Commit 8e333f42 authored by Mark Andrews's avatar Mark Andrews
Browse files

4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.

                        [RT #43601]
parent 762c4fc5
4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.
[RT #43601]
4539. [bug] Referencing a nonexistant zone with rpz could lead
to a assertion failure when configuring. [RT #43787]
......
......@@ -1366,8 +1366,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"zone '%s' allows updates by IP "
"address, which is insecure",
"zone '%s' allows unsigned updates "
"from remote hosts, which is insecure",
zname);
RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
......
......@@ -589,19 +589,21 @@ is_insecure(isc_prefix_t *prefix, void **data) {
return;
/*
* If a loopback address found and the other family
* doesn't exist or is negative, return.
* If a loopback address found and the other family and
* ecs entry doesn't exist or is negative, return.
*/
if (prefix->bitlen == 32 &&
htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
(data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
(data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
(data[3] == NULL || !* (isc_boolean_t *) data[3]))
return;
if (prefix->bitlen == 128 &&
IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
(data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
(data[2] == NULL || !* (isc_boolean_t *) data[2]))
(data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
(data[3] == NULL || !* (isc_boolean_t *) data[3]))
return;
/* Non-negated, non-loopback */
......
......@@ -36,6 +36,17 @@ ATF_TC_HEAD(dns_acl_isinsecure, tc) {
}
ATF_TC_BODY(dns_acl_isinsecure, tc) {
isc_result_t result;
unsigned int pass;
struct {
isc_boolean_t first;
isc_boolean_t second;
} ecs[] = {
{ ISC_FALSE, ISC_FALSE },
{ ISC_TRUE, ISC_TRUE },
{ ISC_TRUE, ISC_FALSE },
{ ISC_FALSE, ISC_TRUE }
};
dns_acl_t *any = NULL;
dns_acl_t *none = NULL;
dns_acl_t *notnone = NULL;
......@@ -97,192 +108,218 @@ ATF_TC_BODY(dns_acl_isinsecure, tc) {
dns_acl_detach(&notany);
dns_acl_detach(&notnone);
result = dns_acl_create(mctx, 1, &pos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &pos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00:: */
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00::/8 */
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(dns_acl_isinsecure(pos4pos6));
ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
ATF_CHECK(dns_acl_isinsecure(neg4pos6));
ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
ATF_CHECK(dns_acl_isinsecure(pos4neg6));
ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
dns_acl_detach(&pos4pos6);
dns_acl_detach(&notpos4pos6);
dns_acl_detach(&neg4pos6);
dns_acl_detach(&notneg4pos6);
dns_acl_detach(&pos4neg6);
dns_acl_detach(&notpos4neg6);
dns_acl_detach(&neg4neg6);
dns_acl_detach(&notneg4neg6);
result = dns_acl_create(mctx, 1, &loop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */
result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(!dns_acl_isinsecure(loop4));
ATF_CHECK(!dns_acl_isinsecure(notloop4));
ATF_CHECK(!dns_acl_isinsecure(loop6));
ATF_CHECK(!dns_acl_isinsecure(notloop6));
dns_acl_detach(&loop4);
dns_acl_detach(&notloop4);
dns_acl_detach(&loop6);
dns_acl_detach(&notloop6);
result = dns_acl_create(mctx, 1, &loop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* f700:0001::/32 */
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_TRUE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !f700:0001::/32 */
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_FALSE, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
dns_acl_detach(&loop4pos6);
dns_acl_detach(&notloop4pos6);
dns_acl_detach(&loop4neg6);
dns_acl_detach(&notloop4neg6);
for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) {
result = dns_acl_create(mctx, 1, &pos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &pos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notpos4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &neg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notneg4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00:: */
result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
ISC_TRUE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_FALSE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* 0a00::/8 */
result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
ISC_TRUE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
ISC_FALSE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !0a00::/8 */
result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
ISC_FALSE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_CHECK(dns_acl_isinsecure(pos4pos6));
ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
ATF_CHECK(dns_acl_isinsecure(neg4pos6));
ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
ATF_CHECK(dns_acl_isinsecure(pos4neg6));
ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
dns_acl_detach(&pos4pos6);
dns_acl_detach(&notpos4pos6);
dns_acl_detach(&neg4pos6);
dns_acl_detach(&notneg4pos6);
dns_acl_detach(&pos4neg6);
dns_acl_detach(&notpos4neg6);
dns_acl_detach(&neg4neg6);
dns_acl_detach(&notneg4neg6);
result = dns_acl_create(mctx, 1, &loop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */
result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
if (!ecs[pass].first) {
ATF_CHECK(!dns_acl_isinsecure(loop4));
ATF_CHECK(!dns_acl_isinsecure(notloop4));
ATF_CHECK(!dns_acl_isinsecure(loop6));
ATF_CHECK(!dns_acl_isinsecure(notloop6));
} else if (ecs[pass].first) {
ATF_CHECK(dns_acl_isinsecure(loop4));
ATF_CHECK(!dns_acl_isinsecure(notloop4));
ATF_CHECK(dns_acl_isinsecure(loop6));
ATF_CHECK(!dns_acl_isinsecure(notloop6));
}
dns_acl_detach(&loop4);
dns_acl_detach(&notloop4);
dns_acl_detach(&loop6);
dns_acl_detach(&notloop6);
result = dns_acl_create(mctx, 1, &loop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4pos6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &loop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_create(mctx, 1, &notloop4neg6);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* f700:0001::/32 */
result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
ISC_TRUE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
isc_netaddr_fromin(&addr, &inaddr);
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_TRUE, ecs[pass].first);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
addr.family = AF_INET6; /* !f700:0001::/32 */
result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
ISC_FALSE, ecs[pass].second);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
if (!ecs[pass].first && !ecs[pass].second) {
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
} else if (ecs[pass].first && !ecs[pass].second) {
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
} else if (!ecs[pass].first && ecs[pass].second) {
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
} else {
ATF_CHECK(dns_acl_isinsecure(loop4pos6));
ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
ATF_CHECK(dns_acl_isinsecure(loop4neg6));
ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
}
dns_acl_detach(&loop4pos6);
dns_acl_detach(&notloop4pos6);
dns_acl_detach(&loop4neg6);
dns_acl_detach(&notloop4neg6);
}
dns_test_end();
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment