mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve

Browse Source 
sit-secrets documentation. [RT #36980]
This commit is contained in:
Mark Andrews
2014-08-29 14:35:21 +10:00
parent 05d81eae94
commit 7c73ac5e13
6 changed files with 84 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secrets documentation. [RT #36980]
3933. [bug] Corrected the implementation of dns_rdata_casecompare()
for the HIP rdata type. [RT #36911]

3
bin/tests/system/sit/bad-sit-badhex.conf Normal file
View File

@@ -0,0 +1,3 @@
options {
sit-secret "012345678901234567890123456789012345678901234567890123456789012";
};

3
bin/tests/system/sit/bad-sit-toolong.conf Normal file
View File

@@ -0,0 +1,3 @@
options {
sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
};

9
bin/tests/system/sit/tests.sh
View File

@@ -32,6 +32,15 @@ havetc() {
grep 'flags:.* tc[^;]*;' $1 > /dev/null
}
for bad in bad*.conf
do
ret=0
echo "I:checking that named-checkconf detects error in $bad"
$CHECKCONF $bad > /dev/null 2>&1
if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
done
n=`expr $n + 1`
echo "I:checking SIT token returned to empty SIT option ($n)"
ret=0

8
doc/arm/Bv9ARM-book.xml
View File

@@ -6421,12 +6421,16 @@ options {
</varlistentry>
<varlistentry>
<term><command>sit-secret</command></term> <listitem>
<term><command>sit-secret</command></term>
<listitem>
<para>
If set, this is a shared secret used for generating
and verifying Source Identity Token EDNS options
within a anycast cluster. If not set the system
will generate a random secret at startup.
will generate a random secret at startup. The
shared secret is encoded as a hex string and needs
to be 128 bits for AES128, 160 bits for SHA1 and
256 bits for SHA256.
</para>
</listitem>
</varlistentry>

60
lib/bind9/check.c
View File

@@ -24,10 +24,12 @@
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/file.h>
#include <isc/hex.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
@@ -35,6 +37,18 @@
#include <isc/symtab.h>
#include <isc/util.h>
#ifdef ISC_PLATFORM_USESIT
#ifdef AES_SIT
#include <isc/aes.h>
#endif
#ifdef HMAC_SHA1_SIT
#include <isc/sha1.h>
#endif
#ifdef HMAC_SHA256_SIT
#include <isc/sha2.h>
#endif
#endif
#include <dns/acl.h>
#include <dns/fixedname.h>
#include <dns/rdataclass.h>
@@ -1186,6 +1200,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"(%d seconds)", recheck, lifetime);
}
#ifdef ISC_PLATFORM_USESIT
obj = NULL;
(void) cfg_map_get(options, "sit-secret", &obj);
if (obj != NULL) {
isc_buffer_t b;
unsigned char secret[32];
memset(secret, 0, sizeof(secret));
isc_buffer_init(&b, secret, sizeof(secret));
tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b);
if (tresult == ISC_R_NOSPACE) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"sit-secret: too long");
} else if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"sit-secret: invalid hex string");
}
if (tresult != ISC_R_SUCCESS)
result = tresult;
#ifdef AES_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"AES sit-secret must be on 128 bits");
result = ISC_R_RANGE;
}
#endif
#ifdef HMAC_SHA1_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA1 sit-secret must be on 160 bits");
result = ISC_R_RANGE;
}
#endif
#ifdef HMAC_SHA256_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA256 sit-secret must be on 256 bits");
result = ISC_R_RANGE;
}
#endif
}
#endif
return (result);
}