ssu.c File Reference

#include <config.h>
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/dlz.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/ssu.h>
#include <dst/gssapi.h>
#include <dst/dst.h>


Data Structures

struct  dns_ssurule
struct  dns_ssutable

Defines

#define SSUTABLEMAGIC   ISC_MAGIC('S', 'S', 'U', 'T')
#define VALID_SSUTABLE(table)   ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
#define SSURULEMAGIC   ISC_MAGIC('S', 'S', 'U', 'R')
#define VALID_SSURULE(table)   ISC_MAGIC_VALID(table, SSURULEMAGIC)

Functions

isc_result_t dns_ssutable_create (isc_mem_t *mctx, dns_ssutable_t **tablep)
 Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.
static void destroy (dns_ssutable_t *table)
void dns_ssutable_attach (dns_ssutable_t *source, dns_ssutable_t **targetp)
 Attach '*targetp' to 'source'.
void dns_ssutable_detach (dns_ssutable_t **tablep)
 Detach '*tablep' from its simple-secure-update rule table.
isc_result_t dns_ssutable_addrule (dns_ssutable_t *table, isc_boolean_t grant, dns_name_t *identity, unsigned int matchtype, dns_name_t *name, unsigned int ntypes, dns_rdatatype_t *types)
 Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.
static isc_boolean_t isusertype (dns_rdatatype_t type)
static void reverse_from_address (dns_name_t *tcpself, isc_netaddr_t *tcpaddr)
static void stf_from_address (dns_name_t *stfself, isc_netaddr_t *tcpaddr)
isc_boolean_t dns_ssutable_checkrules (dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key)
 Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rule matches, access is denied (default deny).
isc_boolean_t dns_ssurule_isgrant (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
dns_name_t *dns_ssurule_identity (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
unsigned int dns_ssurule_matchtype (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
dns_name_t *dns_ssurule_name (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
unsigned int dns_ssurule_types (const dns_ssurule_t *rule, dns_rdatatype_t **types)
 Accessor functions to extract rule components.
isc_result_t dns_ssutable_firstrule (const dns_ssutable_t *table, dns_ssurule_t **rule)
 Initiates a rule iterator. There is no need to maintain any state.
isc_result_t dns_ssutable_nextrule (dns_ssurule_t *rule, dns_ssurule_t **nextrule)
 Returns the next rule in the table.
isc_result_t dns_ssutable_createdlz (isc_mem_t *mctx, dns_ssutable_t **tablep, dns_dlzdb_t *dlzdatabase)
 Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.


Detailed Description

Definition in file ssu.c.


Define Documentation

#define SSUTABLEMAGIC   ISC_MAGIC('S', 'S', 'U', 'T')

Definition at line 41 of file ssu.c.

Referenced by dns_ssutable_create().

#define VALID_SSUTABLE ( table   )     ISC_MAGIC_VALID(table, SSUTABLEMAGIC)

Definition at line 42 of file ssu.c.

Referenced by destroy(), dns_ssutable_addrule(), dns_ssutable_attach(), dns_ssutable_checkrules(), dns_ssutable_detach(), and dns_ssutable_firstrule().

#define SSURULEMAGIC   ISC_MAGIC('S', 'S', 'U', 'R')

Definition at line 44 of file ssu.c.

Referenced by dns_ssutable_addrule(), and dns_ssutable_createdlz().

#define VALID_SSURULE ( table   )     ISC_MAGIC_VALID(table, SSURULEMAGIC)

Definition at line 45 of file ssu.c.

Referenced by dns_ssurule_identity(), dns_ssurule_isgrant(), dns_ssurule_matchtype(), dns_ssurule_name(), dns_ssurule_types(), and dns_ssutable_nextrule().


Function Documentation

isc_result_t dns_ssutable_create ( isc_mem_t *mctx,
dns_ssutable_t **  table 
)

Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.

Requires:

Returns:

Definition at line 69 of file ssu.c.

References ISC_LIST_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssutable::lock, dns_ssutable::magic, dns_ssutable::mctx, dns_ssutable::references, REQUIRE, and SSUTABLEMAGIC.

Referenced by configure_zone_ssutable(), and dns_ssutable_createdlz().

static void destroy ( dns_ssutable_t *table  )  [inline, static]

Definition at line 94 of file ssu.c.

References DESTROYLOCK, dns_name_free(), dns_ssurule::identity, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_UNLINK, isc_mem_put, isc_mem_putanddetach, dns_ssutable::lock, dns_ssutable::magic, dns_ssurule::magic, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSUTABLE.

void dns_ssutable_attach ( dns_ssutable_t *source,
dns_ssutable_t **  targetp 
)

Attach '*targetp' to 'source'.

Requires:

Ensures:

Definition at line 123 of file ssu.c.

References INSIST, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.

Referenced by dns_zone_getssutable(), and dns_zone_setssutable().

void dns_ssutable_detach ( dns_ssutable_t **  tablep  ) 

Detach '*tablep' from its simple-secure-update rule table.

Requires:

Ensures:

Definition at line 139 of file ssu.c.

References destroy(), INSIST, ISC_FALSE, ISC_TRUE, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.

Referenced by configure_zone_ssutable(), dns_dlzdestroy(), dns_ssutable_createdlz(), dns_zone_setssutable(), update_action(), and zone_free().

isc_result_t dns_ssutable_addrule ( dns_ssutable_t *table,
isc_boolean_t  grant,
dns_name_t *identity,
unsigned int  matchtype,
dns_name_t *name,
unsigned int  ntypes,
dns_rdatatype_t *types 
)

Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.

Notes:

Requires:

Returns:

Definition at line 161 of file ssu.c.

References dns_name_dup(), dns_name_dynamic(), dns_name_free(), dns_name_init(), dns_name_isabsolute(), dns_name_iswildcard(), DNS_SSUMATCHTYPE_MAX, DNS_SSUMATCHTYPE_WILDCARD, dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, dns_ssurule::types, and VALID_SSUTABLE.

Referenced by configure_zone_ssutable().

static isc_boolean_t isusertype ( dns_rdatatype_t  type  )  [inline, static]

Definition at line 249 of file ssu.c.

References ISC_TF.

Referenced by dns_ssutable_checkrules().

static void reverse_from_address ( dns_name_t *tcpself,
isc_netaddr_t *tcpaddr 
) [static]

Definition at line 256 of file ssu.c.

References AF_INET6, dns_name_fromtext(), dns_rootname, isc_netaddr::family, isc_netaddr::in, isc_netaddr::in6, INSIST, isc_buffer_add, isc_buffer_init, ISC_R_SUCCESS, isc_string_printf(), RUNTIME_CHECK, and isc_netaddr::type.

Referenced by dns_ssutable_checkrules().

static void stf_from_address ( dns_name_t *stfself,
isc_netaddr_t *tcpaddr 
) [static]

Definition at line 308 of file ssu.c.

References AF_INET6, dns_name_fromtext(), dns_rootname, isc_netaddr::family, isc_netaddr::in, isc_netaddr::in6, INSIST, isc_buffer_add, isc_buffer_init, ISC_R_SUCCESS, isc_string_printf(), RUNTIME_CHECK, and isc_netaddr::type.

Referenced by dns_ssutable_checkrules().

isc_boolean_t dns_ssutable_checkrules ( dns_ssutable_t *table,
dns_name_t *signer,
dns_name_t *name,
isc_netaddr_t *tcpaddr,
dns_rdatatype_t  type,
const dst_key_t *key 
)

Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rule matches, access is denied (default deny).

Notes: 'tcpaddr' should only be set if the request was received via TCP. Because a TCP request requires a completed handshake, this provides only a weak assurance that the source address was not spoofed; it is not a form of authentication. 'tcpaddr' is used to validate DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF rules.

For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, Section 2.5, "IP6.ARPA Domain".

For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only the top 48 bits of the IPv6 address are mapped to the reverse name. This is done regardless of whether the most significant 16 bits match 2002::/16, the prefix assigned for 6to4, or not.

Requires:

Definition at line 350 of file ssu.c.

References dns_ssutable::dlzdatabase, dns_dlz_ssumatch(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_equal(), dns_name_isabsolute(), dns_name_issubdomain(), dns_name_iswildcard(), dns_name_matcheswildcard(), dns_ssu_external_match(), DNS_SSUMATCHTYPE_6TO4SELF, DNS_SSUMATCHTYPE_DLZ, DNS_SSUMATCHTYPE_EXTERNAL, DNS_SSUMATCHTYPE_NAME, DNS_SSUMATCHTYPE_SELF, DNS_SSUMATCHTYPE_SELFKRB5, DNS_SSUMATCHTYPE_SELFMS, DNS_SSUMATCHTYPE_SELFSUB, DNS_SSUMATCHTYPE_SELFWILD, DNS_SSUMATCHTYPE_SUBDOMAIN, DNS_SSUMATCHTYPE_SUBDOMAINKRB5, DNS_SSUMATCHTYPE_SUBDOMAINMS, DNS_SSUMATCHTYPE_TCPSELF, DNS_SSUMATCHTYPE_WILDCARD, dns_wildcardname, dst_gssapi_identitymatchesrealmkrb5(), dst_gssapi_identitymatchesrealmms(), fixed, dns_ssurule::grant, dns_ssurule::identity, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, isusertype(), dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, reverse_from_address(), stf_from_address(), dns_ssurule::types, and VALID_SSUTABLE.

Referenced by ssu_checkrule(), and update_action().

isc_boolean_t dns_ssurule_isgrant ( const dns_ssurule_t *rule  ) 

Accessor functions to extract rule components.

Definition at line 529 of file ssu.c.

References dns_ssurule::grant, REQUIRE, and VALID_SSURULE.

dns_name_t* dns_ssurule_identity ( const dns_ssurule_t *rule  ) 

Accessor functions to extract rule components.

Definition at line 535 of file ssu.c.

References dns_ssurule::identity, REQUIRE, and VALID_SSURULE.

unsigned int dns_ssurule_matchtype ( const dns_ssurule_t *rule  ) 

Accessor functions to extract rule components.

Definition at line 541 of file ssu.c.

References dns_ssurule::matchtype, REQUIRE, and VALID_SSURULE.

dns_name_t* dns_ssurule_name ( const dns_ssurule_t *rule  ) 

Accessor functions to extract rule components.

Definition at line 547 of file ssu.c.

References dns_ssurule::name, REQUIRE, and VALID_SSURULE.

unsigned int dns_ssurule_types ( const dns_ssurule_t *rule,
dns_rdatatype_t **  types 
)

Accessor functions to extract rule components.

Definition at line 553 of file ssu.c.

References dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSURULE.

isc_result_t dns_ssutable_firstrule ( const dns_ssutable_t *table,
dns_ssurule_t **  rule 
)

Initiates a rule iterator. There is no need to maintain any state.

Returns:

Definition at line 561 of file ssu.c.

References ISC_LIST_HEAD, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSUTABLE.

isc_result_t dns_ssutable_nextrule ( dns_ssurule_t *rule,
dns_ssurule_t **  nextrule 
)

Returns the next rule in the table.

Returns:

Definition at line 569 of file ssu.c.

References ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSURULE.

isc_result_t dns_ssutable_createdlz ( isc_mem_t *mctx,
dns_ssutable_t **  tablep,
dns_dlzdb_t *dlzdatabase 
)

Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.

Definition at line 580 of file ssu.c.

References dns_ssutable::dlzdatabase, DNS_SSUMATCHTYPE_DLZ, dns_ssutable_create(), dns_ssutable_detach(), dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, and dns_ssurule::types.

Referenced by dns_dlz_writeablezone().

