mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00

dns_aml_checkrequest() now takes signer name, not message

Andreas Gustafsson
1999-12-10 18:14:49 +00:00
parent 211e0a6fc2
commit 5cee8302fc
6 changed files with 42 additions and 38 deletions


@@ -549,6 +549,31 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
}
/*
* Check for a signature. We log bad signatures regardless of
* whether they ultimately cause the request to be rejected or
* not. We do not log the lack of a signature unless we are
* debugging.
*/
client->signer = NULL;
result = dns_message_signer(client->message, &client->signername);
if (result == DNS_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request has valid signature");
client->signer = &client->signername;
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
"request has invalid signature: %s",
isc_result_totext(result));
}
/*
* XXXRTH View list management code will be moving to its own module
* soon.
@@ -685,6 +710,7 @@ client_create(ns_clientmgr_t *manager, ns_clienttype_t type,
client->opt = NULL;
client->udpsize = 512;
client->next = NULL;
dns_name_init(&client->signername, NULL);
ISC_LINK_INIT(client, link);
/*
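Review bot: `client->signername` is initialised once in client_create, but client_request passes it to `dns_message_signer()` on every request, whereas the code this commit removes from dns_aml_checkrequest ran `dns_name_init()` on a fresh local before each call. If the name ends up referring to data owned by `client->message` (not visible here), `client->signer` keeps pointing at it after the message is reset, until the next request reaches `client->signer = NULL;`. Consider re-initialising per request with `dns_name_init(&client->signername, NULL);` next to `client->signer = NULL;`, and clearing `client->signer` wherever the message is reset. The same field now feeds the ACL decisions in update_action and ns_xfr_start, so a stale value there would be an authorization problem rather than a logging one. Both client_request and client_create continue outside the hunks shown.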


@@ -22,6 +22,7 @@
#include <isc/stdtime.h>
#include <isc/buffer.h>
#include <dns/name.h>
#include <dns/types.h>
#include <dns/tcpmsg.h>
@@ -70,6 +71,8 @@ struct ns_client {
ns_query_t query;
isc_stdtime_t requesttime;
isc_stdtime_t now;
dns_name_t signername; /* [T]SIG key name */
dns_name_t * signer; /* NULL if not valid sig */
ISC_LINK(struct ns_client) link;
};
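Review bot: The comment on `signer`, "NULL if not valid sig", does not say that NULL covers both an unsigned request and one whose signature failed verification, which is how client_request sets it. Since the ACL code now trusts this field, spell that out and state its lifetime, e.g. `/* &signername if the current request carried a verified [T]SIG; NULL if unsigned or the signature was bad */`. It would also help to note on `signername` that its contents are meaningful only while `signer` is non-NULL.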


@@ -1942,7 +1942,7 @@ update_action(isc_task_t *task, isc_event_t *event)
* Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says.
*/
CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client),
CHECK(dns_aml_checkrequest(client->signer, ns_client_getsockaddr(client),
ns_g_confctx->acls, "update",
dns_zone_getupdateacl(zone),
NULL, ISC_FALSE));


@@ -15,7 +15,7 @@
* SOFTWARE.
*/
/* $Id: xfrout.c,v 1.26 1999/12/06 18:11:49 gson Exp $ */
/* $Id: xfrout.c,v 1.27 1999/12/10 18:14:49 gson Exp $ */
#include <config.h>
@@ -888,7 +888,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
mnemonic);
/* Decide whether to allow this transfer. */
CHECK(dns_aml_checkrequest(request,
CHECK(dns_aml_checkrequest(client->signer,
ns_client_getsockaddr(client),
ns_g_confctx->acls,
"zone transfer",


@@ -31,44 +31,17 @@
#include <dns/types.h>
isc_result_t
dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr,
dns_c_acltable_t *acltable, const char *opname,
dns_c_ipmatchlist_t *main_aml,
dns_c_ipmatchlist_t *fallback_aml,
isc_boolean_t default_allow)
{
isc_result_t result, sig_result;
dns_name_t signer;
isc_result_t result;
dns_name_t *ok_signer = NULL;
int match;
dns_c_ipmatchlist_t *aml = NULL;
dns_name_init(&signer, NULL);
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be allowd
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
sig_result = result = dns_message_signer(request, &signer);
if (result == DNS_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3),
"request has valid signature");
ok_signer = &signer;
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_DEBUG(3),
"request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
DNS_LOGMODULE_AML, ISC_LOG_ERROR,
"request has invalid signature: %s",
isc_result_totext(result));
}
if (main_aml != NULL)
aml = main_aml;
else if (fallback_aml != NULL)
@@ -78,7 +51,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
else
goto deny;
result = dns_aml_match(reqaddr, ok_signer, aml,
result = dns_aml_match(reqaddr, signer, aml,
acltable, &match, NULL);
if (result != DNS_R_SUCCESS)
goto deny; /* Internal error, already logged. */


@@ -42,7 +42,7 @@
ISC_LANG_BEGINDECLS
isc_result_t
dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
dns_aml_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr,
dns_c_acltable_t *acltable, const char *opname,
dns_c_ipmatchlist_t *main_aml,
dns_c_ipmatchlist_t *fallback_aml,
@@ -50,8 +50,10 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
/*
* Convenience function for "typical" DNS request permission checking.
*
* Check the DNS request 'request', from IP address 'reqaddr',
* against the address match list 'main_aml'. If main_aml is NULL,
* Check the DNS request signed by the key whose name is 'signer',
* from IP address 'reqaddr', against the address match list 'main_aml'.
*
* If main_aml is NULL,
* check against 'fallback_aml' instead. If fallback_aml
* is also NULL, allow the request iff 'default_allow' is ISC_TRUE.
* Log the outcome of the check if deemed appropriate.
@@ -67,7 +69,7 @@ dns_aml_checkrequest(dns_message_t *request, isc_sockaddr_t *reqaddr,
* the case of the blackhole list this would be backwards.
*
* Requires:
* 'request' points to a valid DNS message.
* 'signer' points to a valid name or is NULL.
* 'reqaddr' points to a valid socket address.
* 'acltable' points to a valid ACL table.
* 'opname' points to a null-terminated string.
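Review bot: The new Requires line, "'signer' points to a valid name or is NULL", only describes a well-formed dns_name_t and omits the trust requirement. After this change dns_aml_checkrequest no longer verifies the signature itself and appears to hand any non-NULL `signer` straight to dns_aml_match as the authenticated key name. State that in the contract, e.g. `'signer' is the name of the key whose signature on this request the caller has already verified, or NULL if the request is unsigned or its signature was bad.` Without that, a later caller could reasonably pass a key name taken from an unverified message and still satisfy the documented precondition.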