mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-23 10:39:16 +00:00
Code Issues Releases Wiki Activity

use new AML code for checking "allow-update"

Browse Source
This commit is contained in:
Andreas Gustafsson 1999-11-30 22:11:11 +00:00
parent dac2799ea1
commit d8c70cbcd7
1 changed files with 6 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
bin/named/update.c
View File

@ -28,6 +28,7 @@
#include <isc/result.h> #include <isc/result.h>
#include <isc/taskpool.h> #include <isc/taskpool.h>
#include <dns/aml.h>
#include <dns/confip.h> #include <dns/confip.h>
#include <dns/db.h> #include <dns/db.h>
#include <dns/dbiterator.h> #include <dns/dbiterator.h>
@ -1813,76 +1814,6 @@ ns_update_start(ns_client_t *client)
respond(client, result); respond(client, result);
} }
/*
* This could eventually be fleshed out to handle the other "allow-*"
* options, too.
*/
static isc_result_t
check_permissions(dns_message_t *request, dns_c_ipmatchlist_t *aml) {
dns_result_t result, sig_result;
dns_name_t signer;
dns_c_ipmatchelement_t *e;
dns_name_init(&signer, NULL);
/*
* Check for a TSIG. We log bad TSIGs regardless of whether they
* cause the request to be rejected or not (it may be approved
* because of another AML). We do not log the lack of a TSIG
* unless we are debugging.
*/
sig_result = result = dns_message_signer(request, &signer);
if (result == DNS_R_SUCCESS) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
} else if (result == DNS_R_NOTFOUND) {
isc_log_write(UPDATE_DEBUG_LOGARGS, "request is not signed");
} else {
/* There is a signature, but it is bad. */
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"signature verification failed: %s",
isc_result_totext(result));
}
if (aml == NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
"dynamic update request denied: "
"no address match list configured");
FAIL(DNS_R_REFUSED);
}
for (e = ISC_LIST_HEAD(aml->elements);
e != NULL;
e = ISC_LIST_NEXT(e, next))
{
switch (e->type) {
case dns_c_ipmatch_key:
/* XXX temporary, dangerous hack: if any key
is allowed, we allow them all. */
if (sig_result == DNS_R_SUCCESS)
goto approve;
break;
case dns_c_ipmatch_pattern:
/* XXX temporary, dangerous hack: if any IP address
is allowed, we allow them all. */
goto approve;
default:
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_UPDATE, ISC_LOG_WARNING,
"address match list contains "
"unsupported element type");
break;
}
}
FAIL(DNS_R_REFUSED);
approve:
result = DNS_R_SUCCESS;
failure:
return (result);
}
static void static void
update_action(isc_task_t *task, isc_event_t *event) update_action(isc_task_t *task, isc_event_t *event)
{ {
@ -2011,8 +1942,11 @@ update_action(isc_task_t *task, isc_event_t *event)
* Check Requestor's Permissions. It seems a bit silly to do this * Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says. * only after prerequisite testing, but that is what RFC2136 says.
*/ */
CHECK(check_permissions(request, dns_zone_getupdateacl(zone))); CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client),
dns_zone_getupdateacl(zone),
ns_g_confctx->acls,
"update", ISC_FALSE));
/* Perform the Update Section Prescan. */ /* Perform the Update Section Prescan. */
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);