1 /* $NetBSD: ssu.h,v 1.4 2014/12/10 04:37:58 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2004-2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC") 5 * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. 6 * 7 * Permission to use, copy, modify, and/or distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 * PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 /* Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp */ 21 22 #ifndef DNS_SSU_H 23 #define DNS_SSU_H 1 24 25 /*! \file dns/ssu.h */ 26 27 #include <isc/lang.h> 28 29 #include <dns/types.h> 30 #include <dst/dst.h> 31 32 ISC_LANG_BEGINDECLS 33 34 #define DNS_SSUMATCHTYPE_NAME 0 35 #define DNS_SSUMATCHTYPE_SUBDOMAIN 1 36 #define DNS_SSUMATCHTYPE_WILDCARD 2 37 #define DNS_SSUMATCHTYPE_SELF 3 38 #define DNS_SSUMATCHTYPE_SELFSUB 4 39 #define DNS_SSUMATCHTYPE_SELFWILD 5 40 #define DNS_SSUMATCHTYPE_SELFKRB5 6 41 #define DNS_SSUMATCHTYPE_SELFMS 7 42 #define DNS_SSUMATCHTYPE_SUBDOMAINMS 8 43 #define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9 44 #define DNS_SSUMATCHTYPE_TCPSELF 10 45 #define DNS_SSUMATCHTYPE_6TO4SELF 11 46 #define DNS_SSUMATCHTYPE_EXTERNAL 12 47 #define DNS_SSUMATCHTYPE_DLZ 13 48 #define DNS_SSUMATCHTYPE_MAX 12 /* max value */ 49 50 isc_result_t 51 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table); 52 /*%< 53 * Creates a table that will be used to store simple-secure-update rules. 54 * Note: all locking must be provided by the client. 55 * 56 * Requires: 57 *\li 'mctx' is a valid memory context 58 *\li 'table' is not NULL, and '*table' is NULL 59 * 60 * Returns: 61 *\li ISC_R_SUCCESS 62 *\li ISC_R_NOMEMORY 63 */ 64 65 isc_result_t 66 dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, 67 dns_dlzdb_t *dlzdatabase); 68 /*%< 69 * Create an SSU table that contains a dlzdatabase pointer, and a 70 * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU 71 * table is used by writeable DLZ drivers to offload authorization for 72 * updates to the driver. 73 */ 74 75 void 76 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp); 77 /*%< 78 * Attach '*targetp' to 'source'. 79 * 80 * Requires: 81 *\li 'source' is a valid SSU table 82 *\li 'targetp' points to a NULL dns_ssutable_t *. 83 * 84 * Ensures: 85 *\li *targetp is attached to source. 86 */ 87 88 void 89 dns_ssutable_detach(dns_ssutable_t **tablep); 90 /*%< 91 * Detach '*tablep' from its simple-secure-update rule table. 92 * 93 * Requires: 94 *\li 'tablep' points to a valid dns_ssutable_t 95 * 96 * Ensures: 97 *\li *tablep is NULL 98 *\li If '*tablep' is the last reference to the SSU table, all 99 * resources used by the table will be freed. 100 */ 101 102 isc_result_t 103 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant, 104 dns_name_t *identity, unsigned int matchtype, 105 dns_name_t *name, unsigned int ntypes, 106 dns_rdatatype_t *types); 107 /*%< 108 * Adds a new rule to a simple-secure-update rule table. The rule 109 * either grants or denies update privileges of an identity (or set of 110 * identities) to modify a name (or set of names) or certain types present 111 * at that name. 112 * 113 * Notes: 114 *\li If 'matchtype' is of SELF type, this rule only matches if the 115 * name to be updated matches the signing identity. 116 * 117 *\li If 'ntypes' is 0, this rule applies to all types except 118 * NS, SOA, RRSIG, and NSEC. 119 * 120 *\li If 'types' includes ANY, this rule applies to all types 121 * except NSEC. 122 * 123 * Requires: 124 *\li 'table' is a valid SSU table 125 *\li 'identity' is a valid absolute name 126 *\li 'matchtype' must be one of the defined constants. 127 *\li 'name' is a valid absolute name 128 *\li If 'ntypes' > 0, 'types' must not be NULL 129 * 130 * Returns: 131 *\li ISC_R_SUCCESS 132 *\li ISC_R_NOMEMORY 133 */ 134 135 isc_boolean_t 136 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer, 137 dns_name_t *name, isc_netaddr_t *tcpaddr, 138 dns_rdatatype_t type, const dst_key_t *key); 139 /*%< 140 * Checks that the attempted update of (name, type) is allowed according 141 * to the rules specified in the simple-secure-update rule table. If 142 * no rules are matched, access is denied. 143 * 144 * Notes: 145 * 'tcpaddr' should only be set if the request received 146 * via TCP. This provides a weak assurance that the 147 * request was not spoofed. 'tcpaddr' is to to validate 148 * DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF 149 * rules. 150 * 151 * For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to 152 * the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. 153 * RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, 154 * Section 2.5, "IP6.ARPA Domain". 155 * 156 * For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted 157 * to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only 158 * the top 48 bits of the IPv6 address are mapped to the reverse 159 * name. This is independent of whether the most significant 16 160 * bits match 2002::/16, assigned for 6to4 prefixes, or not. 161 * 162 * Requires: 163 *\li 'table' is a valid SSU table 164 *\li 'signer' is NULL or a valid absolute name 165 *\li 'tcpaddr' is NULL or a valid network address. 166 *\li 'name' is a valid absolute name 167 */ 168 169 170 /*% Accessor functions to extract rule components */ 171 isc_boolean_t dns_ssurule_isgrant(const dns_ssurule_t *rule); 172 /*% Accessor functions to extract rule components */ 173 dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule); 174 /*% Accessor functions to extract rule components */ 175 unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule); 176 /*% Accessor functions to extract rule components */ 177 dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule); 178 /*% Accessor functions to extract rule components */ 179 unsigned int dns_ssurule_types(const dns_ssurule_t *rule, 180 dns_rdatatype_t **types); 181 182 isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table, 183 dns_ssurule_t **rule); 184 /*%< 185 * Initiates a rule iterator. There is no need to maintain any state. 186 * 187 * Returns: 188 *\li #ISC_R_SUCCESS 189 *\li #ISC_R_NOMORE 190 */ 191 192 isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule, 193 dns_ssurule_t **nextrule); 194 /*%< 195 * Returns the next rule in the table. 196 * 197 * Returns: 198 *\li #ISC_R_SUCCESS 199 *\li #ISC_R_NOMORE 200 */ 201 202 203 /*%< 204 * Check a policy rule via an external application 205 */ 206 isc_boolean_t 207 dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer, 208 dns_name_t *name, isc_netaddr_t *tcpaddr, 209 dns_rdatatype_t type, const dst_key_t *key, 210 isc_mem_t *mctx); 211 212 ISC_LANG_ENDDECLS 213 214 #endif /* DNS_SSU_H */ 215