1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
/*
* Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $ISC: ssu.h,v 1.11.206.3 2004/03/08 09:04:39 marka Exp $ */
#ifndef DNS_SSU_H
#define DNS_SSU_H 1
#include <isc/lang.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
#define DNS_SSUMATCHTYPE_NAME 0
#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
#define DNS_SSUMATCHTYPE_WILDCARD 2
#define DNS_SSUMATCHTYPE_SELF 3
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
/*
* Creates a table that will be used to store simple-secure-update rules.
* Note: all locking must be provided by the client.
*
* Requires:
* 'mctx' is a valid memory context
* 'table' is not NULL, and '*table' is NULL
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
*/
void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
/*
* Attach '*targetp' to 'source'.
*
* Requires:
* 'source' is a valid SSU table
* 'targetp' points to a NULL dns_ssutable_t *.
*
* Ensures:
* *targetp is attached to source.
*/
void
dns_ssutable_detach(dns_ssutable_t **tablep);
/*
* Detach '*tablep' from its simple-secure-update rule table.
*
* Requires:
* 'tablep' points to a valid dns_ssutable_t
*
* Ensures:
* *tablep is NULL
* If '*tablep' is the last reference to the SSU table, all
* resources used by the table will be freed.
*/
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
dns_name_t *identity, unsigned int matchtype,
dns_name_t *name, unsigned int ntypes,
dns_rdatatype_t *types);
/*
* Adds a new rule to a simple-secure-update rule table. The rule
* either grants or denies update privileges of an identity (or set of
* identities) to modify a name (or set of names) or certain types present
* at that name.
*
* Notes:
* If 'matchtype' is SELF, this rule only matches if the name
* to be updated matches the signing identity.
*
* If 'ntypes' is 0, this rule applies to all types except
* NS, SOA, RRSIG, and NSEC.
*
* If 'types' includes ANY, this rule applies to all types
* except NSEC.
*
* Requires:
* 'table' is a valid SSU table
* 'identity' is a valid absolute name
* 'matchtype' must be one of the defined constants.
* 'name' is a valid absolute name
* If 'ntypes' > 0, 'types' must not be NULL
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
*/
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, dns_rdatatype_t type);
/*
* Checks that the attempted update of (name, type) is allowed according
* to the rules specified in the simple-secure-update rule table. If
* no rules are matched, access is denied. If signer is NULL, access
* is denied.
*
* Requires:
* 'table' is a valid SSU table
* 'signer' is NULL or a valid absolute name
* 'name' is a valid absolute name
*/
isc_boolean_t dns_ssurule_isgrant(const dns_ssurule_t *rule);
dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule);
unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule);
dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule);
unsigned int dns_ssurule_types(const dns_ssurule_t *rule,
dns_rdatatype_t **types);
/*
* Accessor functions to extract rule components
*/
isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table,
dns_ssurule_t **rule);
/*
* Initiates a rule iterator. There is no need to maintain any state.
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMORE
*/
isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule,
dns_ssurule_t **nextrule);
/*
* Returns the next rule in the table.
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMORE
*/
ISC_LANG_ENDDECLS
#endif /* DNS_SSU_H */
|
