1 /*	$NetBSD: ssu.h,v 1.4 2014/12/10 04:37:58 christos Exp $	*/
2 
3 /*
4  * Copyright (C) 2004-2008, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
5  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
6  *
7  * Permission to use, copy, modify, and/or distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17  * PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 /* Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp  */
21 
22 #ifndef DNS_SSU_H
23 #define DNS_SSU_H 1
24 
25 /*! \file dns/ssu.h */
26 
27 #include <isc/lang.h>
28 
29 #include <dns/types.h>
30 #include <dst/dst.h>
31 
32 ISC_LANG_BEGINDECLS
33 
/*
 * Match types for simple-secure-update rules (the 'matchtype' argument of
 * dns_ssutable_addrule()).  The SELF variants only match when the name
 * being updated matches the signing identity; TCPSELF and 6TO4SELF are
 * additionally validated against the 'tcpaddr' argument of
 * dns_ssutable_checkrules() (see the notes there).
 */
#define DNS_SSUMATCHTYPE_NAME		0
#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
#define DNS_SSUMATCHTYPE_WILDCARD	2
#define DNS_SSUMATCHTYPE_SELF		3
#define DNS_SSUMATCHTYPE_SELFSUB	4
#define DNS_SSUMATCHTYPE_SELFWILD	5
#define DNS_SSUMATCHTYPE_SELFKRB5	6
#define DNS_SSUMATCHTYPE_SELFMS		7
#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
#define DNS_SSUMATCHTYPE_TCPSELF	10
#define DNS_SSUMATCHTYPE_6TO4SELF	11
/* Decision delegated to an external application (see dns_ssu_external_match()). */
#define DNS_SSUMATCHTYPE_EXTERNAL	12
/* Decision delegated to a writeable DLZ driver (see dns_ssutable_createdlz()). */
#define DNS_SSUMATCHTYPE_DLZ		13
/*
 * NOTE(review): DNS_SSUMATCHTYPE_MAX (12) is smaller than
 * DNS_SSUMATCHTYPE_DLZ (13).  If MAX is used as an upper bound on the
 * 'matchtype' accepted by dns_ssutable_addrule(), DLZ rules are rejected
 * there and can only come from dns_ssutable_createdlz(); if it is meant
 * to be the largest defined constant, it is stale.  Confirm which reading
 * ssu.c relies on before using MAX as a table bound.
 */
#define DNS_SSUMATCHTYPE_MAX 		12  /* max value accepted as a rule matchtype (excludes DLZ) */
49 
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
/*%<
 *	Creates a table that will be used to store simple-secure-update rules.
 *	Note: all locking must be provided by the client.
 *
 *	Rules are added with dns_ssutable_addrule() and consulted by
 *	dns_ssutable_checkrules(), which denies any update that no rule
 *	matches (so a freshly created table denies everything).  The table
 *	is reference counted: share it with dns_ssutable_attach() and
 *	release it with dns_ssutable_detach().
 *
 *	Requires:
 *\li		'mctx' is a valid memory context
 *\li		'table' is not NULL, and '*table' is NULL
 *
 *	Ensures (presumably):
 *\li		On ISC_R_SUCCESS, '*table' refers to the new table.
 *
 *	Returns:
 *\li		ISC_R_SUCCESS
 *\li		ISC_R_NOMEMORY
 */
64 
isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
		       dns_dlzdb_t *dlzdatabase);
/*%<
 * Create an SSU table that contains a dlzdatabase pointer, and a
 * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
 * table is used by writeable DLZ drivers to offload authorization for
 * updates to the driver.
 *
 * Because the driver becomes the authorization decision point, the
 * effective update policy is only as strict as the driver's own checks.
 *
 * Requires (presumably as for dns_ssutable_create(); confirm in ssu.c):
 *\li	'mctx' is a valid memory context
 *\li	'tablep' is not NULL, and '*tablep' is NULL
 *\li	'dlzdatabase' is a valid DLZ database
 *
 * Returns (presumably):
 *\li	ISC_R_SUCCESS
 *\li	ISC_R_NOMEMORY
 */
74 
void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
/*%<
 *	Attach '*targetp' to 'source', taking an additional reference to
 *	the table.  Each attach must be balanced by a dns_ssutable_detach().
 *
 *	Requires:
 *\li		'source' is a valid SSU table
 *\li		'targetp' points to a NULL dns_ssutable_t *.
 *
 *	Ensures:
 *\li		*targetp is attached to source.
 */
87 
void
dns_ssutable_detach(dns_ssutable_t **tablep);
/*%<
 *	Detach '*tablep' from the simple-secure-update rule table it
 *	references, dropping one reference.  The caller must not use the
 *	old '*tablep' value afterwards.
 *
 *	Requires:
 *\li		'tablep' points to a valid dns_ssutable_t
 *
 *	Ensures:
 *\li		*tablep is NULL
 *\li		If '*tablep' is the last reference to the SSU table, all
 *			resources used by the table will be freed.
 */
101 
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
		     dns_name_t *identity, unsigned int matchtype,
		     dns_name_t *name, unsigned int ntypes,
		     dns_rdatatype_t *types);
/*%<
 *	Adds a new rule to a simple-secure-update rule table.  The rule
 *	either grants ('grant' is ISC_TRUE) or denies ('grant' is ISC_FALSE)
 *	update privileges of an identity (or set of identities) to modify a
 *	name (or set of names) or certain types present at that name.
 *
 *	Notes:
 *\li		If 'matchtype' is of SELF type, this rule only matches if the
 *		name to be updated matches the signing identity.
 *
 *\li		If 'ntypes' is 0, this rule applies to all types except
 *		NS, SOA, RRSIG, and NSEC.
 *
 *\li		If 'types' includes ANY, this rule applies to all types
 *		except NSEC.  Granting ANY therefore also permits changes to
 *		NS, SOA and RRSIG at the name; use an explicit type list
 *		when that is not intended.
 *
 *\li		Whether the table copies or merely references 'identity',
 *		'name' and 'types' is not visible in this header; check
 *		ssu.c before passing storage that will be freed or reused.
 *
 *\li		NOTE(review): DNS_SSUMATCHTYPE_DLZ (13) is above
 *		DNS_SSUMATCHTYPE_MAX (12); DLZ tables are created by
 *		dns_ssutable_createdlz(), so it is presumably not a valid
 *		'matchtype' here -- confirm.
 *
 *	Requires:
 *\li		'table' is a valid SSU table
 *\li		'identity' is a valid absolute name
 *\li		'matchtype' must be one of the defined constants.
 *\li		'name' is a valid absolute name
 *\li		If 'ntypes' > 0, 'types' must not be NULL
 *
 *	Returns:
 *\li		ISC_R_SUCCESS
 *\li		ISC_R_NOMEMORY
 */
134 
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
			dns_name_t *name, isc_netaddr_t *tcpaddr,
			dns_rdatatype_t type, const dst_key_t *key);
/*%<
 *	Checks that the attempted update of (name, type) is allowed according
 *	to the rules specified in the simple-secure-update rule table.  If
 *	no rules are matched, access is denied (default deny).
 *
 *	Notes:
 *		'tcpaddr' should only be set if the request was received
 *		via TCP.  This provides a weak assurance that the
 *		request was not spoofed: completing a TCP handshake shows
 *		the peer can receive traffic at that source address, but
 *		it is not authentication.  'tcpaddr' is used to validate
 *		DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
 *		rules.
 *
 *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
 *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
 *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
 *		Section 2.5, "IP6.ARPA Domain".
 *
 *		For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted
 *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
 *		the top 48 bits of the IPv6 address are mapped to the reverse
 *		name. This is independent of whether the most significant 16
 *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
 *
 *		'key' is assumed to be the key that signed the request;
 *		which match types consult it, and whether NULL is accepted,
 *		is not visible in this header -- confirm in ssu.c.
 *
 *	Requires:
 *\li		'table' is a valid SSU table
 *\li		'signer' is NULL or a valid absolute name
 *\li		'tcpaddr' is NULL or a valid network address.
 *\li		'name' is a valid absolute name
 *
 *	Returns:
 *\li		ISC_TRUE if a matching rule grants the update
 *\li		ISC_FALSE if a matching rule denies it or no rule matches
 */
168 
169 
/*%
 * Accessor functions to extract rule components.  'rule' is a rule
 * obtained from dns_ssutable_firstrule()/dns_ssutable_nextrule(); the
 * returned pointers presumably refer to storage owned by the rule and
 * remain valid only while the table is attached.
 */
/*% ISC_TRUE if the rule grants update privileges, ISC_FALSE if it denies them. */
isc_boolean_t	dns_ssurule_isgrant(const dns_ssurule_t *rule);
/*% The identity (or set of identities) the rule applies to. */
dns_name_t *	dns_ssurule_identity(const dns_ssurule_t *rule);
/*% The rule's DNS_SSUMATCHTYPE_* value. */
unsigned int	dns_ssurule_matchtype(const dns_ssurule_t *rule);
/*% The name (or set of names) the rule applies to. */
dns_name_t *	dns_ssurule_name(const dns_ssurule_t *rule);
/*%
 * Presumably returns the rule's type count and sets '*types' to its type
 * array -- the (ntypes, types) pair given to dns_ssutable_addrule().
 * A count of 0 then means the default type set described there; confirm.
 */
unsigned int	dns_ssurule_types(const dns_ssurule_t *rule,
				  dns_rdatatype_t **types);
181 
isc_result_t	dns_ssutable_firstrule(const dns_ssutable_t *table,
				       dns_ssurule_t **rule);
/*%<
 * Initiates a rule iterator: on success '*rule' is the first rule of
 * 'table'.  No separate iterator state is kept; continue with
 * dns_ssutable_nextrule() on the rule just returned.
 *
 * Returns:
 *\li	#ISC_R_SUCCESS
 *\li	#ISC_R_NOMORE	(presumably: the table has no rules)
 */
191 
isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
				      dns_ssurule_t **nextrule);
/*%<
 * Returns the next rule in the table after 'rule' in '*nextrule'.
 *
 * Returns:
 *\li	#ISC_R_SUCCESS
 *\li	#ISC_R_NOMORE	(presumably: 'rule' was the last rule)
 */
201 
202 
/*%
 * Check a policy rule via an external application.
 *
 * Presumably the handler for DNS_SSUMATCHTYPE_EXTERNAL rules: 'identity'
 * is the rule's identity, 'signer', 'name', 'tcpaddr', 'type' and 'key'
 * mirror the arguments of dns_ssutable_checkrules(), and 'mctx' is the
 * memory context for any temporary allocation.  How the external
 * application is located and invoked is not visible in this header.
 *
 * Returns ISC_TRUE if the external application approves the update,
 * ISC_FALSE otherwise (assumed from the return type -- confirm).
 */
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
		       dns_name_t *name, isc_netaddr_t *tcpaddr,
		       dns_rdatatype_t type, const dst_key_t *key,
		       isc_mem_t *mctx);
211 
212 ISC_LANG_ENDDECLS
213 
214 #endif /* DNS_SSU_H */