSUMATCHTYPE_SELFMS, DNS_SSUMATCHTYPE_SELFSUB, DNS_SSUMATCHTYPE_SELFWILD, DNS_SSUMATCHTYPE_SUBDOMAIN, DNS_SSUMATCHTYPE_SUBDOMAINKRB5, DNS_SSUMATCHTYPE_SUBDOMAINMS, DNS_SSUMATCHTYPE_TCPSELF, DNS_SSUMATCHTYPE_WILDCARD, dns_wildcardname, dst_gssapi_identitymatchesrealmkrb5(), dst_gssapi_identitymatchesrealmms(), fixed, dns_ssurule::grant, dns_ssurule::identity, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, isusertype(), dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, reverse_from_address(), stf_from_address(), dns_ssurule::types, and VALID_SSUTABLE.
Referenced by ssu_checkrule(), and update_action().
isc_boolean_t dns_ssurule_isgrant | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 529 of file ssu.c.
References dns_ssurule::grant, REQUIRE, and VALID_SSURULE.
dns_name_t* dns_ssurule_identity | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 535 of file ssu.c.
References dns_ssurule::identity, REQUIRE, and VALID_SSURULE.
unsigned int dns_ssurule_matchtype | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 541 of file ssu.c.
References dns_ssurule::matchtype, REQUIRE, and VALID_SSURULE.
dns_name_t* dns_ssurule_name | ( | const dns_ssurule_t * | rule | ) |
Accessor functions to extract rule components.
Definition at line 547 of file ssu.c.
References dns_ssurule::name, REQUIRE, and VALID_SSURULE.
unsigned int dns_ssurule_types | ( | const dns_ssurule_t * | rule, | |
dns_rdatatype_t ** | types | |||
) |
Accessor functions to extract rule components.
Definition at line 553 of file ssu.c.
References dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSURULE.
isc_result_t dns_ssutable_firstrule | ( | const dns_ssutable_t * | table, | |
dns_ssurule_t ** | rule | |||
) |
Initiates a rule iterator. There is no need to maintain any state.
Returns:
Definition at line 561 of file ssu.c.
References ISC_LIST_HEAD, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSUTABLE.
isc_result_t dns_ssutable_nextrule | ( | dns_ssurule_t * | rule, | |
dns_ssurule_t ** | nextrule | |||
) |
Returns the next rule in the table.
Returns:
Definition at line 569 of file ssu.c.
References ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSURULE.
isc_boolean_t dns_ssu_external_match | ( | dns_name_t * | identity, | |
dns_name_t * | signer, | |||
dns_name_t * | name, | |||
isc_netaddr_t * | tcpaddr, | |||
dns_rdatatype_t | type, | |||
const dst_key_t * | key, | |||
isc_mem_t * | mctx | |||
) |
Definition at line 120 of file ssu_external.c.
References isc_region::base, dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdatatype_format(), DNS_RDATATYPE_FORMATSIZE, dst_key_format(), DST_KEY_FORMATSIZE, dst_key_tkeytoken(), ENSURE, isc__strerror(), isc_buffer_availablelength, isc_buffer_init, isc_buffer_putmem, isc_buffer_putstr, isc_buffer_putuint32, isc_buffer_putuint8, isc_buffer_region, ISC_FALSE, isc_mem_allocate, isc_mem_free, isc_netaddr_format(), ISC_NETADDR_FORMATSIZE, ISC_STRERRORSIZE, ISC_TRUE, isc_region::length, ssu_e_log(), SSU_EXTERNAL_VERSION, and ux_socket_connect().
Referenced by dns_ssutable_checkrules().