use new AML code for checking "allow-update"

2025-08-22 18:19:42 +00:00 · 1999-11-30 22:11:11 +00:00 · 1999-11-30 22:11:11 +00:00 · d8c70cbcd7
commit d8c70cbcd7
parent dac2799ea1
1 changed files with 6 additions and 72 deletions
--- a/bin/named/update.c
+++ b/bin/named/update.c
@ -28,6 +28,7 @@
 #include <isc/result.h>
 #include <isc/taskpool.h>

+#include <dns/aml.h>
 #include <dns/confip.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
@ -1813,76 +1814,6 @@ ns_update_start(ns_client_t *client)
 	respond(client, result);
 }

-/*
- * This could eventually be fleshed out to handle the other "allow-*"
- * options, too.
- */
-static isc_result_t
-check_permissions(dns_message_t *request, dns_c_ipmatchlist_t *aml) {
-	dns_result_t result, sig_result;
-	dns_name_t signer;
-	dns_c_ipmatchelement_t *e;
-
-	dns_name_init(&signer, NULL);
-	
-	/*
-	 * Check for a TSIG.  We log bad TSIGs regardless of whether they
-	 * cause the request to be rejected or not (it may be approved 
-	 * because of another AML).  We do not log the lack of a TSIG
-	 * unless we are debugging.
-	 */
-	sig_result = result = dns_message_signer(request, &signer);
-	if (result == DNS_R_SUCCESS) {
-		isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
-	} else if (result == DNS_R_NOTFOUND) {
-		isc_log_write(UPDATE_DEBUG_LOGARGS, "request is not signed");
-	} else {
-		/* There is a signature, but it is bad. */
-		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
-			      "signature verification failed: %s",
-			      isc_result_totext(result));
-	}
-
-	if (aml == NULL) {
-		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
-			      "dynamic update request denied: "
-			      "no address match list configured");
-		FAIL(DNS_R_REFUSED);
-	}
-
-	for (e = ISC_LIST_HEAD(aml->elements);
-	     e != NULL;
-	     e = ISC_LIST_NEXT(e, next))
-	{
-		switch (e->type) {
-		case dns_c_ipmatch_key:
-			/* XXX temporary, dangerous hack: if any key
-			   is allowed, we allow them all. */
-			if (sig_result == DNS_R_SUCCESS)
-				goto approve;
-			break;
-		case dns_c_ipmatch_pattern:
-			/* XXX temporary, dangerous hack: if any IP address
-			   is allowed, we allow them all. */
-			goto approve;
-		default:
-			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_UPDATE, ISC_LOG_WARNING,
-				      "address match list contains "
-				      "unsupported element type");
-			break;
-		}
-	}
-	FAIL(DNS_R_REFUSED);
-	
-approve:
-	result = DNS_R_SUCCESS;
-failure:
-	return (result);
-}
-
 static void
 update_action(isc_task_t *task, isc_event_t *event)
 {
@ -2011,8 +1942,11 @@ update_action(isc_task_t *task, isc_event_t *event)
 	 * Check Requestor's Permissions.  It seems a bit silly to do this
 	 * only after prerequisite testing, but that is what RFC2136 says.
 	 */
-	CHECK(check_permissions(request, dns_zone_getupdateacl(zone)));
-	
+	CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client),
+				   dns_zone_getupdateacl(zone),
+				   ns_g_confctx->acls,
+				   "update", ISC_FALSE));
+
 	/* Perform the Update Section Prescan. */

 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);