
dns_aml_checkrequest() now takes signer name, not message

Andreas Gustafsson
1999-12-10 18:14:49 +00:00
parent 211e0a6fc2
commit 5cee8302fc
6 changed files with 42 additions and 38 deletions


@@ -549,6 +549,31 @@ client_request(isc_task_t *task, isc_event_t *event) {
} }
} }
/*
* Check for a signature. We log bad signatures regardless of
* whether they ultimately cause the request to be rejected or
* not. We do not log the lack of a signature unless we are
* debugging.
*/
client->signer = NULL;
result = dns_message_signer(client->message, &client->signername);
if (result == DNS_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request has valid signature");
client->signer = &client->signername;
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
"request has invalid signature: %s",
isc_result_totext(result));
}
/* /*
* XXXRTH View list management code will be moving to its own module * XXXRTH View list management code will be moving to its own module
* soon. * soon.
@@ -572,7 +597,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_error(client, DNS_R_REFUSED); ns_client_error(client, DNS_R_REFUSED);
return; return;
} }
/* /*
* Dispatch the request. * Dispatch the request.
*/ */
@@ -685,6 +710,7 @@ client_create(ns_clientmgr_t *manager, ns_clienttype_t type,
client->opt = NULL; client->opt = NULL;
client->udpsize = 512; client->udpsize = 512;
client->next = NULL; client->next = NULL;
dns_name_init(&client->signername, NULL);
ISC_LINK_INIT(client, link); ISC_LINK_INIT(client, link);
/* /*
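Review bot: The final `else` branch of the signature check in the first hunk only logs the bad signature and lets the request continue with `client->signer` still NULL, so every later ACL check sees it exactly as an unsigned request, and an address-only match list can still accept it. That mirrors the logic removed from dns_aml_checkrequest(), but because the check now runs once for the whole request (and feeds both the update and zone-transfer callers changed in this commit) it deserves a comment at this spot, e.g. `/* A bad signature is treated like no signature; address-based ACL elements may still allow the request. */`, or the result should be kept so callers can refuse outright. Separately, `client->signername` is initialised only in client_create() (third hunk) and then reused for every request; if dns_message_signer() leaves it referring to memory owned by the message, repeating `dns_name_init(&client->signername, NULL);` next to `client->signer = NULL;` would avoid a stale reference. That last point is inferred, since dns_message_signer() is not shown, and client_request() itself begins and ends outside the hunks.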


@@ -22,6 +22,7 @@
#include <isc/stdtime.h> #include <isc/stdtime.h>
#include <isc/buffer.h> #include <isc/buffer.h>
#include <dns/name.h>
#include <dns/types.h> #include <dns/types.h>
#include <dns/tcpmsg.h> #include <dns/tcpmsg.h>
@@ -70,6 +71,8 @@ struct ns_client {
ns_query_t query; ns_query_t query;
isc_stdtime_t requesttime; isc_stdtime_t requesttime;
isc_stdtime_t now; isc_stdtime_t now;
dns_name_t signername; /* [T]SIG key name */
dns_name_t * signer; /* NULL if not valid sig */
ISC_LINK(struct ns_client) link; ISC_LINK(struct ns_client) link;
}; };


@@ -1942,7 +1942,7 @@ update_action(isc_task_t *task, isc_event_t *event)
* Check Requestor's Permissions. It seems a bit silly to do this * Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says. * only after prerequisite testing, but that is what RFC2136 says.
*/ */
CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client), CHECK(dns_aml_checkrequest(client->signer, ns_client_getsockaddr(client),
ns_g_confctx->acls, "update", ns_g_confctx->acls, "update",
dns_zone_getupdateacl(zone), dns_zone_getupdateacl(zone),
NULL, ISC_FALSE)); NULL, ISC_FALSE));


@@ -15,7 +15,7 @@
* SOFTWARE. * SOFTWARE.
*/ */
/* $Id: xfrout.c,v 1.26 1999/12/06 18:11:49 gson Exp $ */ /* $Id: xfrout.c,v 1.27 1999/12/10 18:14:49 gson Exp $ */
#include <config.h> #include <config.h>
@@ -888,7 +888,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
mnemonic); mnemonic);
/* Decide whether to allow this transfer. */ /* Decide whether to allow this transfer. */
CHECK(dns_aml_checkrequest(request, CHECK(dns_aml_checkrequest(client->signer,
ns_client_getsockaddr(client), ns_client_getsockaddr(client),
ns_g_confctx->acls, ns_g_confctx->acls,
"zone transfer", "zone transfer",


@@ -31,44 +31,17 @@
#include <dns/types.h> #include <dns/types.h>
isc_result_t isc_result_t
dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr,
dns_c_acltable_t *acltable, const char *opname, dns_c_acltable_t *acltable, const char *opname,
dns_c_ipmatchlist_t *main_aml, dns_c_ipmatchlist_t *main_aml,
dns_c_ipmatchlist_t *fallback_aml, dns_c_ipmatchlist_t *fallback_aml,
isc_boolean_t default_allow) isc_boolean_t default_allow)
{ {
isc_result_t result, sig_result; isc_result_t result;
dns_name_t signer;
dns_name_t *ok_signer = NULL; dns_name_t *ok_signer = NULL;
int match; int match;
dns_c_ipmatchlist_t *aml = NULL; dns_c_ipmatchlist_t *aml = NULL;
dns_name_init(&signer, NULL);
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be allowd
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
sig_result = result = dns_message_signer(request, &signer);
if (result == DNS_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3),
"request has valid signature");
ok_signer = &signer;
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3),
"request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_ERROR,
"request has invalid signature: %s",
isc_result_totext(result));
}
if (main_aml != NULL) if (main_aml != NULL)
aml = main_aml; aml = main_aml;
else if (fallback_aml != NULL) else if (fallback_aml != NULL)
@@ -78,7 +51,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
else else
goto deny; goto deny;
result = dns_aml_match(reqaddr, ok_signer, aml, result = dns_aml_match(reqaddr, signer, aml,
acltable, &match, NULL); acltable, &match, NULL);
if (result != DNS_R_SUCCESS) if (result != DNS_R_SUCCESS)
goto deny; /* Internal error, already logged. */ goto deny; /* Internal error, already logged. */
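Review bot: `dns_name_t *ok_signer = NULL;` survives as a context line in the first hunk, but the assignment `ok_signer = &signer;` is removed and the dns_aml_match() call in the second hunk now passes `signer`, so the variable appears to be dead and should be deleted along with the other locals. Leaving it behind invites an unused-variable warning and, worse, suggests to a later reader that some validated copy of the signer still exists inside this function. The remainder of dns_aml_checkrequest() lies outside the hunks, so confirm nothing further down still reads it before removing the declaration.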


@@ -42,7 +42,7 @@
ISC_LANG_BEGINDECLS ISC_LANG_BEGINDECLS
isc_result_t isc_result_t
dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr, dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr,
dns_c_acltable_t *acltable, const char *opname, dns_c_acltable_t *acltable, const char *opname,
dns_c_ipmatchlist_t *main_aml, dns_c_ipmatchlist_t *main_aml,
dns_c_ipmatchlist_t *fallback_aml, dns_c_ipmatchlist_t *fallback_aml,
@@ -50,8 +50,10 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
/* /*
* Convenience function for "typical" DNS request permission checking. * Convenience function for "typical" DNS request permission checking.
* *
* Check the DNS request 'request', from IP address 'reqaddr', * Check the DNS request signed by the key whose name is 'signer',
* against the address match list 'main_aml'. If main_aml is NULL, * from IP address 'reqaddr', against the address match list 'main_aml'.
*
* If main_aml is NULL,
* check against 'fallback_aml' instead. If fallback_aml * check against 'fallback_aml' instead. If fallback_aml
* is also NULL, allow the request iff 'default_allow' is ISC_TRUE. * is also NULL, allow the request iff 'default_allow' is ISC_TRUE.
* Log the outcome of the check if deemed appropriate. * Log the outcome of the check if deemed appropriate.
@@ -67,7 +69,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
* the case of the blackhole list this would be backwards. * the case of the blackhole list this would be backwards.
* *
* Requires: * Requires:
* 'request' points to a valid DNS message. * 'signer' points to a valid name or is NULL.
* 'reqaddr' points to a valid socket address. * 'reqaddr' points to a valid socket address.
* 'acltable' points to a valid ACL table. * 'acltable' points to a valid ACL table.
* 'opname' points to a null-terminated string. * 'opname' points to a null-terminated string.
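Review bot: The new Requires line in the last hunk, `'signer' points to a valid name or is NULL.`, does not state that a non-NULL name must come from a signature that has already been verified, yet after this commit the function no longer checks the message itself and presumably matches key-based ACL elements on whatever name it is handed. I would tighten it to `'signer' is the key name of a successfully verified signature on the request, or NULL if the request is unsigned or its signature did not verify.` so that a future caller cannot satisfy the contract with an unverified name. The description in the second hunk also reads as if every request were signed; wording such as `Check the DNS request from IP address 'reqaddr', signed by the key named 'signer' (NULL if none), against ...` would cover the NULL case.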