Commit fe9b2c6a authored by Marek Vavruša

acl: finally removed dup'd ACLs, added tests with TSIG

parent e27dff48
......@@ -460,13 +460,6 @@ static int conf_process(conf_t *conf)
if (conf->uid < 0) conf->uid = getuid();
if (conf->gid < 0) conf->gid = getgid();
/* Build remote control ACL. */
conf_remote_t *r = NULL;
WALK_LIST(r, conf->ctl.allow) {
conf_iface_t *i = r->remote;
acl_insert(conf->ctl.acl, &i->addr, i->prefix, i->key);
}
return ret;
}
......@@ -591,14 +584,6 @@ conf_t *conf_new(char* path)
/* DNSSEC. */
c->dnssec_enable = 0;
/* ACLs. */
c->ctl.acl = acl_new();
if (!c->ctl.acl) {
free(c->filename);
free(c);
c = NULL;
}
return c;
}
......@@ -756,9 +741,6 @@ void conf_truncate(conf_t *conf, int unload_hooks)
}
init_list(&conf->remotes);
/* Free remote control ACL. */
acl_truncate(conf->ctl.acl);
/* Free remote control iface. */
conf_free_iface(conf->ctl.iface);
}
......@@ -772,9 +754,6 @@ void conf_free(conf_t *conf)
/* Truncate config. */
conf_truncate(conf, 1);
/* Free remote control ACL. */
acl_delete(&conf->ctl.acl);
/* Free config. */
free(conf);
}
......
......@@ -193,7 +193,6 @@ typedef struct conf_key_t {
typedef struct conf_control_t {
conf_iface_t *iface; /*!< Remote control interface. */
list_t allow; /*!< List of allowed remotes. */
acl_t* acl; /*!< ACL. */
bool have; /*!< Set if configured. */
} conf_control_t;
......
......@@ -782,7 +782,7 @@ int remote_process(server_t *s, conf_iface_t *ctl_if, int sock,
if (pkt->tsig_rr) {
tsig_name = pkt->tsig_rr->owner;
}
acl_match_t *match = acl_find(conf()->ctl.acl, &ss, tsig_name);
conf_iface_t *match = acl_find(&conf()->ctl.allow, &ss, tsig_name);
uint16_t ts_rc = 0;
uint16_t ts_trc = 0;
uint64_t ts_tmsigned = 0;
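Review bot: The control ACL lookup on the new line walks the live configuration list `conf()->ctl.allow` instead of the private copy that conf_process used to build, so the returned `conf_iface_t` and its `key` pointer stay valid only as long as that configuration object does. If a configuration reload can replace or truncate `conf()` while a control request is being processed, this walk and the later use of the match would race with it; the previous design did not depend on this because the ACL entries were duplicated. If reload is already serialized against remote_process, a one-line comment would make the dependency explicit: `/* Entries point into the live config; reload must not run concurrently with this check. */`. remote_process begins and continues outside the hunk.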
......
......@@ -18,6 +18,7 @@
#include "knot/nameserver/query_module.h"
#include "knot/nameserver/process_query.h"
#include "knot/nameserver/internet.h"
#include "knot/conf/conf.h"
#include "common/descriptor.h"
/* Defines. */
......@@ -40,7 +41,7 @@ typedef struct synth_template {
const char *prefix;
const char *zone;
uint32_t ttl;
netblock_t subnet;
conf_iface_t subnet;
} synth_template_t;
/*! \brief Substitute all occurences of given character. */
......@@ -93,7 +94,7 @@ static int reverse_addr_parse(struct query_data *qdata, synth_template_t *tpl, c
}
/* Write formatted address string. */
char sep = str_separator(tpl->subnet.ss.ss_family);
char sep = str_separator(tpl->subnet.addr.ss_family);
int sep_frequency = 1;
if (sep == ':') {
sep_frequency = 4; /* Separator per 4 hexdigits. */
......@@ -133,7 +134,7 @@ static int forward_addr_parse(struct query_data *qdata, synth_template_t *tpl, c
memcpy(addr_str, addr_label + 1 + prefix_len, addr_len);
/* Restore correct address format. */
char sep = str_separator(tpl->subnet.ss.ss_family);
char sep = str_separator(tpl->subnet.addr.ss_family);
str_subst(addr_str, addr_len, '-', sep);
return KNOT_EOK;
......@@ -173,7 +174,7 @@ static knot_dname_t *synth_ptrname(const char *addr_str, synth_template_t *tpl)
int written = prefix_len;
/* Write address with substituted separator to '-'. */
char sep = str_separator(tpl->subnet.ss.ss_family);
char sep = str_separator(tpl->subnet.addr.ss_family);
memcpy(ptrname + written, addr_str, addr_len);
str_subst(ptrname + written, addr_len, sep, '-');
written += addr_len;
......@@ -205,15 +206,15 @@ static int reverse_rr(char *addr_str, synth_template_t *tpl, knot_pkt_t *pkt, kn
static int forward_rr(char *addr_str, synth_template_t *tpl, knot_pkt_t *pkt, knot_rrset_t *rr)
{
struct sockaddr_storage query_addr = {'\0'};
sockaddr_set(&query_addr, tpl->subnet.ss.ss_family, addr_str, 0);
sockaddr_set(&query_addr, tpl->subnet.addr.ss_family, addr_str, 0);
/* Specify address type and data. */
if (tpl->subnet.ss.ss_family == AF_INET6) {
if (tpl->subnet.addr.ss_family == AF_INET6) {
rr->type = KNOT_RRTYPE_AAAA;
const struct sockaddr_in6* ip = (const struct sockaddr_in6*)&query_addr;
knot_rrset_add_rdata(rr, (const uint8_t *)&ip->sin6_addr, sizeof(struct in6_addr),
tpl->ttl, &pkt->mm);
} else if (tpl->subnet.ss.ss_family == AF_INET) {
} else if (tpl->subnet.addr.ss_family == AF_INET) {
rr->type = KNOT_RRTYPE_A;
const struct sockaddr_in* ip = (const struct sockaddr_in*)&query_addr;
knot_rrset_add_rdata(rr, (const uint8_t *)&ip->sin_addr, sizeof(struct in_addr),
......@@ -261,7 +262,7 @@ static int template_match(int state, synth_template_t *tpl, knot_pkt_t *pkt, str
/* Match against template netblock. */
struct sockaddr_storage query_addr = { '\0' };
int provided_af = tpl->subnet.ss.ss_family;
int provided_af = tpl->subnet.addr.ss_family;
ret = sockaddr_set(&query_addr, provided_af, addr_str, 0);
if (ret == KNOT_EOK) {
ret = netblock_match(&tpl->subnet, &query_addr);
......@@ -393,7 +394,7 @@ int synth_record_load(struct query_plan *plan, struct query_module *self)
return KNOT_EMALF;
}
int ret = sockaddr_set(&tpl->subnet.ss, family, token, 0);
int ret = sockaddr_set(&tpl->subnet.addr, family, token, 0);
if (ret != KNOT_EOK) {
MODULE_ERR("invalid address '%s'.\n", token);
return KNOT_EMALF;
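Review bot: `synth_template_t::subnet` is now a full `conf_iface_t`, of which this module sets only `.addr` (via `sockaddr_set` in synth_record_load) and, presumably, `.prefix` outside these hunks, so the template now carries the configuration-only members of that struct (such as the TSIG `key` pointer) that nothing here initializes explicitly. That is harmless only because no code in this file reads them and only if the template allocation, which is outside the hunks, zeroes the struct; a comment on the field would pin this down: `conf_iface_t subnet; /*!< Only .addr and .prefix are used; remaining members are unused. */`. Including `knot/conf/conf.h` also ties this query module to the configuration layer solely for the struct type, which is a design choice rather than a defect but worth a sentence in the file header.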
......
......@@ -196,7 +196,7 @@ int axfr_query(knot_pkt_t *pkt, struct query_data *qdata)
/* Check valid zone, transaction security and contents. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
NS_NEED_AUTH(qdata->zone->xfr_out, qdata);
NS_NEED_AUTH(&qdata->zone->conf->acl.xfr_out, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
ret = axfr_query_init(qdata);
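Review bot: The new `NS_NEED_AUTH(&qdata->zone->conf->acl.xfr_out, qdata)` forms a member address through `qdata->zone->conf` without checking that pointer, and the same pattern appears in internet.c, ixfr.c, notify.c and update.c. Before this change the zone held its own `acl_t *` copies and `acl_find` tolerated a NULL list (`if (acl == NULL || addr == NULL) return NULL;`), so a zone without an ACL failed closed; now a NULL `conf` would be dereferenced before the check runs. If `zone->conf` is guaranteed non-NULL for every zone that reaches these handlers, a note to that effect near the zone_t declaration is enough; otherwise the macro (whose expansion is not in this commit) should fail closed when `conf` is NULL. The lifetime also changes: the ACL entries now live in the zone's configuration object, so that object must not be freed or reloaded while a query holding a `conf_iface_t *` from it is in flight. axfr_query's body continues outside the hunk.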
......
......@@ -881,7 +881,7 @@ int internet_query(knot_pkt_t *response, struct query_data *qdata)
/* No applicable ACL, refuse transaction security. */
if (knot_pkt_has_tsig(qdata->query)) {
/* We have been challenged... */
NS_NEED_AUTH(qdata->zone->xfr_out, qdata);
NS_NEED_AUTH(&qdata->zone->conf->acl.xfr_out, qdata);
/* Reserve space for TSIG. */
knot_pkt_reserve(response, tsig_wire_maxsize(qdata->sign.tsig_key));
......
......@@ -177,7 +177,7 @@ static int ixfr_query_check(struct query_data *qdata)
NS_NEED_QNAME(qdata, their_soa->owner, KNOT_RCODE_FORMERR);
/* Check transcation security and zone contents. */
NS_NEED_AUTH(qdata->zone->xfr_out, qdata);
NS_NEED_AUTH(&qdata->zone->conf->acl.xfr_out, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
return NS_PROC_DONE;
......
......@@ -58,7 +58,7 @@ int notify_query(knot_pkt_t *pkt, struct query_data *qdata)
/* Check valid zone, transaction security. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
NS_NEED_AUTH(zone->notify_in, qdata);
NS_NEED_AUTH(&zone->conf->acl.notify_in, qdata);
/* Reserve space for TSIG. */
knot_pkt_reserve(pkt, tsig_wire_maxsize(qdata->sign.tsig_key));
......
......@@ -234,7 +234,7 @@ int process_query_err(knot_pkt_t *pkt, knot_process_t *ctx)
return NS_PROC_DONE;
}
bool process_query_acl_check(acl_t *acl, struct query_data *qdata)
bool process_query_acl_check(list_t *acl, struct query_data *qdata)
{
knot_pkt_t *query = qdata->query;
const struct sockaddr_storage *query_source = qdata->param->remote;
......@@ -251,7 +251,7 @@ bool process_query_acl_check(acl_t *acl, struct query_data *qdata)
key_name = query->tsig_rr->owner;
key_alg = tsig_rdata_alg(query->tsig_rr);
}
acl_match_t *match = acl_find(acl, query_source, key_name);
conf_iface_t *match = acl_find(acl, query_source, key_name);
/* Did not authenticate, no fitting rule found. */
if (match == NULL || (match->key && match->key->algorithm != key_alg)) {
......
......@@ -174,7 +174,7 @@ int process_query_err(knot_pkt_t *pkt, knot_process_t *ctx);
* \param qdata
* \return true if accepted, false if denied.
*/
bool process_query_acl_check(acl_t *acl, struct query_data *qdata);
bool process_query_acl_check(list_t *acl, struct query_data *qdata);
/*!
* \brief Verify current query transaction security and update query data.
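Review bot: The prototype now takes a `list_t *` of `conf_remote_t` entries rather than an `acl_t *`, but the Doxygen block above it (its `\param acl` line is just outside the hunk) still describes an ACL instance; it should say what is expected now, e.g. `\param acl List of conf_remote_t entries (for example conf_zone_t::acl.xfr_out) matched by source address and TSIG key name.`. Since the list is only searched, `const list_t *acl` would document that as well, provided `acl_find` is given a matching const signature.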
......
......@@ -37,7 +37,7 @@ int update_answer(knot_pkt_t *pkt, struct query_data *qdata)
}
/* Need valid transaction security. */
NS_NEED_AUTH(zone->update_in, qdata);
NS_NEED_AUTH(&zone->conf->acl.update_in, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
/* Store update into DDNS queue. */
......
......@@ -24,6 +24,7 @@
#include "common/errcode.h"
#include "knot/updates/acl.h"
#include "knot/conf/conf.h"
#include "libknot/util/endian.h"
#include "libknot/rrtype/tsig.h"
......@@ -49,10 +50,10 @@ static inline uint32_t ip_chunk(const struct sockaddr_storage *ss, uint8_t idx)
}
/*! \brief Compare chunks using given mask. */
static int cmp_chunk(const netblock_t *a1, const struct sockaddr_storage *a2,
static int cmp_chunk(const conf_iface_t *a1, const struct sockaddr_storage *a2,
uint8_t idx, uint32_t mask)
{
const uint32_t c1 = ip_chunk(&a1->ss, idx) & mask;
const uint32_t c1 = ip_chunk(&a1->addr, idx) & mask;
const uint32_t c2 = ip_chunk(a2, idx) & mask;
if (c1 > c2)
......@@ -82,7 +83,7 @@ static uint32_t acl_fill_mask32(short nbits)
return htonl(r);
}
int netblock_match(const netblock_t *a1, const struct sockaddr_storage *a2)
int netblock_match(struct conf_iface_t *a1, const struct sockaddr_storage *a2)
{
int ret = 0;
uint32_t mask = 0xffffffff;
......@@ -90,8 +91,8 @@ int netblock_match(const netblock_t *a1, const struct sockaddr_storage *a2)
const short chunk_bits = sizeof(mask) * CHAR_BIT;
/* Check different length, IPv4 goes first. */
if (a1->ss.ss_family != a2->ss_family) {
if (a1->ss.ss_family < a2->ss_family) {
if (a1->addr.ss_family != a2->ss_family) {
if (a1->addr.ss_family < a2->ss_family) {
return -1;
} else {
return 1;
......@@ -119,61 +120,17 @@ int netblock_match(const netblock_t *a1, const struct sockaddr_storage *a2)
return ret;
}
acl_t *acl_new()
{
acl_t *acl = malloc(sizeof(acl_t));
if (acl == NULL) {
return NULL;
}
memset(acl, 0, sizeof(acl_t));
init_list(acl);
return acl;
}
void acl_delete(acl_t **acl)
{
if (acl == NULL || *acl == NULL) {
return;
}
acl_truncate(*acl);
/* Free ACL. */
free(*acl);
*acl = 0;
}
int acl_insert(acl_t *acl, const struct sockaddr_storage *addr, uint8_t prefix, knot_tsig_key_t *key)
{
if (acl == NULL || addr == NULL) {
return KNOT_EINVAL;
}
/* Create new match. */
acl_match_t *match = malloc(sizeof(acl_match_t));
if (match == NULL) {
return KNOT_ENOMEM;
}
match->netblock.prefix = prefix;
memcpy(&match->netblock.ss, addr, sizeof(struct sockaddr_storage));
match->key = key;
add_tail(acl, &match->n);
return KNOT_EOK;
}
acl_match_t* acl_find(acl_t *acl, const struct sockaddr_storage *addr, const knot_dname_t *key_name)
struct conf_iface_t* acl_find(list_t *acl, const struct sockaddr_storage *addr,
const knot_dname_t *key_name)
{
if (acl == NULL || addr == NULL) {
return NULL;
}
acl_match_t *cur = NULL;
WALK_LIST(cur, *acl) {
if (netblock_match(&cur->netblock, addr) == 0) {
conf_remote_t *remote = NULL;
WALK_LIST(remote, *acl) {
conf_iface_t *cur = remote->remote;
if (netblock_match(cur, addr) == 0) {
/* NOKEY entry. */
if (cur->key == NULL) {
if (key_name == NULL) {
......@@ -197,12 +154,3 @@ acl_match_t* acl_find(acl_t *acl, const struct sockaddr_storage *addr, const kno
return NULL;
}
void acl_truncate(acl_t *acl)
{
if (acl == NULL) {
return;
}
WALK_LIST_FREE(*acl);
}
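Review bot: `netblock_match` drops the `const` qualifier on its first parameter (`int netblock_match(struct conf_iface_t *a1, const struct sockaddr_storage *a2)`, also in acl.h) even though the function only reads `a1->addr.ss_family` here and passes `a1` to `cmp_chunk`, which now takes `const conf_iface_t *`; keep it `const struct conf_iface_t *a1` in both places so callers holding const templates are not forced to cast. In `acl_find`, `conf_iface_t *cur = remote->remote;` is handed to `netblock_match` without a NULL check; the old `acl_match_t` embedded the netblock and could not be empty, so if a `conf_remote_t` can exist with no `remote` a guard `if (cur == NULL) continue;` would keep a malformed configuration from crashing the ACL check. The remainder of acl_find is outside the hunk.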
......@@ -35,75 +35,23 @@
#include "common/mempattern.h"
#include "libknot/rrtype/tsig.h"
struct knot_tsig_key;
/*! \brief ACL structure. */
typedef list_t acl_t;
/*! \brief Netblock (address and prefix). */
typedef struct netblock {
struct sockaddr_storage ss; /*!< Address storage. */
uint8_t prefix; /*!< Address prefix. */
} netblock_t;
/*! \brief Single ACL match. */
typedef struct acl_match {
node_t n;
netblock_t netblock;
struct knot_tsig_key *key; /*!< \brief TSIG key. */
} acl_match_t;
struct conf_iface_t;
/*! \brief Match address against netblock. */
int netblock_match(const netblock_t *a1, const struct sockaddr_storage *a2);
/*!
* \brief Create a new ACL.
*
* \retval New ACL instance when successful.
* \retval NULL on errors.
*/
acl_t *acl_new();
/*!
* \brief Delete ACL structure.
*
* \param acl Pointer to ACL instance.
*/
void acl_delete(acl_t **acl);
/*!
* \brief Insert new ACL match.
*
* \param acl Pointer to ACL instance.
* \param addr Address.
* \param prefix Netblock prefix.
* \param key TSIG key.
*
* \retval KNOT_EOK if successful.
* \retval KNOT_EINVAL
* \retval KNOT_ENOMEM
*/
int acl_insert(acl_t *acl, const struct sockaddr_storage *addr, uint8_t prefix, knot_tsig_key_t *key);
int netblock_match(struct conf_iface_t *a1, const struct sockaddr_storage *a2);
/*!
* \brief Match address against ACL.
*
* \param acl Pointer to ACL instance.
* \param addr IP address.
* \param key_name TSIG key name (optional)
*
* \retval Matching rule instance if found.
* \retval NULL if it didn't find a match.
*/
acl_match_t* acl_find(acl_t *acl, const struct sockaddr_storage *addr, const knot_dname_t *key_name);
/*!
* \brief Truncate ACL.
*
* All but the default rule will be dropped.
*
* \param acl Pointer to ACL instance.
*/
void acl_truncate(acl_t *acl);
struct conf_iface_t* acl_find(list_t *acl, const struct sockaddr_storage *addr,
const knot_dname_t *key_name);
#endif /* _KNOTD_ACL_H_ */
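Review bot: The Doxygen comment kept above `acl_find` still documents the removed API — `\param acl Pointer to ACL instance.` and `\retval Matching rule instance if found.` — while the function now takes a `list_t` of `conf_remote_t` entries and returns the matching `struct conf_iface_t *`; update them to `\param acl List of conf_remote_t entries to search.` and `\retval Matching remote interface (borrowed from the list, not owned by the caller) if found.`. The brief on `netblock_match`, `Match address against netblock.`, should likewise say that the netblock is taken from the interface's address and prefix. Stating the borrowed ownership matters here because callers now hold a pointer into configuration rather than into a list the zone owned.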
......
......@@ -34,39 +34,6 @@
#include "libknot/util/utils.h"
#include "libknot/rrtype/soa.h"
/*!
* \brief Set ACL list from configuration.
*
* \param acl ACL to be created.
* \param acl_list List of remotes from configuration.
*
* \retval KNOT_EOK on success.
* \retval KNOT_EINVAL on invalid parameters.
* \retval KNOT_ENOMEM on failed memory allocation.
*/
static int set_acl(acl_t **acl, list_t* acl_list)
{
assert(acl);
assert(acl_list);
/* Create new ACL. */
acl_t *new_acl = acl_new();
if (new_acl == NULL) {
return KNOT_ENOMEM;
}
/* Load ACL rules. */
conf_remote_t *r = 0;
WALK_LIST(r, *acl_list) {
conf_iface_t *cfg_if = r->remote;
acl_insert(new_acl, &cfg_if->addr, cfg_if->prefix, cfg_if->key);
}
*acl = new_acl;
return KNOT_EOK;
}
static void free_ddns_queue(zone_t *z)
{
struct request_data *n = NULL;
......@@ -107,11 +74,6 @@ zone_t* zone_new(conf_zone_t *conf)
pthread_mutex_init(&zone->ddns_lock, 0);
init_list(&zone->ddns_queue);
// ACLs
set_acl(&zone->xfr_out, &conf->acl.xfr_out);
set_acl(&zone->notify_in, &conf->acl.notify_in);
set_acl(&zone->update_in, &conf->acl.update_in);
// Initialize events
zone_events_init(zone);
......@@ -130,9 +92,6 @@ void zone_free(zone_t **zone_ptr)
knot_dname_free(&zone->name, NULL);
acl_delete(&zone->xfr_out);
acl_delete(&zone->notify_in);
acl_delete(&zone->update_in);
free_ddns_queue(zone);
pthread_mutex_destroy(&zone->ddns_lock);
......
......@@ -61,11 +61,6 @@ typedef struct zone_t
pthread_mutex_t ddns_lock;
list_t ddns_queue;
/*! \brief Access control lists. */
acl_t *xfr_out; /*!< ACL for outgoing transfers.*/
acl_t *notify_in; /*!< ACL for incoming notifications.*/
acl_t *update_in; /*!< ACL for incoming updates.*/
/*! \brief Zone events. */
zone_events_t events; /*!< Zone events timers. */
uint32_t bootstrap_retry; /*!< AXFR/IN bootstrap retry. */
......
......@@ -22,92 +22,128 @@
#include "common/errcode.h"
#include "common/sockaddr.h"
#include "knot/updates/acl.h"
#include "knot/conf/conf.h"
static int acl_insert(list_t *acl, const struct sockaddr_storage *addr,
uint8_t prefix, knot_tsig_key_t *key)
{
assert(acl);
assert(addr);
conf_iface_t *iface = malloc(sizeof(conf_iface_t));
assert(iface);
conf_remote_t *remote = malloc(sizeof(conf_remote_t));
assert(remote);
remote->remote = iface;
memset(iface, 0, sizeof(conf_iface_t));
iface->prefix = prefix;
iface->key = key;
memcpy(&iface->addr, addr, sizeof(struct sockaddr_storage));
add_tail(acl, &remote->n);
return KNOT_EOK;
}
int main(int argc, char *argv[])
{
plan(14);
plan(15);
// 1. Create an ACL
acl_match_t *match = NULL;
acl_t *acl = acl_new();
ok(acl != 0, "acl: new");
conf_iface_t *match = NULL;
list_t acl;
init_list(&acl);
// 2. Create IPv4 address
// Create IPv4 address
struct sockaddr_storage test_v4;
int ret = sockaddr_set(&test_v4, AF_INET, "127.0.0.1", 12345);
ok(ret == KNOT_EOK, "acl: new IPv4 address");
// 3. Create IPv6 address
// Create IPv6 address
struct sockaddr_storage test_v6;
ret = sockaddr_set(&test_v6, AF_INET6, "::1", 54321);
ok(ret == KNOT_EOK, "acl: new IPv6 address");
// 4. Create simple IPv4 rule
ret = acl_insert(acl, &test_v4, IPV4_PREFIXLEN, NULL);
// Create simple IPv4 rule
ret = acl_insert(&acl, &test_v4, IPV4_PREFIXLEN, NULL);
ok(ret == KNOT_EOK, "acl: inserted IPv4 rule");
// 5. Create simple IPv6 rule
ret = acl_insert(acl, &test_v6, IPV6_PREFIXLEN, NULL);
// Create simple IPv6 rule
ret = acl_insert(&acl, &test_v6, IPV6_PREFIXLEN, NULL);
ok(ret == KNOT_EOK, "acl: inserted IPv6 rule");
// 7. Attempt to match unmatching address
// Attempt to match unmatching address
struct sockaddr_storage unmatch_v4;
sockaddr_set(&unmatch_v4, AF_INET, "10.10.10.10", 24424);
match = acl_find(acl, &unmatch_v4, NULL);
match = acl_find(&acl, &unmatch_v4, NULL);
ok(match == NULL, "acl: matching non-existing address");
// 8. Attempt to match unmatching IPv6 address
// Attempt to match unmatching IPv6 address
struct sockaddr_storage unmatch_v6;
sockaddr_set(&unmatch_v6, AF_INET6, "2001:db8::1428:57ab", 24424);
match = acl_find(acl, &unmatch_v6, NULL);
match = acl_find(&acl, &unmatch_v6, NULL);
ok(match == NULL, "acl: matching non-existing IPv6 address");
// 9. Attempt to match matching address
match = acl_find(acl, &test_v4, NULL);
// Attempt to match matching address
match = acl_find(&acl, &test_v4, NULL);
ok(match != NULL, "acl: matching existing address");
// 10. Attempt to match matching address
match = acl_find(acl, &test_v6, NULL);
// Attempt to match matching address
match = acl_find(&acl, &test_v6, NULL);
ok(match != NULL, "acl: matching existing IPv6 address");
// 14. Attempt to match subnet
// Attempt to match subnet
struct sockaddr_storage match_pf4, test_pf4;
sockaddr_set(&match_pf4, AF_INET, "192.168.1.0", 0);
acl_insert(acl, &match_pf4, 24, NULL);
acl_insert(&acl, &match_pf4, 24, NULL);
sockaddr_set(&test_pf4, AF_INET, "192.168.1.20", 0);
match = acl_find(acl, &test_pf4, NULL);
match = acl_find(&acl, &test_pf4, NULL);
ok(match != NULL, "acl: searching address in matching prefix /24");
// 15. Attempt to search non-matching subnet
// Attempt to search non-matching subnet
sockaddr_set(&test_pf4, AF_INET, "192.168.2.20", 0);
match = acl_find(acl, &test_pf4, NULL);
match = acl_find(&acl, &test_pf4, NULL);
ok(match == NULL, "acl: searching address in non-matching prefix /24");
// 16. Attempt to match v6 subnet
// Attempt to match v6 subnet
struct sockaddr_storage match_pf6, test_pf6;
sockaddr_set(&match_pf6, AF_INET6, "2001:0DB8:0400:000e:0:0:0:AB00", 0);
acl_insert(acl, &match_pf6, 120, NULL);
acl_insert(&acl, &match_pf6, 120, NULL);
sockaddr_set(&test_pf6, AF_INET6, "2001:0DB8:0400:000e:0:0:0:AB03", 0);
match = acl_find(acl, &test_pf6, NULL);
match = acl_find(&acl, &test_pf6, NULL);
ok(match != NULL, "acl: searching v6 address in matching prefix /120");
// 17. Attempt to search non-matching subnet
// Attempt to search non-matching subnet
sockaddr_set(&test_pf6, AF_INET6, "2001:0DB8:0400:000e:0:0:0:CCCC", 0);
match = acl_find(acl, &test_pf6, NULL);
match = acl_find(&acl, &test_pf6, NULL);
ok(match == NULL, "acl: searching v6 address in non-matching prefix /120");
// 18. Scenario after truncating
acl_truncate(acl);
sockaddr_set(&test_pf6, AF_INET6, "2001:a1b0:e11e:50d1::3:300", 0);
acl_insert(acl, &test_pf6, IPV6_PREFIXLEN, NULL);
sockaddr_set(&test_pf4, AF_INET, "231.17.67.223", 0);
acl_insert(acl, &test_pf4, IPV4_PREFIXLEN, NULL);
sockaddr_set(&test_pf4, AF_INET, "82.87.48.136", 0);
acl_insert(acl, &test_pf4, IPV4_PREFIXLEN, NULL);
sockaddr_set(&match_pf4, AF_INET, "82.87.48.136", 12345);
match = acl_find(acl, &match_pf4, NULL);
ok(match != NULL, "acl: scenario after truncating");
acl_delete(&acl);
// Attempt to search subnet with key (multiple keys)
knot_tsig_key_t key_a, key_b;
knot_tsig_create_key("tsig-key1", KNOT_TSIG_ALG_HMAC_MD5, "Wg==", &key_a);
knot_tsig_create_key("tsig-key2", KNOT_TSIG_ALG_HMAC_MD5, "Wg==", &key_b);
acl_insert(&acl, &match_pf6, 120, &key_a);
acl_insert(&acl, &match_pf6, 120, &key_b);
sockaddr_set(&test_pf6, AF_INET6, "2001:0DB8:0400:000e:0:0:0:AB03", 0);
match = acl_find(&acl, &test_pf6, key_a.name);
ok(match != NULL && match->key == &key_a, "acl: searching v6 address with TSIG key A");
match = acl_find(&acl, &test_pf6, key_b.name);
ok(match != NULL && match->key == &key_b, "acl: searching v6 address with TSIG key B");
// Attempt to search subnet with mismatching key
knot_tsig_key_t badkey;
knot_tsig_create_key("tsig-bad", KNOT_TSIG_ALG_HMAC_MD5, "Wg==", &badkey);
match = acl_find(&acl, &test_pf6, badkey.name);
ok(match == NULL, "acl: searching v6 address with bad TSIG key");
knot_tsig_key_free(&badkey);
knot_tsig_key_free(&key_a);
knot_tsig_key_free(&key_b);
conf_remote_t *remote = NULL, *next = NULL;
WALK_LIST_DELSAFE(remote, next, acl) {
free(remote->remote);
free(remote);
}
// Return
return 0;
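Review bot: The test-local `acl_insert` checks both `malloc` results only with `assert()` (`assert(iface);`, `assert(remote);`), so under NDEBUG a failed allocation continues into `remote->remote = iface` and `memset(iface, …)` on NULL; replace them with explicit failures, `if (iface == NULL) return KNOT_ENOMEM;` and, for the second, `if (remote == NULL) { free(iface); return KNOT_ENOMEM; }` — the first two callers already check `ret == KNOT_EOK`. The `knot_tsig_create_key` return values are also ignored, so if key creation fails `key_a.name` / `key_b.name` are read uninitialized in the TSIG assertions; an `ok(ret == KNOT_EOK, "acl: create key")` per key (and a corresponding `plan` bump) would make the key-matching cases self-diagnosing. Freeing the keys before the list entries that point at them is fine here because the entries hold only the pointers and are not dereferenced afterwards.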
......