    1 /*
    2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    3  *
    4  * This Source Code Form is subject to the terms of the Mozilla Public
    5  * License, v. 2.0. If a copy of the MPL was not distributed with this
    6  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
    7  *
    8  * See the COPYRIGHT file distributed with this work for additional
    9  * information regarding copyright ownership.
   10  */
   11 
   12 #ifndef DNS_SSU_H
   13 #define DNS_SSU_H 1
   14 
   15 /*! \file dns/ssu.h */
   16 
   17 #include <stdbool.h>
   18 
   19 #include <isc/lang.h>
   20 
   21 #include <dns/acl.h>
   22 #include <dns/types.h>
   23 #include <dst/dst.h>
   24 
   25 ISC_LANG_BEGINDECLS
   26 
/*%
 * Match types for simple-secure-update (SSU) rules: how a rule's 'name'
 * is compared against the name an update attempts to modify.  Rules are
 * added with dns_ssutable_addrule() and evaluated by
 * dns_ssutable_checkrules()/dns_ssutable_checkrules2() below.
 *
 * The self* variants only match when the name to be updated matches the
 * signing identity.  The tcpself, 6to4self and local variants are
 * validated against the request's source address, so they are only as
 * trustworthy as that address; the dns_ssutable_checkrules() notes below
 * describe when 'addr' may be relied upon (weak assurance over TCP only).
 *
 * The numeric values are explicit and are exposed as unsigned int by
 * dns_ssurule_matchtype(), so keep the existing values stable.
 */
typedef enum {
    dns_ssumatchtype_name = 0,
    dns_ssumatchtype_subdomain = 1,
    dns_ssumatchtype_wildcard = 2,
    dns_ssumatchtype_self    = 3,      /* self*: update name must match the signer */
    dns_ssumatchtype_selfsub = 4,
    dns_ssumatchtype_selfwild = 5,
    dns_ssumatchtype_selfkrb5 = 6,     /* krb5/ms: presumably derived from the signer's
                                          Kerberos/MS principal -- confirm in ssu.c */
    dns_ssumatchtype_selfms  = 7,
    dns_ssumatchtype_subdomainms = 8,
    dns_ssumatchtype_subdomainkrb5 = 9,
    dns_ssumatchtype_tcpself = 10,     /* checked against the request source address */
    dns_ssumatchtype_6to4self = 11,    /* source address mapped to a 6to4 prefix (RFC 3056) */
    dns_ssumatchtype_external = 12,    /* decided by an external application, see
                                          dns_ssu_external_match() */
    dns_ssumatchtype_local = 13,       /* source address checked via 'env' in
                                          dns_ssutable_checkrules2() */
    dns_ssumatchtype_selfsubms = 14,
    dns_ssumatchtype_selfsubkrb5 = 15,
    dns_ssumatchtype_max = 15,  /* max value: highest match type usable in ordinary rules */

    dns_ssumatchtype_dlz = 16   /* intentionally higher than _max: only used by the single
                                   rule of tables created with dns_ssutable_createdlz() */
} dns_ssumatchtype_t;
   48 
   49 #define DNS_SSUMATCHTYPE_NAME       dns_ssumatchtype_name
   50 #define DNS_SSUMATCHTYPE_SUBDOMAIN  dns_ssumatchtype_subdomain
   51 #define DNS_SSUMATCHTYPE_WILDCARD   dns_ssumatchtype_wildcard
   52 #define DNS_SSUMATCHTYPE_SELF       dns_ssumatchtype_self
   53 #define DNS_SSUMATCHTYPE_SELFSUB    dns_ssumatchtype_selfsub
   54 #define DNS_SSUMATCHTYPE_SELFWILD   dns_ssumatchtype_selfwild
   55 #define DNS_SSUMATCHTYPE_SELFKRB5   dns_ssumatchtype_selfkrb5
   56 #define DNS_SSUMATCHTYPE_SELFMS     dns_ssumatchtype_selfms
   57 #define DNS_SSUMATCHTYPE_SUBDOMAINMS    dns_ssumatchtype_subdomainms
   58 #define DNS_SSUMATCHTYPE_SUBDOMAINKRB5  dns_ssumatchtype_subdomainkrb5
   59 #define DNS_SSUMATCHTYPE_TCPSELF    dns_ssumatchtype_tcpself
   60 #define DNS_SSUMATCHTYPE_6TO4SELF   dns_ssumatchtype_6to4self
   61 #define DNS_SSUMATCHTYPE_EXTERNAL   dns_ssumatchtype_external
   62 #define DNS_SSUMATCHTYPE_LOCAL      dns_ssumatchtype_local
   63 #define DNS_SSUMATCHTYPE_MAX        dns_ssumatchtype_max  /* max value */
   64 
   65 #define DNS_SSUMATCHTYPE_DLZ        dns_ssumatchtype_dlz  /* intentionally higher than _MAX */
   66 
   67 isc_result_t
   68 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
   69 /*%<
   70  *  Creates a table that will be used to store simple-secure-update rules.
   71  *  Note: all locking must be provided by the client.
   72  *
   73  *  Requires:
   74  *\li       'mctx' is a valid memory context
   75  *\li       'table' is not NULL, and '*table' is NULL
   76  *
   77  *  Returns:
   78  *\li       ISC_R_SUCCESS
   79  *\li       ISC_R_NOMEMORY
   80  */
   81 
   82 isc_result_t
   83 dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
   84                dns_dlzdb_t *dlzdatabase);
   85 /*%<
   86  * Create an SSU table that contains a dlzdatabase pointer, and a
   87  * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
   88  * table is used by writeable DLZ drivers to offload authorization for
   89  * updates to the driver.
   90  */
   91 
   92 void
   93 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
   94 /*%<
   95  *  Attach '*targetp' to 'source'.
   96  *
   97  *  Requires:
   98  *\li       'source' is a valid SSU table
   99  *\li       'targetp' points to a NULL dns_ssutable_t *.
  100  *
  101  *  Ensures:
  102  *\li       *targetp is attached to source.
  103  */
  104 
  105 void
  106 dns_ssutable_detach(dns_ssutable_t **tablep);
  107 /*%<
  108  *  Detach '*tablep' from its simple-secure-update rule table.
  109  *
  110  *  Requires:
  111  *\li       'tablep' points to a valid dns_ssutable_t
  112  *
  113  *  Ensures:
  114  *\li       *tablep is NULL
  115  *\li       If '*tablep' is the last reference to the SSU table, all
  116  *          resources used by the table will be freed.
  117  */
  118 
  119 isc_result_t
  120 dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
  121              dns_name_t *identity, unsigned int matchtype,
  122              dns_name_t *name, unsigned int ntypes,
  123              dns_rdatatype_t *types);
  124 /*%<
  125  *  Adds a new rule to a simple-secure-update rule table.  The rule
  126  *  either grants or denies update privileges of an identity (or set of
  127  *  identities) to modify a name (or set of names) or certain types present
  128  *  at that name.
  129  *
  130  *  Notes:
  131  *\li       If 'matchtype' is of SELF type, this rule only matches if the
  132  *              name to be updated matches the signing identity.
  133  *
  134  *\li       If 'ntypes' is 0, this rule applies to all types except
  135  *      NS, SOA, RRSIG, and NSEC.
  136  *
  137  *\li       If 'types' includes ANY, this rule applies to all types
  138  *      except NSEC.
  139  *
  140  *  Requires:
  141  *\li       'table' is a valid SSU table
  142  *\li       'identity' is a valid absolute name
  143  *\li       'matchtype' must be one of the defined constants.
  144  *\li       'name' is a valid absolute name
  145  *\li       If 'ntypes' > 0, 'types' must not be NULL
  146  *
  147  *  Returns:
  148  *\li       ISC_R_SUCCESS
  149  *\li       ISC_R_NOMEMORY
  150  */
  151 
  152 bool
  153 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
  154             dns_name_t *name, isc_netaddr_t *addr,
  155             dns_rdatatype_t type, const dst_key_t *key);
  156 bool
  157 dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
  158             dns_name_t *name, isc_netaddr_t *addr,
  159             bool tcp, const dns_aclenv_t *env,
  160             dns_rdatatype_t type, const dst_key_t *key);
  161 /*%<
  162  *  Checks that the attempted update of (name, type) is allowed according
  163  *  to the rules specified in the simple-secure-update rule table.  If
  164  *  no rules are matched, access is denied.
  165  *
  166  *  Notes:
   167  *      In dns_ssutable_checkrules(), 'addr' should only be
   168  *      set if the request was received via TCP.  This provides a
   169  *      weak assurance that the request was not spoofed.
   170  *      'addr' is used to validate DNS_SSUMATCHTYPE_TCPSELF
   171  *      and DNS_SSUMATCHTYPE_6TO4SELF rules.
  172  *
   173  *      In dns_ssutable_checkrules2(), 'addr' can also be passed for
   174  *      UDP requests and TCP is specified via the 'tcp' parameter.
   175  *      In addition to DNS_SSUMATCHTYPE_TCPSELF and
   176  *      DNS_SSUMATCHTYPE_6TO4SELF rules, the address can
   177  *      also be used to check DNS_SSUMATCHTYPE_LOCAL rules.
   178  *      If 'addr' is set then 'env' must also be set so that
   179  *      requests from non-localhost addresses can be rejected.
  180  *
  181  *      For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
  182  *      the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
  183  *      RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
  184  *      Section 2.5, "IP6.ARPA Domain".
  185  *
   186  *      For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 addresses are converted
  187  *      to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
  188  *      the top 48 bits of the IPv6 address are mapped to the reverse
  189  *      name. This is independent of whether the most significant 16
  190  *      bits match 2002::/16, assigned for 6to4 prefixes, or not.
  191  *
  192  *  Requires:
  193  *\li       'table' is a valid SSU table
  194  *\li       'signer' is NULL or a valid absolute name
  195  *\li       'addr' is NULL or a valid network address.
   196  *\li       'env' is NULL or a valid ACL environment.
  197  *\li       'name' is a valid absolute name
  198  *\li       if 'addr' is not NULL, 'env' is not NULL.
  199  */
  200 
  201 
   202 /*% Accessor: returns true if 'rule' grants update privileges, false if it denies them */
  203 bool    dns_ssurule_isgrant(const dns_ssurule_t *rule);
   204 /*% Accessor: returns the identity the rule applies to */
  205 dns_name_t *    dns_ssurule_identity(const dns_ssurule_t *rule);
   206 /*% Accessor: returns the rule's match type, one of the dns_ssumatchtype_* values */
  207 unsigned int    dns_ssurule_matchtype(const dns_ssurule_t *rule);
   208 /*% Accessor: returns the name the rule applies to */
  209 dns_name_t *    dns_ssurule_name(const dns_ssurule_t *rule);
   210 /*% Accessor: returns the rule's type count and its type list via '*types' (see 'ntypes'/'types' in dns_ssutable_addrule()) */
  211 unsigned int    dns_ssurule_types(const dns_ssurule_t *rule,
  212                   dns_rdatatype_t **types);
  213 
  214 isc_result_t    dns_ssutable_firstrule(const dns_ssutable_t *table,
  215                        dns_ssurule_t **rule);
  216 /*%<
  217  * Initiates a rule iterator.  There is no need to maintain any state.
  218  *
  219  * Returns:
  220  *\li   #ISC_R_SUCCESS
  221  *\li   #ISC_R_NOMORE
  222  */
  223 
  224 isc_result_t    dns_ssutable_nextrule(dns_ssurule_t *rule,
  225                       dns_ssurule_t **nextrule);
  226 /*%<
  227  * Returns the next rule in the table.
  228  *
  229  * Returns:
  230  *\li   #ISC_R_SUCCESS
  231  *\li   #ISC_R_NOMORE
  232  */
  233 
  234 bool
  235 dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
  236                dns_name_t *name, isc_netaddr_t *tcpaddr,
  237                dns_rdatatype_t type, const dst_key_t *key,
  238                isc_mem_t *mctx);
  239 /*%<
  240  * Check a policy rule via an external application
  241  */
  242 
  243 isc_result_t
  244 dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
  245 /*%<
  246  * Set 'mtype' from 'str'
  247  *
  248  * Requires:
  249  *\li       'str' is not NULL.
   250  *\li       'mtype' is not NULL.
  251  *
  252  * Returns:
  253  *\li   #ISC_R_SUCCESS
  254  *\li   #ISC_R_NOTFOUND
  255  */
  256 
  257 ISC_LANG_ENDDECLS
  258 
  259 #endif /* DNS_SSU_H */