ssu.h File Reference

#include <isc/lang.h>
#include <dns/types.h>
#include <dst/dst.h>


Defines

#define DNS_SSU_H   1
#define DNS_SSUMATCHTYPE_NAME   0
#define DNS_SSUMATCHTYPE_SUBDOMAIN   1
#define DNS_SSUMATCHTYPE_WILDCARD   2
#define DNS_SSUMATCHTYPE_SELF   3
#define DNS_SSUMATCHTYPE_SELFSUB   4
#define DNS_SSUMATCHTYPE_SELFWILD   5
#define DNS_SSUMATCHTYPE_SELFKRB5   6
#define DNS_SSUMATCHTYPE_SELFMS   7
#define DNS_SSUMATCHTYPE_SUBDOMAINMS   8
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5   9
#define DNS_SSUMATCHTYPE_TCPSELF   10
#define DNS_SSUMATCHTYPE_6TO4SELF   11
#define DNS_SSUMATCHTYPE_EXTERNAL   12
#define DNS_SSUMATCHTYPE_DLZ   13
#define DNS_SSUMATCHTYPE_MAX   12

Functions

isc_result_t dns_ssutable_create (isc_mem_t *mctx, dns_ssutable_t **table)
 Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.
isc_result_t dns_ssutable_createdlz (isc_mem_t *mctx, dns_ssutable_t **tablep, dns_dlzdb_t *dlzdatabase)
 Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.
void dns_ssutable_attach (dns_ssutable_t *source, dns_ssutable_t **targetp)
 Attach '*targetp' to 'source'.
void dns_ssutable_detach (dns_ssutable_t **tablep)
 Detach '*tablep' from its simple-secure-update rule table.
isc_result_t dns_ssutable_addrule (dns_ssutable_t *table, isc_boolean_t grant, dns_name_t *identity, unsigned int matchtype, dns_name_t *name, unsigned int ntypes, dns_rdatatype_t *types)
 Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.
isc_boolean_t dns_ssutable_checkrules (dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key)
 Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied.
isc_boolean_t dns_ssurule_isgrant (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
dns_name_t* dns_ssurule_identity (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
unsigned int dns_ssurule_matchtype (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
dns_name_t* dns_ssurule_name (const dns_ssurule_t *rule)
 Accessor functions to extract rule components.
unsigned int dns_ssurule_types (const dns_ssurule_t *rule, dns_rdatatype_t **types)
 Accessor functions to extract rule components.
isc_result_t dns_ssutable_firstrule (const dns_ssutable_t *table, dns_ssurule_t **rule)
 Initiates a rule iterator. There is no need to maintain any state.
isc_result_t dns_ssutable_nextrule (dns_ssurule_t *rule, dns_ssurule_t **nextrule)
 Returns the next rule in the table.
isc_boolean_t dns_ssu_external_match (dns_name_t *identity, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key, isc_mem_t *mctx)


Detailed Description

Definition in file ssu.h.


Define Documentation

#define DNS_SSU_H   1

Definition at line 21 of file ssu.h.

#define DNS_SSUMATCHTYPE_NAME   0

Definition at line 32 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SUBDOMAIN   1

Definition at line 33 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_WILDCARD   2

Definition at line 34 of file ssu.h.

Referenced by configure_zone_ssutable(), dns_ssutable_addrule(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SELF   3

Definition at line 35 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SELFSUB   4

Definition at line 36 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SELFWILD   5

Definition at line 37 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SELFKRB5   6

Definition at line 38 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SELFMS   7

Definition at line 39 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SUBDOMAINMS   8

Definition at line 40 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5   9

Definition at line 41 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_TCPSELF   10

Definition at line 42 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_6TO4SELF   11

Definition at line 43 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_EXTERNAL   12

Definition at line 44 of file ssu.h.

Referenced by configure_zone_ssutable(), and dns_ssutable_checkrules().

#define DNS_SSUMATCHTYPE_DLZ   13

Definition at line 45 of file ssu.h.

Referenced by dns_ssutable_checkrules(), and dns_ssutable_createdlz().

#define DNS_SSUMATCHTYPE_MAX   12

Definition at line 46 of file ssu.h.

Referenced by dns_ssutable_addrule().


Function Documentation

isc_result_t dns_ssutable_create ( isc_mem_t *  mctx,
dns_ssutable_t **  table 
)

Creates a table that will be used to store simple-secure-update rules. Note: all locking must be provided by the client.

Requires:

Returns:

Definition at line 69 of file ssu.c.

References ISC_LIST_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssutable::lock, dns_ssutable::magic, dns_ssutable::mctx, dns_ssutable::references, REQUIRE, and SSUTABLEMAGIC.

Referenced by configure_zone_ssutable(), and dns_ssutable_createdlz().

isc_result_t dns_ssutable_createdlz ( isc_mem_t *  mctx,
dns_ssutable_t **  tablep,
dns_dlzdb_t *  dlzdatabase 
)

Create an SSU table that contains a dlzdatabase pointer, and a single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU table is used by writeable DLZ drivers to offload authorization for updates to the driver.

Definition at line 580 of file ssu.c.

References dns_ssutable::dlzdatabase, DNS_SSUMATCHTYPE_DLZ, dns_ssutable_create(), dns_ssutable_detach(), dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, and dns_ssurule::types.

Referenced by dns_dlz_writeablezone().

void dns_ssutable_attach ( dns_ssutable_t *  source,
dns_ssutable_t **  targetp 
)

Attach '*targetp' to 'source'.

Requires:

Ensures:

Definition at line 123 of file ssu.c.

References INSIST, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.

Referenced by dns_zone_getssutable(), and dns_zone_setssutable().

void dns_ssutable_detach ( dns_ssutable_t **  tablep  ) 

Detach '*tablep' from its simple-secure-update rule table.

Requires:

Ensures:

Definition at line 139 of file ssu.c.

References destroy(), INSIST, ISC_FALSE, ISC_TRUE, dns_ssutable::lock, LOCK, dns_ssutable::references, REQUIRE, UNLOCK, and VALID_SSUTABLE.

Referenced by configure_zone_ssutable(), dns_dlzdestroy(), dns_ssutable_createdlz(), dns_zone_setssutable(), update_action(), and zone_free().

isc_result_t dns_ssutable_addrule ( dns_ssutable_t *  table,
isc_boolean_t  grant,
dns_name_t *  identity,
unsigned int  matchtype,
dns_name_t *  name,
unsigned int  ntypes,
dns_rdatatype_t *  types 
)

Adds a new rule to a simple-secure-update rule table. The rule either grants or denies update privileges of an identity (or set of identities) to modify a name (or set of names) or certain types present at that name.

Notes:

Requires:

Returns:

Definition at line 161 of file ssu.c.

References dns_name_dup(), dns_name_dynamic(), dns_name_free(), dns_name_init(), dns_name_isabsolute(), dns_name_iswildcard(), DNS_SSUMATCHTYPE_MAX, DNS_SSUMATCHTYPE_WILDCARD, dns_ssurule::grant, dns_ssurule::identity, ISC_LIST_INITANDAPPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, dns_ssurule::magic, dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, SSURULEMAGIC, dns_ssurule::types, and VALID_SSUTABLE.

Referenced by configure_zone_ssutable().

isc_boolean_t dns_ssutable_checkrules ( dns_ssutable_t *  table,
dns_name_t *  signer,
dns_name_t *  name,
isc_netaddr_t *  tcpaddr,
dns_rdatatype_t  type,
const dst_key_t *  key 
)

Checks that the attempted update of (name, type) is allowed according to the rules specified in the simple-secure-update rule table. If no rules are matched, access is denied.

Notes: 'tcpaddr' should only be set if the request was received via TCP. This provides a weak assurance that the request was not spoofed. 'tcpaddr' is used to validate DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF rules.

For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, Section 2.5, "IP6.ARPA Domain".

For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only the top 48 bits of the IPv6 address are mapped to the reverse name. This is done regardless of whether the most significant 16 bits match 2002::/16, the prefix assigned for 6to4.

Requires:

Definition at line 350 of file ssu.c.

References dns_ssutable::dlzdatabase, dns_dlz_ssumatch(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_equal(), dns_name_isabsolute(), dns_name_issubdomain(), dns_name_iswildcard(), dns_name_matcheswildcard(), dns_ssu_external_match(), DNS_SSUMATCHTYPE_6TO4SELF, DNS_SSUMATCHTYPE_DLZ, DNS_SSUMATCHTYPE_EXTERNAL, DNS_SSUMATCHTYPE_NAME, DNS_SSUMATCHTYPE_SELF, DNS_SSUMATCHTYPE_SELFKRB5, DNS_SSUMATCHTYPE_SELFMS, DNS_SSUMATCHTYPE_SELFSUB, DNS_SSUMATCHTYPE_SELFWILD, DNS_SSUMATCHTYPE_SUBDOMAIN, DNS_SSUMATCHTYPE_SUBDOMAINKRB5, DNS_SSUMATCHTYPE_SUBDOMAINMS, DNS_SSUMATCHTYPE_TCPSELF, DNS_SSUMATCHTYPE_WILDCARD, dns_wildcardname, dst_gssapi_identitymatchesrealmkrb5(), dst_gssapi_identitymatchesrealmms(), fixed, dns_ssurule::grant, dns_ssurule::identity, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, isusertype(), dns_ssurule::matchtype, dns_ssutable::mctx, dns_ssurule::name, dns_ssurule::ntypes, REQUIRE, reverse_from_address(), stf_from_address(), dns_ssurule::types, and VALID_SSUTABLE.

Referenced by ssu_checkrule(), and update_action().

isc_boolean_t dns_ssurule_isgrant ( const dns_ssurule_t *  rule  ) 

Accessor functions to extract rule components.

Definition at line 529 of file ssu.c.

References dns_ssurule::grant, REQUIRE, and VALID_SSURULE.

dns_name_t* dns_ssurule_identity ( const dns_ssurule_t *  rule  ) 

Accessor functions to extract rule components.

Definition at line 535 of file ssu.c.

References dns_ssurule::identity, REQUIRE, and VALID_SSURULE.

unsigned int dns_ssurule_matchtype ( const dns_ssurule_t *  rule  ) 

Accessor functions to extract rule components.

Definition at line 541 of file ssu.c.

References dns_ssurule::matchtype, REQUIRE, and VALID_SSURULE.

dns_name_t* dns_ssurule_name ( const dns_ssurule_t *  rule  ) 

Accessor functions to extract rule components.

Definition at line 547 of file ssu.c.

References dns_ssurule::name, REQUIRE, and VALID_SSURULE.

unsigned int dns_ssurule_types ( const dns_ssurule_t *  rule,
dns_rdatatype_t **  types 
)

Accessor functions to extract rule components.

Definition at line 553 of file ssu.c.

References dns_ssurule::ntypes, REQUIRE, dns_ssurule::types, and VALID_SSURULE.

isc_result_t dns_ssutable_firstrule ( const dns_ssutable_t *  table,
dns_ssurule_t **  rule 
)

Initiates a rule iterator. There is no need to maintain any state.

Returns:

Definition at line 561 of file ssu.c.

References ISC_LIST_HEAD, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSUTABLE.

isc_result_t dns_ssutable_nextrule ( dns_ssurule_t *  rule,
dns_ssurule_t **  nextrule 
)

Returns the next rule in the table.

Returns:

Definition at line 569 of file ssu.c.

References ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, REQUIRE, and VALID_SSURULE.

isc_boolean_t dns_ssu_external_match ( dns_name_t *  identity,
dns_name_t *  signer,
dns_name_t *  name,
isc_netaddr_t *  tcpaddr,
dns_rdatatype_t  type,
const dst_key_t *  key,
isc_mem_t *  mctx 
)

Definition at line 120 of file ssu_external.c.

References isc_region::base, dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdatatype_format(), DNS_RDATATYPE_FORMATSIZE, dst_key_format(), DST_KEY_FORMATSIZE, dst_key_tkeytoken(), ENSURE, isc__strerror(), isc_buffer_availablelength, isc_buffer_init, isc_buffer_putmem, isc_buffer_putstr, isc_buffer_putuint32, isc_buffer_putuint8, isc_buffer_region, ISC_FALSE, isc_mem_allocate, isc_mem_free, isc_netaddr_format(), ISC_NETADDR_FORMATSIZE, ISC_STRERRORSIZE, ISC_TRUE, isc_region::length, ssu_e_log(), SSU_EXTERNAL_VERSION, and ux_socket_connect().

Referenced by dns_ssutable_checkrules().

