From 5cee8302fce56a10c73a66f2414e26adb621afbc Mon Sep 17 00:00:00 2001 From: Andreas Gustafsson Date: Fri, 10 Dec 1999 18:14:49 +0000 Subject: [PATCH] dns_aml_checkrequest() now takes signer name, not message --- bin/named/client.c | 28 ++++++++++++++++++++++++++- bin/named/include/named/client.h | 3 +++ bin/named/update.c | 2 +- bin/named/xfrout.c | 4 ++-- lib/dns/aml.c | 33 +++----------------------------- lib/dns/include/dns/aml.h | 10 ++++++---- 6 files changed, 42 insertions(+), 38 deletions(-) diff --git a/bin/named/client.c b/bin/named/client.c index 19ea1dbaf9..bd5262ed5e 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -549,6 +549,31 @@ client_request(isc_task_t *task, isc_event_t *event) { } } + /* + * Check for a signature. We log bad signatures regardless of + * whether they ultimately cause the request to be rejected or + * not. We do not log the lack of a signature unless we are + * debugging. + */ + client->signer = NULL; + result = dns_message_signer(client->message, &client->signername); + if (result == DNS_R_SUCCESS) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request has valid signature"); + client->signer = &client->signername; + } else if (result == DNS_R_NOTFOUND) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request is not signed"); + } else { + /* There is a signature, but it is bad. */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: %s", + isc_result_totext(result)); + } + /* * XXXRTH View list management code will be moving to its own module * soon. @@ -572,7 +597,7 @@ client_request(isc_task_t *task, isc_event_t *event) { ns_client_error(client, DNS_R_REFUSED); return; } - + /* * Dispatch the request. */ 
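Review bot: `client->signername` is initialised only once, in `client_create` (the `@@ -685,6 +710,7` hunk), whereas the code this commit removes from `dns_aml_checkrequest` called `dns_name_init()` on a fresh name before every `dns_message_signer()` call. The per-request reset `client->signer = NULL` in the `@@ -549` hunk of `client_request` suggests a client object handles more than one request; if so, later calls receive a name that may still hold the previous request's key name. I would reset the storage next to the pointer, e.g. `dns_name_init(&client->signername, NULL);` immediately before `dns_message_signer(...)`, or use whatever reset call the name API requires at request teardown, so an access-control decision can never see a stale signer. The body of `client_request` starts and ends outside the hunk.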
@@ -685,6 +710,7 @@ client_create(ns_clientmgr_t *manager, ns_clienttype_t type, client->opt = NULL; client->udpsize = 512; client->next = NULL; + dns_name_init(&client->signername, NULL); ISC_LINK_INIT(client, link); /* diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index 20e41bc5a3..2223106dda 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h @@ -22,6 +22,7 @@ #include #include +#include #include #include @@ -70,6 +71,8 @@ struct ns_client { ns_query_t query; isc_stdtime_t requesttime; isc_stdtime_t now; + dns_name_t signername; /* [T]SIG key name */ + dns_name_t * signer; /* NULL if not valid sig */ ISC_LINK(struct ns_client) link; }; diff --git a/bin/named/update.c b/bin/named/update.c index a55e689723..78df8a1027 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -1942,7 +1942,7 @@ update_action(isc_task_t *task, isc_event_t *event) * Check Requestor's Permissions. It seems a bit silly to do this * only after prerequisite testing, but that is what RFC2136 says. */ - CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client), + CHECK(dns_aml_checkrequest(client->signer, ns_client_getsockaddr(client), ns_g_confctx->acls, "update", dns_zone_getupdateacl(zone), NULL, ISC_FALSE)); diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c index 05afe6123b..3209013bca 100644 --- a/bin/named/xfrout.c +++ b/bin/named/xfrout.c @@ -15,7 +15,7 @@ * SOFTWARE. */ - /* $Id: xfrout.c,v 1.26 1999/12/06 18:11:49 gson Exp $ */ + /* $Id: xfrout.c,v 1.27 1999/12/10 18:14:49 gson Exp $ */ #include @@ -888,7 +888,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) mnemonic); /* Decide whether to allow this transfer. */ - CHECK(dns_aml_checkrequest(request, + CHECK(dns_aml_checkrequest(client->signer, ns_client_getsockaddr(client), ns_g_confctx->acls, "zone transfer", diff --git a/lib/dns/aml.c b/lib/dns/aml.c index 1eba379fe9..4ea003467d 100644 --- a/lib/dns/aml.c +++ b/lib/dns/aml.c 
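Review bot: The comments on the two new `struct ns_client` fields (the `@@ -70,6 +71,8` hunk) do not say which field authorization code may rely on. `signername` is handed to `dns_message_signer()` before the result is checked, so its contents are presumably not meaningful when the signature is absent or bad; only `signer` encodes the outcome of verification. I would word them as `/* storage for the [T]SIG key name; use 'signer', not this */` and `/* &signername if the request has a valid signature, else NULL */`.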
@@ -31,44 +31,17 @@ #include isc_result_t -dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, +dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr, dns_c_acltable_t *acltable, const char *opname, dns_c_ipmatchlist_t *main_aml, dns_c_ipmatchlist_t *fallback_aml, isc_boolean_t default_allow) { - isc_result_t result, sig_result; - dns_name_t signer; + isc_result_t result; dns_name_t *ok_signer = NULL; int match; dns_c_ipmatchlist_t *aml = NULL; - dns_name_init(&signer, NULL); - - /* - * Check for a TSIG. We log bad TSIGs regardless of whether they - * cause the request to be rejected or not (it may be allowd - * because of another AML). We do not log the lack of a TSIG - * unless we are debugging. - */ - sig_result = result = dns_message_signer(request, &signer); - if (result == DNS_R_SUCCESS) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, - DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3), - "request has valid signature"); - ok_signer = &signer; - } else if (result == DNS_R_NOTFOUND) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, - DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3), - "request is not signed"); - } else { - /* There is a signature, but it is bad. */ - isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY, - DNS_LOGMODULE_AML, ISC_LOG_ERROR, - "request has invalid signature: %s", - isc_result_totext(result)); - } - if (main_aml != NULL) aml = main_aml; else if (fallback_aml != NULL) @@ -78,7 +51,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, else goto deny; - result = dns_aml_match(reqaddr, ok_signer, aml, + result = dns_aml_match(reqaddr, signer, aml, acltable, &match, NULL); if (result != DNS_R_SUCCESS) goto deny; /* Internal error, already logged. */ diff --git a/lib/dns/include/dns/aml.h b/lib/dns/include/dns/aml.h index e6e54b9c81..7869cd59f7 100644 --- a/lib/dns/include/dns/aml.h +++ b/lib/dns/include/dns/aml.h 
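Review bot: `dns_name_t *ok_signer = NULL;` is kept as a context line in the `@@ -31,44 +31,17` hunk, but its only visible assignment (`ok_signer = &signer;`) is deleted there and its only visible use is replaced by `signer` in the `@@ -78,7 +51,7` hunk. Unless it is referenced in the part of `dns_aml_checkrequest` outside these hunks, it is now a dead local and the declaration should be dropped. Leaving it in invites a later edit that passes the always-NULL `ok_signer` to `dns_aml_match()` by mistake, which would silently disable key-based matching.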
@@ -42,7 +42,7 @@ ISC_LANG_BEGINDECLS isc_result_t -dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, +dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr, dns_c_acltable_t *acltable, const char *opname, dns_c_ipmatchlist_t *main_aml, dns_c_ipmatchlist_t *fallback_aml, @@ -50,8 +50,10 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, /* * Convenience function for "typical" DNS request permission checking. * - * Check the DNS request 'request', from IP address 'reqaddr', - * against the address match list 'main_aml'. If main_aml is NULL, + * Check the DNS request signed by the key whose name is 'signer', + * from IP address 'reqaddr', against the address match list 'main_aml'. + * + * If main_aml is NULL, * check against 'fallback_aml' instead. If fallback_aml * is also NULL, allow the request iff 'default_allow' is ISC_TRUE. * Log the outcome of the check if deemed appropriate. @@ -67,7 +69,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, * the case of the blackhole list this would be backwards. * * Requires: - * 'request' points to a valid DNS message. + * 'signer' points to a valid name or is NULL. * 'reqaddr' points to a valid socket address. * 'acltable' points to a valid ACL table. * 'opname' points to a null-terminated string.
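Review bot: The new precondition `'signer' points to a valid name or is NULL` (the `@@ -67,7 +69,7` hunk) describes the pointer but not the trust it carries. Since this commit moves the `dns_message_signer()` call out of `dns_aml_checkrequest`, the function can no longer tell a verified key name from an unverified one, so every caller must pass NULL unless it has checked the signature. I would state that in the Requires block, e.g. `'signer' is NULL, or points to the name of the key whose signature on the request the caller has already verified.` The description in the `@@ -50,8 +50,10` hunk ("signed by the key whose name is 'signer'") could add that NULL means unsigned or failed verification.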