Commit d8c70cbc authored by Andreas Gustafsson's avatar Andreas Gustafsson

use new AML code for checking "allow-update"

parent dac2799e
......@@ -28,6 +28,7 @@
#include <isc/result.h>
#include <isc/taskpool.h>
#include <dns/aml.h>
#include <dns/confip.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
......@@ -1813,76 +1814,6 @@ ns_update_start(ns_client_t *client)
respond(client, result);
}
/*
* This could eventually be fleshed out to handle the other "allow-*"
* options, too.
*/
static isc_result_t
check_permissions(dns_message_t *request, dns_c_ipmatchlist_t *aml) {
dns_result_t result, sig_result;
dns_name_t signer;
dns_c_ipmatchelement_t *e;
dns_name_init(&signer, NULL);
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be approved
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
sig_result = result = dns_message_signer(request, &signer);
if (result == DNS_R_SUCCESS) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"signature verification failed: %s",
isc_result_totext(result));
}
if (aml == NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"dynamic update request denied: "
"no address match list configured");
FAIL(DNS_R_REFUSED);
}
for (e = ISC_LIST_HEAD(aml->elements);
e != NULL;
e = ISC_LIST_NEXT(e, next))
{
switch (e->type) {
case dns_c_ipmatch_key:
/* XXX temporary, dangerous hack: if any key
is allowed, we allow them all. */
if (sig_result == DNS_R_SUCCESS)
goto approve;
break;
case dns_c_ipmatch_pattern:
/* XXX temporary, dangerous hack: if any IP address
is allowed, we allow them all. */
goto approve;
default:
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_WARNING,
"address match list contains "
"unsupported element type");
break;
}
}
FAIL(DNS_R_REFUSED);
approve:
result = DNS_R_SUCCESS;
failure:
return (result);
}
static void
update_action(isc_task_t *task, isc_event_t *event)
{
......@@ -2011,8 +1942,11 @@ update_action(isc_task_t *task, isc_event_t *event)
* Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says.
*/
CHECK(check_permissions(request, dns_zone_getupdateacl(zone)));
CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client),
dns_zone_getupdateacl(zone),
ns_g_confctx->acls,
"update", ISC_FALSE));
/* Perform the Update Section Prescan. */
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
......
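Review bot: The bare `ISC_FALSE` passed as the last argument to `dns_aml_checkrequest()` in update_action appears to carry the fail-closed decision for dynamic updates, and nothing at the call site says so. The removed check_permissions() refused the request when no address match list was configured; presumably this flag is the default-allow switch, in which case `ISC_FALSE` keeps that behaviour, but that should be confirmed against dns/aml.h and recorded in a comment such as `/* ISC_FALSE: refuse the update when the zone has no allow-update list */`. It is also worth confirming that the new helper still logs a failed signature verification in the security category at error level, since the old function did that before it looked at the list. update_action's body starts and ends outside the hunk.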