1 /*
2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3  *
4  * This Source Code Form is subject to the terms of the Mozilla Public
5  * License, v. 2.0. If a copy of the MPL was not distributed with this
6  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7  *
8  * See the COPYRIGHT file distributed with this work for additional
9  * information regarding copyright ownership.
10  */
11 
12 #ifndef DNS_SSU_H
13 #define DNS_SSU_H 1
14 
15 /*! \file dns/ssu.h */
16 
17 #include <stdbool.h>
18 
19 #include <isc/lang.h>
20 
21 #include <dns/acl.h>
22 #include <dns/types.h>
23 
24 #include <dst/dst.h>
25 
26 ISC_LANG_BEGINDECLS
27 
28 typedef enum {
29 	dns_ssumatchtype_name = 0,
30 	dns_ssumatchtype_subdomain = 1,
31 	dns_ssumatchtype_wildcard = 2,
32 	dns_ssumatchtype_self = 3,
33 	dns_ssumatchtype_selfsub = 4,
34 	dns_ssumatchtype_selfwild = 5,
35 	dns_ssumatchtype_selfkrb5 = 6,
36 	dns_ssumatchtype_selfms = 7,
37 	dns_ssumatchtype_subdomainms = 8,
38 	dns_ssumatchtype_subdomainkrb5 = 9,
39 	dns_ssumatchtype_tcpself = 10,
40 	dns_ssumatchtype_6to4self = 11,
41 	dns_ssumatchtype_external = 12,
42 	dns_ssumatchtype_local = 13,
43 	dns_ssumatchtype_selfsubms = 14,
44 	dns_ssumatchtype_selfsubkrb5 = 15,
45 	dns_ssumatchtype_max = 15, /* max value */
46 
47 	dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */
48 } dns_ssumatchtype_t;
49 
50 isc_result_t
51 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
52 /*%<
53  *	Creates a table that will be used to store simple-secure-update rules.
54  *	Note: all locking must be provided by the client.
55  *
56  *	Requires:
57  *\li		'mctx' is a valid memory context
58  *\li		'table' is not NULL, and '*table' is NULL
59  *
60  *	Returns:
61  *\li		ISC_R_SUCCESS
62  *\li		ISC_R_NOMEMORY
63  */
64 
65 isc_result_t
66 dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
67 		       dns_dlzdb_t *dlzdatabase);
68 /*%<
69  * Create an SSU table that contains a dlzdatabase pointer, and a
70  * single rule with matchtype dns_ssumatchtype_dlz. This type of SSU
71  * table is used by writeable DLZ drivers to offload authorization for
72  * updates to the driver.
73  */
74 
75 void
76 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
77 /*%<
78  *	Attach '*targetp' to 'source'.
79  *
80  *	Requires:
81  *\li		'source' is a valid SSU table
82  *\li		'targetp' points to a NULL dns_ssutable_t *.
83  *
84  *	Ensures:
85  *\li		*targetp is attached to source.
86  */
87 
88 void
89 dns_ssutable_detach(dns_ssutable_t **tablep);
90 /*%<
91  *	Detach '*tablep' from its simple-secure-update rule table.
92  *
93  *	Requires:
94  *\li		'tablep' points to a valid dns_ssutable_t
95  *
96  *	Ensures:
97  *\li		*tablep is NULL
98  *\li		If '*tablep' is the last reference to the SSU table, all
99  *			resources used by the table will be freed.
100  */
101 
102 isc_result_t
103 dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
104 		     const dns_name_t *identity, dns_ssumatchtype_t matchtype,
105 		     const dns_name_t *name, unsigned int ntypes,
106 		     dns_rdatatype_t *types);
107 /*%<
108  *	Adds a new rule to a simple-secure-update rule table.  The rule
109  *	either grants or denies update privileges of an identity (or set of
110  *	identities) to modify a name (or set of names) or certain types present
111  *	at that name.
112  *
113  *	Notes:
114  *\li		If 'matchtype' is of SELF type, this rule only matches if the
115  *              name to be updated matches the signing identity.
116  *
117  *\li		If 'ntypes' is 0, this rule applies to all types except
118  *		NS, SOA, RRSIG, and NSEC.
119  *
120  *\li		If 'types' includes ANY, this rule applies to all types
121  *		except NSEC.
122  *
123  *	Requires:
124  *\li		'table' is a valid SSU table
125  *\li		'identity' is a valid absolute name
126  *\li		'matchtype' must be one of the defined constants.
127  *\li		'name' is a valid absolute name
128  *\li		If 'ntypes' > 0, 'types' must not be NULL
129  *
130  *	Returns:
131  *\li		ISC_R_SUCCESS
132  *\li		ISC_R_NOMEMORY
133  */
134 
135 bool
136 dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
137 			const dns_name_t *name, const isc_netaddr_t *addr,
138 			bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type,
139 			const dst_key_t *key);
140 /*%<
141  *	Checks that the attempted update of (name, type) is allowed according
142  *	to the rules specified in the simple-secure-update rule table.  If
143  *	no rules are matched, access is denied.
144  *
145  *	Notes:
146  *		In dns_ssutable_checkrules(), 'addr' should only be
147  *		set if the request received via TCP.  This provides a
148  *		weak assurance that the request was not spoofed.
149  *		'addr' is to to validate dns_ssumatchtype_tcpself
150  *		and dns_ssumatchtype_6to4self rules.
151  *
152  *		In dns_ssutable_checkrules2(), 'addr' can also be passed for
153  *		UDP requests and TCP is specified via the 'tcp' parameter.
154  *		In addition to dns_ssumatchtype_tcpself and
155  *		tcp_ssumatchtype_6to4self  rules, the address
156  *		also be used to check dns_ssumatchtype_local rules.
157  *		If 'addr' is set then 'env' must also be set so that
158  *		requests from non-localhost addresses can be rejected.
159  *
160  *		For dns_ssumatchtype_tcpself the addresses are mapped to
161  *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
162  *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
163  *		Section 2.5, "IP6.ARPA Domain".
164  *
165  *		For dns_ssumatchtype_6to4self, IPv4 address are converted
166  *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
167  *		the top	48 bits of the IPv6 address are mapped to the reverse
168  *		name. This is independent of whether the most significant 16
169  *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
170  *
171  *	Requires:
172  *\li		'table' is a valid SSU table
173  *\li		'signer' is NULL or a valid absolute name
174  *\li		'addr' is NULL or a valid network address.
175  *\li		'aclenv' is NULL or a valid ACL environment.
176  *\li		'name' is a valid absolute name
177  *\li		if 'addr' is not NULL, 'env' is not NULL.
178  */
179 
180 /*% Accessor functions to extract rule components */
181 bool
182 dns_ssurule_isgrant(const dns_ssurule_t *rule);
183 /*% Accessor functions to extract rule components */
184 dns_name_t *
185 dns_ssurule_identity(const dns_ssurule_t *rule);
186 /*% Accessor functions to extract rule components */
187 unsigned int
188 dns_ssurule_matchtype(const dns_ssurule_t *rule);
189 /*% Accessor functions to extract rule components */
190 dns_name_t *
191 dns_ssurule_name(const dns_ssurule_t *rule);
192 /*% Accessor functions to extract rule components */
193 unsigned int
194 dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types);
195 
196 isc_result_t
197 dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule);
198 /*%<
199  * Initiates a rule iterator.  There is no need to maintain any state.
200  *
201  * Returns:
202  *\li	#ISC_R_SUCCESS
203  *\li	#ISC_R_NOMORE
204  */
205 
206 isc_result_t
207 dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule);
208 /*%<
209  * Returns the next rule in the table.
210  *
211  * Returns:
212  *\li	#ISC_R_SUCCESS
213  *\li	#ISC_R_NOMORE
214  */
215 
216 bool
217 dns_ssu_external_match(const dns_name_t *identity, const dns_name_t *signer,
218 		       const dns_name_t *name, const isc_netaddr_t *tcpaddr,
219 		       dns_rdatatype_t type, const dst_key_t *key,
220 		       isc_mem_t *mctx);
221 /*%<
222  * Check a policy rule via an external application
223  */
224 
225 isc_result_t
226 dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
227 /*%<
228  * Set 'mtype' from 'str'
229  *
230  * Requires:
231  *\li		'str' is not NULL.
232  *\li		'mtype' is not NULL,
233  *
234  * Returns:
235  *\li	#ISC_R_SUCCESS
236  *\li	#ISC_R_NOTFOUND
237  */
238 
239 ISC_LANG_ENDDECLS
240 
241 #endif /* DNS_SSU_H */
242