2956. [bug] named-checkconf did not fail on a bad trusted key.

[RT #20705]
2025-08-31 06:25:31 +00:00 · 2010-03-04 06:17:01 +00:00
parent 5388178e8a
commit 92348098eb
3 changed files with 128 additions and 4 deletions
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: check.c,v 1.114 2009/12/04 21:09:33 marka Exp $ */
+/* $Id: check.c,v 1.115 2010/03/04 06:17:01 marka Exp $ */

 /*! \file */

@@ -42,6 +42,8 @@
 #include <dns/rdatatype.h>
 #include <dns/secalg.h>

+#include <dst/dst.h>
+
 #include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>

@@ -1739,6 +1741,78 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	return (result);
 }

+static isc_result_t
+check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
+		  isc_log_t *logctx)
+{
+	const char *keystr, *keynamestr;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname;
+	isc_buffer_t keydatabuf;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_uint32_t flags, proto, alg;
+	unsigned char keydata[4096];
+
+        flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+        proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+        alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+        keyname = dns_fixedname_name(&fkeyname);
+        keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+        if (flags > 0xffff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "flags too big: %u\n", flags);
+		result = ISC_R_FAILURE;
+	}
+        if (proto > 0xff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "protocol too big: %u\n", proto);
+		result = ISC_R_FAILURE;
+	}
+        if (alg > 0xff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "algorithm too big: %u\n", alg);
+		result = ISC_R_FAILURE;
+	}
+
+	if (managed) {
+                const char *initmethod;
+                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+                if (strcasecmp(initmethod, "initial-key") != 0) {
+                        cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+                                    "managed key '%s': "
+                                    "invalid initialization method '%s'",
+                                    keynamestr, initmethod);
+                        result = ISC_R_FAILURE;
+		}
+	}
+
+        isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+
+        keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+        tresult = isc_base64_decodestring(keystr, &keydatabuf);
+
+	if (tresult != ISC_R_SUCCESS) {
+                cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+			    "%s", isc_result_totext(tresult));
+		result = ISC_R_FAILURE;
+	} else {
+		isc_buffer_usedregion(&keydatabuf, &r);
+
+		if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+		    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+			cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+				    "%s key '%s' has a weak exponent",
+				    managed ? "managed" : "trusted",
+				    keynamestr);
+	}
+
+	return (result);
+}
+
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	       const char *viewname, dns_rdataclass_t vclass,
@@ -1746,7 +1820,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 {
 	const cfg_obj_t *zones = NULL;
 	const cfg_obj_t *keys = NULL;
-	const cfg_listelt_t *element;
+	const cfg_listelt_t *element, *element2;
 	isc_symtab_t *symtab = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
@@ -1887,6 +1961,53 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
 			    "'dnssec-validation yes;' and 'dnssec-enable no;'");

+	/*
+	 * Check trusted-keys and managed-keys.
+	 */
+	keys = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "trusted-keys", &keys);
+	if (keys == NULL)
+		(void)cfg_map_get(config, "trusted-keys", &keys);
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			obj = cfg_listelt_value(element2);
+			tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	keys = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "managed-keys", &keys);
+	if (keys == NULL)
+		(void)cfg_map_get(config, "managed-keys", &keys);
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			obj = cfg_listelt_value(element2);
+			tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+	/*
+	 * Check options.
+	 */
 	if (voptions != NULL)
 		tresult = check_options(voptions, logctx, mctx);
 	else