]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
authorMark Andrews <marka@isc.org>
Fri, 29 Aug 2014 04:35:21 +0000 (14:35 +1000)
committerMark Andrews <marka@isc.org>
Fri, 29 Aug 2014 04:35:21 +0000 (14:35 +1000)
                        sit-secrets documentation. [RT #36980]

CHANGES
bin/tests/system/sit/bad-sit-badhex.conf [new file with mode: 0644]
bin/tests/system/sit/bad-sit-toolong.conf [new file with mode: 0644]
bin/tests/system/sit/tests.sh
doc/arm/Bv9ARM-book.xml
lib/bind9/check.c

diff --git a/CHANGES b/CHANGES
index 4e17e0333ec671bbf7e0f3c05215aaa43cb0f184..cdf0f420172c73ba2894f1d329eb8dededc45cd0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3934.  [bug]           Catch bad 'sit-secret' in named-checkconf.  Improve
+                       sit-secrets documentation. [RT #36980]
+
 3933.  [bug]           Corrected the implementation of dns_rdata_casecompare()
                        for the HIP rdata type.  [RT #36911]
 
diff --git a/bin/tests/system/sit/bad-sit-badhex.conf b/bin/tests/system/sit/bad-sit-badhex.conf
new file mode 100644 (file)
index 0000000..6b84d8a
--- /dev/null
@@ -0,0 +1,3 @@
+options {
+       sit-secret "012345678901234567890123456789012345678901234567890123456789012";
+};
diff --git a/bin/tests/system/sit/bad-sit-toolong.conf b/bin/tests/system/sit/bad-sit-toolong.conf
new file mode 100644 (file)
index 0000000..aec4d25
--- /dev/null
@@ -0,0 +1,3 @@
+options {
+       sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
+};
index fa1a71abb0adf9716c58a38c785f30685494cfa1..5842a9871421bb86790ac5d2dc1443b52a739e52 100755 (executable)
@@ -32,6 +32,15 @@ havetc() {
        grep 'flags:.* tc[^;]*;' $1 > /dev/null
 }
 
+for bad in bad*.conf
+do
+        ret=0
+        echo "I:checking that named-checkconf detects error in $bad"
+        $CHECKCONF $bad > /dev/null 2>&1
+        if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
+        status=`expr $status + $ret`
+done
+
 n=`expr $n + 1`
 echo "I:checking SIT token returned to empty SIT option ($n)"
 ret=0
index 7562a331ed654d1ee4e68bc94ca6d7cc15cbb3aa..01f2c207c33620b64c35f7f582e34359d96e17bc 100644 (file)
@@ -6421,12 +6421,16 @@ options {
            </varlistentry>
 
            <varlistentry>
-             <term><command>sit-secret</command></term> <listitem>
+             <term><command>sit-secret</command></term>
+             <listitem>
                <para>
                  If set, this is a shared secret used for generating
                  and verifying Source Identity Token EDNS options
                  within a anycast cluster.  If not set the system
-                 will generate a random secret at startup.
+                 will generate a random secret at startup.  The
+                 shared secret is encoded as a hex string and needs
+                 to be 128 bits for AES128, 160 bits for SHA1 and
+                 256 bits for SHA256.
                </para>
              </listitem>
            </varlistentry>
index a8d5e00aa61211cacb94b39ebe002decbc314444..38c1b244ed4bbf04f5cefcb8301883b45a9d8216 100644 (file)
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/file.h>
+#include <isc/hex.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
+#include <isc/platform.h>
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
 #include <isc/symtab.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_USESIT
+#ifdef AES_SIT
+#include <isc/aes.h>
+#endif
+#ifdef HMAC_SHA1_SIT
+#include <isc/sha1.h>
+#endif
+#ifdef HMAC_SHA256_SIT
+#include <isc/sha2.h>
+#endif
+#endif
+
 #include <dns/acl.h>
 #include <dns/fixedname.h>
 #include <dns/rdataclass.h>
@@ -1186,6 +1200,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
                                    "(%d seconds)", recheck, lifetime);
        }
 
+#ifdef ISC_PLATFORM_USESIT
+        obj = NULL;
+        (void) cfg_map_get(options, "sit-secret", &obj);
+        if (obj != NULL) {
+                isc_buffer_t b;
+               unsigned char secret[32];
+
+                memset(secret, 0, sizeof(secret));
+                isc_buffer_init(&b, secret, sizeof(secret));
+                tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b);
+               if (tresult == ISC_R_NOSPACE) { 
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "sit-secret: too long");
+               } else if (tresult != ISC_R_SUCCESS) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "sit-secret: invalid hex string");
+               }
+               if (tresult != ISC_R_SUCCESS)
+                       result = tresult;
+#ifdef AES_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                    "AES sit-secret must be on 128 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+#ifdef HMAC_SHA1_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "SHA1 sit-secret must be on 160 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+#ifdef HMAC_SHA256_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                    "SHA256 sit-secret must be on 256 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+        }
+#endif
+
        return (result);
 }