2956. [bug] named-checkconf did not fail on a bad trusted key.
authorMark Andrews <marka@isc.org>
Thu, 4 Mar 2010 06:17:01 +0000 (06:17 +0000)
committerMark Andrews <marka@isc.org>
Thu, 4 Mar 2010 06:17:01 +0000 (06:17 +0000)
                        [RT #20705]

CHANGES
bin/named/server.c
lib/bind9/check.c

diff --git a/CHANGES b/CHANGES
index 2dfe4c04c9f112113cd72fb09691e48adb6c20d8..803f3a93746efbb9bf47f75d4e63fb93f0f49f6b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2956.  [bug]           named-checkconf did not fail on a bad trusted key.
+                       [RT #20705]
+
 2955.  [bug]           The size of a memory allocation was not always properly
                        recorded. [RT #20927]
 
index 913ebe2dcb4a0b6f1b96986f86db9d2d9af5bbe9..436ce6301919c94f75ad85a331032e03edd48aaa 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.563 2010/02/25 04:39:12 marka Exp $ */
+/* $Id: server.c,v 1.564 2010/03/04 06:17:01 marka Exp $ */
 
 /*! \file */
 
@@ -479,7 +479,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
                const char *initmethod;
                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
 
-               if (strcmp(initmethod, "initial-key") != 0) {
+               if (strcasecmp(initmethod, "initial-key") != 0) {
                        cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
                                    "managed key '%s': "
                                    "invalid initialization method '%s'",
index 785f58317199e20ea5e38d07f77bf1d9d3eb8f41..b6ca21821bc0ad5ae89475ce9b8a9efb462227bd 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.114 2009/12/04 21:09:33 marka Exp $ */
+/* $Id: check.c,v 1.115 2010/03/04 06:17:01 marka Exp $ */
 
 /*! \file */
 
@@ -42,6 +42,8 @@
 #include <dns/rdatatype.h>
 #include <dns/secalg.h>
 
+#include <dst/dst.h>
+
 #include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>
 
@@ -1739,6 +1741,78 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
        return (result);
 }
 
+static isc_result_t
+check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
+                 isc_log_t *logctx)
+{
+       const char *keystr, *keynamestr;
+       dns_fixedname_t fkeyname;
+       dns_name_t *keyname;
+       isc_buffer_t keydatabuf;
+       isc_region_t r;
+       isc_result_t result = ISC_R_SUCCESS;
+       isc_result_t tresult;
+       isc_uint32_t flags, proto, alg;
+       unsigned char keydata[4096];
+
+        flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+        proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+        alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+        keyname = dns_fixedname_name(&fkeyname);
+        keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+        if (flags > 0xffff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+                           "flags too big: %u\n", flags);
+               result = ISC_R_FAILURE;
+       }
+        if (proto > 0xff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+                           "protocol too big: %u\n", proto);
+               result = ISC_R_FAILURE;
+       }
+        if (alg > 0xff) {
+                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+                           "algorithm too big: %u\n", alg);
+               result = ISC_R_FAILURE;
+       }
+
+       if (managed) {
+                const char *initmethod;
+                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+                if (strcasecmp(initmethod, "initial-key") != 0) {
+                        cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+                                    "managed key '%s': "
+                                    "invalid initialization method '%s'",
+                                    keynamestr, initmethod);
+                        result = ISC_R_FAILURE;
+               }
+       }
+
+        isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+
+        keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+        tresult = isc_base64_decodestring(keystr, &keydatabuf);
+
+       if (tresult != ISC_R_SUCCESS) {
+                cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+                           "%s", isc_result_totext(tresult));
+               result = ISC_R_FAILURE;
+       } else {
+               isc_buffer_usedregion(&keydatabuf, &r);
+
+               if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+                   r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+                       cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+                                   "%s key '%s' has a weak exponent",
+                                   managed ? "managed" : "trusted",
+                                   keynamestr);
+       }
+
+       return (result);
+}
+
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
               const char *viewname, dns_rdataclass_t vclass,
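Review bot: `keyname` is initialised from `fkeyname` near the top of check_trusted_key() but never used again, so the key's owner name is never parsed and named-checkconf still accepts a trusted-keys or managed-keys entry whose name named would reject at load time; either drop `fkeyname`/`keyname` or parse `keynamestr` with dns_name_fromtext() and fail the check on error, as sketched below. The flags/protocol/algorithm range checks log at ISC_LOG_WARNING yet set `result = ISC_R_FAILURE`, so the run fails on something reported as a warning — ISC_LOG_ERROR would match the other failing checks in this function, and the trailing `\n` in those three format strings is presumably redundant with cfg_obj_log's own line termination (confirm against the messages in server.c). The key material itself is only base64-decoded here, not parsed as a DNSKEY, so some malformed keys that named would reject will still pass this check. Indentation in the new function mixes 8-space runs (the cfg_tuple_get lines) with tabs (the `result = ISC_R_FAILURE;` lines); the rest of check.c uses tabs.
```c
	isc_buffer_t namebuf;
	/* … unchanged: other declarations, flags/protocol/algorithm checks … */

	/* Reject a key whose owner name does not parse, as named would. */
	isc_buffer_init(&namebuf, DE_CONST(keynamestr), strlen(keynamestr));
	isc_buffer_add(&namebuf, strlen(keynamestr));
	tresult = dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL);
	if (tresult != ISC_R_SUCCESS) {
		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
			    "%s key '%s': bad key name: %s",
			    managed ? "managed" : "trusted", keynamestr,
			    isc_result_totext(tresult));
		result = ISC_R_FAILURE;
	}
	/* … unchanged: managed init-method check, base64 decode, weak-exponent warning … */
```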
@@ -1746,7 +1820,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 {
        const cfg_obj_t *zones = NULL;
        const cfg_obj_t *keys = NULL;
-       const cfg_listelt_t *element;
+       const cfg_listelt_t *element, *element2;
        isc_symtab_t *symtab = NULL;
        isc_result_t result = ISC_R_SUCCESS;
        isc_result_t tresult = ISC_R_SUCCESS;
@@ -1887,6 +1961,53 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
                cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
                            "'dnssec-validation yes;' and 'dnssec-enable no;'");
 
+       /*
+        * Check trusted-keys and managed-keys.
+        */
+       keys = NULL;
+       if (voptions != NULL)
+               (void)cfg_map_get(voptions, "trusted-keys", &keys);
+       if (keys == NULL)
+               (void)cfg_map_get(config, "trusted-keys", &keys);
+
+       for (element = cfg_list_first(keys);
+            element != NULL;
+            element = cfg_list_next(element))
+       {
+               const cfg_obj_t *keylist = cfg_listelt_value(element);
+               for (element2 = cfg_list_first(keylist);
+                    element2 != NULL;
+                    element2 = cfg_list_next(element2)) {
+                       obj = cfg_listelt_value(element2);
+                       tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+                       if (tresult != ISC_R_SUCCESS)
+                               result = tresult;
+               }
+       }
+
+       keys = NULL;
+       if (voptions != NULL)
+               (void)cfg_map_get(voptions, "managed-keys", &keys);
+       if (keys == NULL)
+               (void)cfg_map_get(config, "managed-keys", &keys);
+
+       for (element = cfg_list_first(keys);
+            element != NULL;
+            element = cfg_list_next(element))
+       {
+               const cfg_obj_t *keylist = cfg_listelt_value(element);
+               for (element2 = cfg_list_first(keylist);
+                    element2 != NULL;
+                    element2 = cfg_list_next(element2)) {
+                       obj = cfg_listelt_value(element2);
+                       tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+                       if (tresult != ISC_R_SUCCESS)
+                               result = tresult;
+               }
+       }
+       /*
+        * Check options.
+        */
        if (voptions != NULL)
                tresult = check_options(voptions, logctx, mctx);
        else
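Review bot: The trusted-keys and managed-keys passes added to check_viewconf() are the same nested loop written out twice, differing only in the ISC_FALSE/ISC_TRUE argument to check_trusted_key(); a small static helper taking `keys`, `managed` and `logctx` would keep the two in step when the lookup or error handling changes, as sketched below. The loops also reuse `obj`, which the preceding dnssec-validation check left pointing at its option object — harmless if nothing later in check_viewconf reads `obj` again, but worth confirming since the rest of the function is outside the hunk. The `/* Check options. */` comment should be preceded by a blank line like the other section comments in this function.
```c
/* Run check_trusted_key() over every key in every list in `keys`. */
static isc_result_t
check_keylists(const cfg_obj_t *keys, isc_boolean_t managed, isc_log_t *logctx)
{
	const cfg_listelt_t *element, *element2;
	isc_result_t result = ISC_R_SUCCESS, tresult;

	for (element = cfg_list_first(keys);
	     element != NULL;
	     element = cfg_list_next(element))
	{
		const cfg_obj_t *keylist = cfg_listelt_value(element);
		for (element2 = cfg_list_first(keylist);
		     element2 != NULL;
		     element2 = cfg_list_next(element2)) {
			tresult = check_trusted_key(cfg_listelt_value(element2),
						    managed, logctx);
			if (tresult != ISC_R_SUCCESS)
				result = tresult;
		}
	}
	return (result);
}

	/* … in check_viewconf(), replacing each of the two nested loops … */
	tresult = check_keylists(keys, ISC_FALSE, logctx);
	if (tresult != ISC_R_SUCCESS)
		result = tresult;
```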