3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve

                        sit-secrets documentation. [RT #36980]

(cherry picked from commit 7c73ac5e130db18837724ab53d46b23ddb98ce6e)

diff --git a/CHANGES b/CHANGES
index a588f6085ab400e3f3e7ed4fc60343151c2e9036..620298746b2084532bd0f3a4bb9c30d4ded46da8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3934.  [bug]           Catch bad 'sit-secret' in named-checkconf.  Improve
+                       sit-secrets documentation. [RT #36980]
+
 3933.  [bug]           Corrected the implementation of dns_rdata_casecompare()
                        for the HIP rdata type.  [RT #36911]
 

diff --git a/bin/tests/system/sit/bad-sit-badhex.conf b/bin/tests/system/sit/bad-sit-badhex.conf
new file mode 100644 (file)
index 0000000..6b84d8a
--- /dev/null
+++ b/bin/tests/system/sit/bad-sit-badhex.conf
@@ -0,0 +1,3 @@
+options {
+       sit-secret "012345678901234567890123456789012345678901234567890123456789012";
+};

diff --git a/bin/tests/system/sit/bad-sit-toolong.conf b/bin/tests/system/sit/bad-sit-toolong.conf
new file mode 100644 (file)
index 0000000..aec4d25
--- /dev/null
+++ b/bin/tests/system/sit/bad-sit-toolong.conf
@@ -0,0 +1,3 @@
+options {
+       sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
+};

diff --git a/bin/tests/system/sit/tests.sh b/bin/tests/system/sit/tests.sh
index fa1a71abb0adf9716c58a38c785f30685494cfa1..5842a9871421bb86790ac5d2dc1443b52a739e52 100755 (executable)
--- a/bin/tests/system/sit/tests.sh
+++ b/bin/tests/system/sit/tests.sh
@@ -32,6 +32,15 @@ havetc() {
        grep 'flags:.* tc[^;]*;' $1 > /dev/null
 }
 
+for bad in bad*.conf
+do
+        ret=0
+        echo "I:checking that named-checkconf detects error in $bad"
+        $CHECKCONF $bad > /dev/null 2>&1
+        if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
+        status=`expr $status + $ret`
+done
+
 n=`expr $n + 1`
 echo "I:checking SIT token returned to empty SIT option ($n)"
 ret=0

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4d7c8c0aa9df3410014b4fd0770b2af0674f2dda..8551db603023ff801f3aad6fb3821d3c9bdd7764 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6318,12 +6318,16 @@ options {
            </varlistentry>
 
            <varlistentry>
-             <term><command>sit-secret</command></term> <listitem>
+             <term><command>sit-secret</command></term>
+             <listitem>
                <para>
                  If set, this is a shared secret used for generating
                  and verifying Source Identity Token EDNS options
                  within a anycast cluster.  If not set the system
-                 will generate a random secret at startup.
+                 will generate a random secret at startup.  The
+                 shared secret is encoded as a hex string and needs
+                 to be 128 bits for AES128, 160 bits for SHA1 and
+                 256 bits for SHA256.
                </para>
              </listitem>
            </varlistentry>

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index a4a5b356e1bacf6cc6b89f8e1665c016f36d0496..1c5192cf0f63c6cee6a54958d5b8056caaea52ba 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -24,10 +24,12 @@
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/file.h>
+#include <isc/hex.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
+#include <isc/platform.h>
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
@@ -35,6 +37,18 @@
 #include <isc/symtab.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_USESIT
+#ifdef AES_SIT
+#include <isc/aes.h>
+#endif
+#ifdef HMAC_SHA1_SIT
+#include <isc/sha1.h>
+#endif
+#ifdef HMAC_SHA256_SIT
+#include <isc/sha2.h>
+#endif
+#endif
+
 #include <dns/acl.h>
 #include <dns/fixedname.h>
 #include <dns/rdataclass.h>
@@ -1153,6 +1167,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
        if (tresult != ISC_R_SUCCESS)
                result = tresult;
 
+#ifdef ISC_PLATFORM_USESIT
+        obj = NULL;
+        (void) cfg_map_get(options, "sit-secret", &obj);
+        if (obj != NULL) {
+                isc_buffer_t b;
+               unsigned char secret[32];
+
+                memset(secret, 0, sizeof(secret));
+                isc_buffer_init(&b, secret, sizeof(secret));
+                tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b);
+               if (tresult == ISC_R_NOSPACE) { 
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "sit-secret: too long");
+               } else if (tresult != ISC_R_SUCCESS) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "sit-secret: invalid hex string");
+               }
+               if (tresult != ISC_R_SUCCESS)
+                       result = tresult;
+#ifdef AES_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                    "AES sit-secret must be on 128 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+#ifdef HMAC_SHA1_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "SHA1 sit-secret must be on 160 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+#ifdef HMAC_SHA256_SIT
+                if (tresult == ISC_R_SUCCESS &&
+                   isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                    "SHA256 sit-secret must be on 256 bits");
+                       result = ISC_R_RANGE;
+               }
+#endif
+        }
+#endif
+
        return (result);
 }