[master] geoip security fixes

4003. [security] When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation. [RT #37720] 4002. [security] Lookups in GeoIP databases that were not loaded could cause an assertion failure. [RT #37679] 4001. [security] The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure. [RT #37672]
2014-11-16 08:43:22 -08:00
parent aee6c351d3
commit a0b4f6d952
8 changed files with 177 additions and 47 deletions
--- a/bin/tests/system/geoip/tests.sh
+++ b/bin/tests/system/geoip/tests.sh
@@ -23,6 +23,7 @@ n=0
 rm -f dig.out.*

 DIGOPTS="+tcp +short -p 5300 @10.53.0.2"
+DIGOPTS6="+tcp +short -p 5300 @fd92:7065:b8e:ffff::2"

 n=`expr $n + 1`
 echo "I:checking GeoIP country database by code ($n)"
@@ -159,6 +160,18 @@ cp -f ns2/named6.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
 sleep 3

+if $TESTSOCK6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo "I:checking GeoIP city database by city name using IPv6 ($n)"
+  ret=0
+  $DIG +tcp +short -p 5300 @fd92:7065:b8e:ffff::1 -6 txt example -b fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+  [ $ret -eq 0 ] || echo "I:failed"
+  status=`expr $status + $ret`
+else
+  echo "I:IPv6 unavailable; skipping"
+fi
+
 n=`expr $n + 1`
 echo "I:checking GeoIP city database by city name ($n)"
 ret=0
@@ -306,7 +319,7 @@ done
 status=`expr $status + $ret`

 n=`expr $n + 1`
-echo "I:checking GeoIP domain database (using client subnet) ($n)"
+echo "I:checking GeoIP asnum database - ASNNNN only (using client subnet) ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
@@ -338,6 +351,20 @@ done
 [ $ret -eq 0 ] || echo "I:failed"
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I:checking GeoIP domain database (using client subnet) ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
 echo "I:reloading server"
 cp -f ns2/named12.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@@ -427,5 +454,28 @@ done
 [ $ret -eq 0 ] || echo "I:failed"
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I:reloading server with different geoip-directory ($n)"
+cp -f ns2/named15.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 3
+awk '/using "..\/data2" as GeoIP directory/ {m=1} ; { if (m>0) { print } }' ns2/named.run | grep "GeoIP City .* DB not available" > /dev/null || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking GeoIP v4/v6 when only IPv6 database is available ($n)"
+ret=0
+$DIG $DIGOPTS -4 txt example -b 10.53.0.2 > dig.out.ns2.test$n.1 || ret=1
+j=`cat dig.out.ns2.test$n.1 | tr -d '"'`
+[ "$j" = "bogus" ] || ret=1
+if $TESTSOCK6 fd92:7065:b8e:ffff::2; then
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n.2 || ret=1
+    j=`cat dig.out.ns2.test$n.2 | tr -d '"'`
+    [ "$j" = "2" ] || ret=1
+fi
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status