use new AML code for checking "allow-update"

diff --git a/bin/named/update.c b/bin/named/update.c
index 4777b7e82517d6964d9bdec40c4522fbf08a237f..38f81a1a19f6105c77b4a38f5a23bd6ccd557155 100644 (file)
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -28,6 +28,7 @@
 #include <isc/result.h>
 #include <isc/taskpool.h>
 
+#include <dns/aml.h>
 #include <dns/confip.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
@@ -1813,76 +1814,6 @@ ns_update_start(ns_client_t *client)
        respond(client, result);
 }
 
-/*
- * This could eventually be fleshed out to handle the other "allow-*"
- * options, too.
- */
-static isc_result_t
-check_permissions(dns_message_t *request, dns_c_ipmatchlist_t *aml) {
-       dns_result_t result, sig_result;
-       dns_name_t signer;
-       dns_c_ipmatchelement_t *e;
-
-       dns_name_init(&signer, NULL);
-       
-       /*
-        * Check for a TSIG.  We log bad TSIGs regardless of whether they
-        * cause the request to be rejected or not (it may be approved 
-        * because of another AML).  We do not log the lack of a TSIG
-        * unless we are debugging.
-        */
-       sig_result = result = dns_message_signer(request, &signer);
-       if (result == DNS_R_SUCCESS) {
-               isc_log_write(UPDATE_DEBUG_LOGARGS, "signature is OK");
-       } else if (result == DNS_R_NOTFOUND) {
-               isc_log_write(UPDATE_DEBUG_LOGARGS, "request is not signed");
-       } else {
-               /* There is a signature, but it is bad. */
-               isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-                             NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
-                             "signature verification failed: %s",
-                             isc_result_totext(result));
-       }
-
-       if (aml == NULL) {
-               isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-                             NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
-                             "dynamic update request denied: "
-                             "no address match list configured");
-               FAIL(DNS_R_REFUSED);
-       }
-
-       for (e = ISC_LIST_HEAD(aml->elements);
-            e != NULL;
-            e = ISC_LIST_NEXT(e, next))
-       {
-               switch (e->type) {
-               case dns_c_ipmatch_key:
-                       /* XXX temporary, dangerous hack: if any key
-                          is allowed, we allow them all. */
-                       if (sig_result == DNS_R_SUCCESS)
-                               goto approve;
-                       break;
-               case dns_c_ipmatch_pattern:
-                       /* XXX temporary, dangerous hack: if any IP address
-                          is allowed, we allow them all. */
-                       goto approve;
-               default:
-                       isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-                                     NS_LOGMODULE_UPDATE, ISC_LOG_WARNING,
-                                     "address match list contains "
-                                     "unsupported element type");
-                       break;
-               }
-       }
-       FAIL(DNS_R_REFUSED);
-       
-approve:
-       result = DNS_R_SUCCESS;
-failure:
-       return (result);
-}
-
 static void
 update_action(isc_task_t *task, isc_event_t *event)
 {
@@ -2011,8 +1942,11 @@ update_action(isc_task_t *task, isc_event_t *event)
         * Check Requestor's Permissions.  It seems a bit silly to do this
         * only after prerequisite testing, but that is what RFC2136 says.
         */
-       CHECK(check_permissions(request, dns_zone_getupdateacl(zone)));
-       
+       CHECK(dns_aml_checkrequest(request, ns_client_getsockaddr(client),
+                                  dns_zone_getupdateacl(zone),
+                                  ns_g_confctx->acls,
+                                  "update", ISC_FALSE));
+
        /* Perform the Update Section Prescan. */
 
        for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);