1 /* 2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. 7 * 8 * See the COPYRIGHT file distributed with this work for additional 9 * information regarding copyright ownership. 10 */ 11 12 #ifndef DNS_SSU_H 13 #define DNS_SSU_H 1 14 15 /*! \file dns/ssu.h */ 16 17 #include <stdbool.h> 18 19 #include <isc/lang.h> 20 21 #include <dns/acl.h> 22 #include <dns/types.h> 23 24 #include <dst/dst.h> 25 26 ISC_LANG_BEGINDECLS 27 28 typedef enum { 29 dns_ssumatchtype_name = 0, 30 dns_ssumatchtype_subdomain = 1, 31 dns_ssumatchtype_wildcard = 2, 32 dns_ssumatchtype_self = 3, 33 dns_ssumatchtype_selfsub = 4, 34 dns_ssumatchtype_selfwild = 5, 35 dns_ssumatchtype_selfkrb5 = 6, 36 dns_ssumatchtype_selfms = 7, 37 dns_ssumatchtype_subdomainms = 8, 38 dns_ssumatchtype_subdomainkrb5 = 9, 39 dns_ssumatchtype_tcpself = 10, 40 dns_ssumatchtype_6to4self = 11, 41 dns_ssumatchtype_external = 12, 42 dns_ssumatchtype_local = 13, 43 dns_ssumatchtype_selfsubms = 14, 44 dns_ssumatchtype_selfsubkrb5 = 15, 45 dns_ssumatchtype_max = 15, /* max value */ 46 47 dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */ 48 } dns_ssumatchtype_t; 49 50 isc_result_t 51 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table); 52 /*%< 53 * Creates a table that will be used to store simple-secure-update rules. 54 * Note: all locking must be provided by the client. 55 * 56 * Requires: 57 *\li 'mctx' is a valid memory context 58 *\li 'table' is not NULL, and '*table' is NULL 59 * 60 * Returns: 61 *\li ISC_R_SUCCESS 62 *\li ISC_R_NOMEMORY 63 */ 64 65 isc_result_t 66 dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, 67 dns_dlzdb_t *dlzdatabase); 68 /*%< 69 * Create an SSU table that contains a dlzdatabase pointer, and a 70 * single rule with matchtype dns_ssumatchtype_dlz. This type of SSU 71 * table is used by writeable DLZ drivers to offload authorization for 72 * updates to the driver. 73 */ 74 75 void 76 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp); 77 /*%< 78 * Attach '*targetp' to 'source'. 79 * 80 * Requires: 81 *\li 'source' is a valid SSU table 82 *\li 'targetp' points to a NULL dns_ssutable_t *. 83 * 84 * Ensures: 85 *\li *targetp is attached to source. 86 */ 87 88 void 89 dns_ssutable_detach(dns_ssutable_t **tablep); 90 /*%< 91 * Detach '*tablep' from its simple-secure-update rule table. 92 * 93 * Requires: 94 *\li 'tablep' points to a valid dns_ssutable_t 95 * 96 * Ensures: 97 *\li *tablep is NULL 98 *\li If '*tablep' is the last reference to the SSU table, all 99 * resources used by the table will be freed. 100 */ 101 102 isc_result_t 103 dns_ssutable_addrule(dns_ssutable_t *table, bool grant, 104 const dns_name_t *identity, dns_ssumatchtype_t matchtype, 105 const dns_name_t *name, unsigned int ntypes, 106 dns_rdatatype_t *types); 107 /*%< 108 * Adds a new rule to a simple-secure-update rule table. The rule 109 * either grants or denies update privileges of an identity (or set of 110 * identities) to modify a name (or set of names) or certain types present 111 * at that name. 112 * 113 * Notes: 114 *\li If 'matchtype' is of SELF type, this rule only matches if the 115 * name to be updated matches the signing identity. 116 * 117 *\li If 'ntypes' is 0, this rule applies to all types except 118 * NS, SOA, RRSIG, and NSEC. 119 * 120 *\li If 'types' includes ANY, this rule applies to all types 121 * except NSEC. 122 * 123 * Requires: 124 *\li 'table' is a valid SSU table 125 *\li 'identity' is a valid absolute name 126 *\li 'matchtype' must be one of the defined constants. 127 *\li 'name' is a valid absolute name 128 *\li If 'ntypes' > 0, 'types' must not be NULL 129 * 130 * Returns: 131 *\li ISC_R_SUCCESS 132 *\li ISC_R_NOMEMORY 133 */ 134 135 bool 136 dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, 137 const dns_name_t *name, const isc_netaddr_t *addr, 138 bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type, 139 const dst_key_t *key); 140 /*%< 141 * Checks that the attempted update of (name, type) is allowed according 142 * to the rules specified in the simple-secure-update rule table. If 143 * no rules are matched, access is denied. 144 * 145 * Notes: 146 * In dns_ssutable_checkrules(), 'addr' should only be 147 * set if the request received via TCP. This provides a 148 * weak assurance that the request was not spoofed. 149 * 'addr' is to to validate dns_ssumatchtype_tcpself 150 * and dns_ssumatchtype_6to4self rules. 151 * 152 * In dns_ssutable_checkrules2(), 'addr' can also be passed for 153 * UDP requests and TCP is specified via the 'tcp' parameter. 154 * In addition to dns_ssumatchtype_tcpself and 155 * tcp_ssumatchtype_6to4self rules, the address 156 * also be used to check dns_ssumatchtype_local rules. 157 * If 'addr' is set then 'env' must also be set so that 158 * requests from non-localhost addresses can be rejected. 159 * 160 * For dns_ssumatchtype_tcpself the addresses are mapped to 161 * the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. 162 * RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, 163 * Section 2.5, "IP6.ARPA Domain". 164 * 165 * For dns_ssumatchtype_6to4self, IPv4 address are converted 166 * to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only 167 * the top 48 bits of the IPv6 address are mapped to the reverse 168 * name. This is independent of whether the most significant 16 169 * bits match 2002::/16, assigned for 6to4 prefixes, or not. 170 * 171 * Requires: 172 *\li 'table' is a valid SSU table 173 *\li 'signer' is NULL or a valid absolute name 174 *\li 'addr' is NULL or a valid network address. 175 *\li 'aclenv' is NULL or a valid ACL environment. 176 *\li 'name' is a valid absolute name 177 *\li if 'addr' is not NULL, 'env' is not NULL. 178 */ 179 180 /*% Accessor functions to extract rule components */ 181 bool 182 dns_ssurule_isgrant(const dns_ssurule_t *rule); 183 /*% Accessor functions to extract rule components */ 184 dns_name_t * 185 dns_ssurule_identity(const dns_ssurule_t *rule); 186 /*% Accessor functions to extract rule components */ 187 unsigned int 188 dns_ssurule_matchtype(const dns_ssurule_t *rule); 189 /*% Accessor functions to extract rule components */ 190 dns_name_t * 191 dns_ssurule_name(const dns_ssurule_t *rule); 192 /*% Accessor functions to extract rule components */ 193 unsigned int 194 dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types); 195 196 isc_result_t 197 dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule); 198 /*%< 199 * Initiates a rule iterator. There is no need to maintain any state. 200 * 201 * Returns: 202 *\li #ISC_R_SUCCESS 203 *\li #ISC_R_NOMORE 204 */ 205 206 isc_result_t 207 dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule); 208 /*%< 209 * Returns the next rule in the table. 210 * 211 * Returns: 212 *\li #ISC_R_SUCCESS 213 *\li #ISC_R_NOMORE 214 */ 215 216 bool 217 dns_ssu_external_match(const dns_name_t *identity, const dns_name_t *signer, 218 const dns_name_t *name, const isc_netaddr_t *tcpaddr, 219 dns_rdatatype_t type, const dst_key_t *key, 220 isc_mem_t *mctx); 221 /*%< 222 * Check a policy rule via an external application 223 */ 224 225 isc_result_t 226 dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype); 227 /*%< 228 * Set 'mtype' from 'str' 229 * 230 * Requires: 231 *\li 'str' is not NULL. 232 *\li 'mtype' is not NULL, 233 * 234 * Returns: 235 *\li #ISC_R_SUCCESS 236 *\li #ISC_R_NOTFOUND 237 */ 238 239 ISC_LANG_ENDDECLS 240 241 #endif /* DNS_SSU_H */ 242