Commit 5012c7b9 authored by Andreas Gustafsson's avatar Andreas Gustafsson
Browse files

obey the allow-update configuration statement, kind of -

allowing a key will currently allow any key, and allowing an IP address
will allow updates from any IP address
parent 2361fb6a
......@@ -28,6 +28,7 @@
#include <isc/result.h>
#include <isc/taskpool.h>
#include <dns/confip.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/dbtable.h>
......@@ -1812,6 +1813,76 @@ ns_update_start(ns_client_t *client)
respond(client, result);
}
/*
* This could eventually be fleshed out to handle the other "allow-*"
* options, too.
*/
static isc_result_t
check_permissions(dns_message_t *request, dns_c_ipmatchlist_t *aml) {
dns_result_t result, sig_result;
dns_name_t signer;
dns_c_ipmatchelement_t *e;
dns_name_init(&signer, NULL);
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be approved
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
sig_result = result = dns_message_signer(request, &signer);
if (result == DNS_R_SUCCESS) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"signature verification failed: %s",
isc_result_totext(result));
}
if (aml == NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"dynamic update request denied: "
"no address match list configured");
FAIL(DNS_R_REFUSED);
}
for (e = ISC_LIST_HEAD(aml->elements);
e != NULL;
e = ISC_LIST_NEXT(e, next))
{
switch (e->type) {
case dns_c_ipmatch_key:
/* XXX temporary, dangerous hack: if any key
is allowed, we allow them all. */
if (sig_result == DNS_R_SUCCESS)
goto approve;
break;
case dns_c_ipmatch_pattern:
/* XXX temporary, dangerous hack: if any IP address
is allowed, we allow them all. */
goto approve;
default:
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_WARNING,
"address match list contains "
"unsupported element type");
break;
}
}
FAIL(DNS_R_REFUSED);
approve:
result = DNS_R_SUCCESS;
failure:
return (result);
}
static void
update_action(isc_task_t *task, isc_event_t *event)
{
......@@ -1831,13 +1902,11 @@ update_action(isc_task_t *task, isc_event_t *event)
dns_message_t *request = client->message;
dns_rdataclass_t zoneclass;
dns_name_t *zonename;
dns_name_t signer;
INSIST(event->type == DNS_EVENT_UPDATE);
dns_diff_init(mctx, &diff);
dns_diff_init(mctx, &temp);
dns_name_init(&signer, NULL);
CHECK(dns_zone_getdb(zone, &db));
zonename = dns_db_origin(db);
......@@ -1942,18 +2011,8 @@ update_action(isc_task_t *task, isc_event_t *event)
* Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says.
*/
result = dns_message_signer(request, &signer);
if (result != DNS_R_SUCCESS) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"dynamic update request denied: "
"signature verification failed: %s",
isc_result_totext(result));
FAIL(DNS_R_REFUSED);
} else {
isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
}
CHECK(check_permissions(request, dns_zone_getupdateacl(zone)));
/* Perform the Update Section Prescan. */
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment