Commit 2b2b85c8 authored by Mark Andrews

4507. [bug] Name could incorrectly log 'allows updates by IP

                        address, which is insecure' [RT #43432]
parent 61747916
4507. [bug] Name could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]
4506. [func] 'named-checkconf -l' will now list the zones found in
named.conf. [RT #43154]
......
......@@ -583,26 +583,39 @@ is_insecure(isc_prefix_t *prefix, void **data) {
bitlen = prefix->bitlen;
family = prefix->family;
/* Negated entries are always secure. */
off = ISC_RADIX_OFF(prefix);
if (data[off] != NULL && * (isc_boolean_t *) data[off])
fprintf(stderr, "%d %d %d %d %d %d %d\n",
bitlen, family, off,
data[0] ? (* (isc_boolean_t *) data[0]) : -1,
data[1] ? (* (isc_boolean_t *) data[1]) : -1,
data[2] ? (* (isc_boolean_t *) data[2]) : -1,
data[3] ? (* (isc_boolean_t *) data[3]) : -1);
/*
* If all nonexistent or negative then this node is secure.
*/
if ((data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
(data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
(data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
(data[3] == NULL || !* (isc_boolean_t *) data[3]))
return;
/* If loopback prefix found, return */
switch (family) {
case AF_INET:
if (bitlen == 32 &&
htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK)
return;
break;
case AF_INET6:
if (bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6))
return;
break;
default:
break;
}
/*
* If a loopback address found and there is the other family
* doesn't exist or is negative, return.
*/
if (bitlen == 32 &&
htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
(data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
(data[3] == NULL || !* (isc_boolean_t *) data[3]))
return;
if (bitlen == 128 &&
IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
(data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
(data[2] == NULL || !* (isc_boolean_t *) data[2]))
return;
/* Non-negated, non-loopback */
insecure_prefix_found = ISC_TRUE; /* LOCKED */
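Review bot: The `fprintf(stderr, "%d %d %d %d %d %d %d\n", ...)` guarded by `if (data[off] != NULL && * (isc_boolean_t *) data[off])` reads as leftover debugging, and if it is on the new side of this hunk it makes library code in is_insecure() write to stderr for each positive entry it visits. I would drop that `if`/`fprintf` pair (and `off`, if nothing else uses it) before this lands. The slots `data[0]`..`data[3]` are also indexed without saying which is which; judging by the two loopback checks, a comment such as `/* data[0], data[2]: IPv4 entries; data[1], data[3]: IPv6 entries -- confirm against ISC_RADIX_OFF */` above the first test would make the "other family" logic readable. The rendered page has lost the +/- markers and is_insecure() starts and ends outside the hunk, so both points need checking against the full function.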
......
......@@ -30,7 +30,8 @@ DNSDEPLIBS = ../libdns.@A@
LIBS = @LIBS@ @ATFLIBS@
OBJS = dnstest.@O@
SRCS = db_test.c \
SRCS = acl_test.c \
db_test.c \
dbdiff_test.c \
dbiterator_test.c \
dh_test.c \
......@@ -57,7 +58,8 @@ SRCS = db_test.c \
zt_test.c
SUBDIRS =
TARGETS = db_test@EXEEXT@ \
TARGETS = acl_test@EXEEXT@ \
db_test@EXEEXT@ \
dbdiff_test@EXEEXT@ \
dbiterator_test@EXEEXT@ \
dbversion_test@EXEEXT@ \
......@@ -85,6 +87,11 @@ TARGETS = db_test@EXEEXT@ \
@BIND9_MAKE_RULES@
acl_test@EXEEXT@: acl_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
acl_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
test -d testdata || mkdir testdata
test -d testdata/master || mkdir testdata/master
......
/*
* Copyright (C) 2011-2013, 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
/*! \file */
#include <config.h>
#include <atf-c.h>
#include <stdio.h>
#include <unistd.h>
#include <isc/print.h>
#include <dns/acl.h>
#include "dnstest.h"
/*
* Helper functions
*/
#define BUFLEN 255
#define BIGBUFLEN (70 * 1024)
#define TEST_ORIGIN "test"
ATF_TC(dns_acl_isinsecure);
ATF_TC_HEAD(dns_acl_isinsecure, tc) {
atf_tc_set_md_var(tc, "descr", "test that dns_acl_isinsecure works");
}
ATF_TC_BODY(dns_acl_isinsecure, tc) {
isc_result_t result;
dns_acl_t *any = NULL;
dns_acl_t *none = NULL;
dns_acl_t *notnone = NULL;
dns_acl_t *notany = NULL;
dns_acl_t *pos4pos6 = NULL;
dns_acl_t *notpos4pos6 = NULL;
dns_acl_t *neg4pos6 = NULL;
dns_acl_t *notneg4pos6 = NULL;
dns_acl_t *pos4neg6 = NULL;
dns_acl_t *notpos4neg6 = NULL;
dns_acl_t *neg4neg6 = NULL;
dns_acl_t *notneg4neg6 = NULL;
dns_acl_t *loop4 = NULL;
dns_acl_t *notloop4 = NULL;
dns_acl_t *loop6 = NULL;
dns_acl_t *notloop6 = NULL;
dns_acl_t *loop4pos6 = NULL;
dns_acl_t *notloop4pos6 = NULL;
dns_acl_t *loop4neg6 = NULL;
dns_acl_t *notloop4neg6 = NULL;
struct in_addr inaddr;
isc_netaddr_t addr;
UNUSED(tc);
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_any(mctx, &any);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_none(mctx, &none);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notnone);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notany);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notnone, none, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notany, any, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
fprintf(stderr, "any\n");
ATF_CHECK(dns_acl_isinsecure(any)); /* any; */
fprintf(stderr, "none\n");
ATF_CHECK(!dns_acl_isinsecure(none)); /* none; */
fprintf(stderr, "!any\n");
ATF_CHECK(!dns_acl_isinsecure(notany)); /* !any; */
fprintf(stderr, "!none\n");
ATF_CHECK(!dns_acl_isinsecure(notnone)); /* !none; */
dns_acl_detach(&any);
dns_acl_detach(&none);
dns_acl_detach(&notany);
dns_acl_detach(&notnone);
result = dns_acl_create(mctx, 1, &pos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &pos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00:: */
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00::/8 */
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
fprintf(stderr, "pos4pos6\n");
ATF_CHECK(dns_acl_isinsecure(pos4pos6));
fprintf(stderr, "notpos4pos6\n");
ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
fprintf(stderr, "neg4pos6\n");
ATF_CHECK(dns_acl_isinsecure(neg4pos6));
fprintf(stderr, "notneg4pos6\n");
ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
fprintf(stderr, "pos4neg6\n");
ATF_CHECK(dns_acl_isinsecure(pos4neg6));
fprintf(stderr, "notpos4neg6\n");
ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
fprintf(stderr, "neg4neg6\n");
ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
fprintf(stderr, "notneg4neg6\n");
ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
dns_acl_detach(&pos4pos6);
dns_acl_detach(&notpos4pos6);
dns_acl_detach(&neg4pos6);
dns_acl_detach(&notneg4pos6);
dns_acl_detach(&pos4neg6);
dns_acl_detach(&notpos4neg6);
dns_acl_detach(&neg4neg6);
dns_acl_detach(&notneg4neg6);
result = dns_acl_create(mctx, 1, &loop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */
result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(!dns_acl_isinsecure(loop4));
ATF_CHECK(!dns_acl_isinsecure(notloop4));
ATF_CHECK(!dns_acl_isinsecure(loop6));
ATF_CHECK(!dns_acl_isinsecure(notloop6));
dns_acl_detach(&loop4);
dns_acl_detach(&notloop4);
dns_acl_detach(&loop6);
dns_acl_detach(&notloop6);
result = dns_acl_create(mctx, 1, &loop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* f700:0001::/32 */
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !f700:0001::/32 */
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
dns_acl_detach(&loop4pos6);
dns_acl_detach(&notloop4pos6);
dns_acl_detach(&loop4neg6);
dns_acl_detach(&notloop4neg6);
dns_test_end();
}
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, dns_acl_isinsecure);
return (atf_no_error());
}
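Review bot: Every `dns_iptable_addprefix2()` call in this test passes `ISC_FALSE` as its last argument, so the `data[2]`/`data[3]` arms that this commit adds to is_insecure() are probably never exercised. A copy of the loop4pos6/loop4neg6 cases with that argument set to `ISC_TRUE` would cover them, assuming that parameter is what selects the second pair of slots. The comments `/* f700:0001::/32 */` and `/* !f700:0001::/32 */` do not match the bytes produced by `htonl(0x7f000001)`, which read as `7f00:0001::/32` once `addr.family` is switched to `AF_INET6`. The `fprintf(stderr, ...)` progress lines and the unused `BUFLEN`, `BIGBUFLEN` and `TEST_ORIGIN` macros look like scaffolding and could be removed.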