Commit f6837f7a authored by Daniel Salzman's avatar Daniel Salzman

acl: unify checks and logging

parent a235e5a8
......@@ -57,12 +57,9 @@ int internet_process_query(knot_pkt_t *pkt, knotd_qdata_t *qdata);
/*! \brief Require authentication. */
#define NS_NEED_AUTH(qdata, zone_name, action) \
if (!process_query_acl_check(conf(), (zone_name), (action), (qdata))) { \
if (!process_query_acl_check(conf(), (zone_name), (action), (qdata)) || \
process_query_verify(qdata) != KNOT_EOK) { \
return KNOT_STATE_FAIL; \
} else { \
if (process_query_verify(qdata) != KNOT_EOK) { \
return KNOT_STATE_FAIL; \
} \
}
/*! \brief Require maximum number of unsigned messages. */
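Review bot: Dropping the `else` arm leaves NS_NEED_AUTH as a bare `if` statement, which introduces a dangling-else hazard the old form did not have: `if (cond) NS_NEED_AUTH(...) else ...` used to be a compile error (the macro already contained a complete if/else), but now the caller's `else` would silently bind to the macro's internal `if` and turn an authorization failure into the caller's else-path. The usual fix is to wrap the body in `do { ... } while (0)`; the `return KNOT_STATE_FAIL;` inside it still leaves the calling function as before. The combined condition also keeps the short-circuit order (ACL first, TSIG only when the ACL passed), so a signed request from a non-listed source is failed without its TSIG being checked, which matches the previous behaviour. A one-line comment stating that order, e.g. `/* ACL first; TSIG is only verified for sources the ACL admits. */`, would make the intent explicit for the next reader.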
......
......@@ -652,6 +652,26 @@ int process_query_verify(knotd_qdata_t *qdata)
break;
}
/* Log possible error. */
if (qdata->rcode != KNOT_RCODE_NOERROR) {
const knot_lookup_t *item = NULL;
if (qdata->rcode_tsig != KNOT_RCODE_NOERROR) {
item = knot_lookup_by_id(knot_tsig_rcode_names, qdata->rcode_tsig);
if (item == NULL) {
item = knot_lookup_by_id(knot_rcode_names, qdata->rcode_tsig);
}
} else {
item = knot_lookup_by_id(knot_rcode_names, qdata->rcode);
}
char *key_name = knot_dname_to_str_alloc(ctx->tsig_key.name);
log_zone_debug(qdata->extra->zone->name,
"TSIG, key '%s', verification failed '%s'",
(key_name != NULL) ? key_name : "",
(item != NULL) ? item->name : "");
free(key_name);
}
return ret;
}
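Review bot: The unified TSIG-failure message is emitted with `log_zone_debug`, whereas the DDNS path this commit removes it from (update_tsig_check in the same commit) logged the same failure at LOG_WARNING, so BADSIG/BADKEY/BADTIME events that operators rely on to spot key mismatches, clock skew or replay attempts are now invisible at default log levels. If the `log_zone_*` family offers a notice or warning level, this line should use it; otherwise the previous warning-level visibility for updates has regressed. `qdata->extra->zone->name` is also dereferenced unconditionally here; if process_query_verify can run for a query that matched no zone, that is a NULL dereference on the failure path, so a guard or a confirmed invariant (`assert(qdata->extra->zone != NULL)`) is warranted. `ctx` is bound outside this hunk and process_query_verify's start is not visible on this page, so I am assuming it is the signing context whose `tsig_key.name` may legitimately be empty (the NULL-to-"" fallback handles that case).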
......
......@@ -307,19 +307,10 @@ static void forward_requests(conf_t *conf, zone_t *zone, list_t *requests)
static bool update_tsig_check(conf_t *conf, knotd_qdata_t *qdata, struct knot_request *req)
{
// Check that ACL is still valid.
if (!process_query_acl_check(conf, qdata->extra->zone->name, ACL_ACTION_UPDATE, qdata)) {
UPDATE_LOG(LOG_WARNING, qdata, "ACL check failed");
if (!process_query_acl_check(conf, qdata->extra->zone->name, ACL_ACTION_UPDATE, qdata) ||
process_query_verify(qdata) != KNOT_EOK) {
knot_wire_set_rcode(req->resp->wire, qdata->rcode);
return false;
} else {
// Check TSIG validity.
int ret = process_query_verify(qdata);
if (ret != KNOT_EOK) {
UPDATE_LOG(LOG_WARNING, qdata, "failed (%s)",
knot_strerror(ret));
knot_wire_set_rcode(req->resp->wire, qdata->rcode);
return false;
}
}
// Store signing context for response.
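Review bot: The two WARNING-level messages for a rejected deferred update (`"ACL check failed"` and `"failed (%s)"`) are removed here, and the only replacement visible on this page is the debug-level message in process_query_verify; the ACL-failure logging presumably moved into process_query_acl_check, which is not shown, so please confirm it logs at comparable severity for ACL_ACTION_UPDATE, otherwise an update refused at this re-check leaves no operator-visible trace. The comment `// Check that ACL is still valid.` now describes only half of the combined condition; `// Re-check ACL and TSIG at apply time: config or keys may have changed since the request was queued.` states both. The short-circuit also means a request that fails the ACL never reaches TSIG verification, so `qdata->rcode` written to the response comes from the ACL check alone in that case, which is the same as before. update_tsig_check continues past the end of this hunk.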
......