From 92348098ebe7ef4c26bfe2204a7364fa18735afc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Mar 2010 06:17:01 +0000 Subject: [PATCH] 2956. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705] --- CHANGES | 3 ++ bin/named/server.c | 4 +- lib/bind9/check.c | 125 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 128 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 2dfe4c04c9..803f3a9374 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2956. [bug] named-checkconf did not fail on a bad trusted key. + [RT #20705] + 2955. [bug] The size of a memory allocation was not always properly recorded. [RT #20927] diff --git a/bin/named/server.c b/bin/named/server.c index 913ebe2dcb..436ce63019 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.563 2010/02/25 04:39:12 marka Exp $ */ +/* $Id: server.c,v 1.564 2010/03/04 06:17:01 marka Exp $ */ /*! \file */ @@ -479,7 +479,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, const char *initmethod; initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init")); - if (strcmp(initmethod, "initial-key") != 0) { + if (strcasecmp(initmethod, "initial-key") != 0) { cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR, "managed key '%s': " "invalid initialization method '%s'", diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 785f583171..b6ca21821b 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.114 2009/12/04 21:09:33 marka Exp $ */ +/* $Id: check.c,v 1.115 2010/03/04 06:17:01 marka Exp $ */ /*! \file */ @@ -42,6 +42,8 @@ #include #include +#include + #include #include 
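Review bot: In bin/named/server.c the `strcasecmp(initmethod, "initial-key")` test in dstkey_fromconfig now has a second copy, with the same literal and message, in check_trusted_key in lib/bind9/check.c. Nothing ties the two together, so they can drift and named-checkconf could again accept a managed key that named rejects, or the reverse. A comment on both copies would help, e.g. `/* Keep in sync with check_trusted_key() in lib/bind9/check.c. */`, and it could also state that matching the keyword case-insensitively is intentional. dstkey_fromconfig starts and ends outside the hunk.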
@@ -1739,6 +1741,78 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 return (result);
 }
 
+static isc_result_t
+check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
+ isc_log_t *logctx)
+{
+ const char *keystr, *keynamestr;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname;
+ isc_buffer_t keydatabuf;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ isc_uint32_t flags, proto, alg;
+ unsigned char keydata[4096];
+
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+ keyname = dns_fixedname_name(&fkeyname);
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+ if (flags > 0xffff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "flags too big: %u\n", flags);
+ result = ISC_R_FAILURE;
+ }
+ if (proto > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "protocol too big: %u\n", proto);
+ result = ISC_R_FAILURE;
+ }
+ if (alg > 0xff) {
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "algorithm too big: %u\n", alg);
+ result = ISC_R_FAILURE;
+ }
+
+ if (managed) {
+ const char *initmethod;
+ initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+ if (strcasecmp(initmethod, "initial-key") != 0) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "managed key '%s': "
+ "invalid initialization method '%s'",
+ keynamestr, initmethod);
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ tresult = isc_base64_decodestring(keystr, &keydatabuf);
+
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "%s", isc_result_totext(tresult));
+ result = ISC_R_FAILURE;
+ } else {
+ isc_buffer_usedregion(&keydatabuf, &r);
+
+ if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+ r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+ cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+ "%s key '%s' has a weak exponent",
+ managed ? "managed" : "trusted",
+ keynamestr);
+ }
+
+ return (result);
+}
+
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 const char *viewname, dns_rdataclass_t vclass,
@@ -1746,7 +1820,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 {
 const cfg_obj_t *zones = NULL;
 const cfg_obj_t *keys = NULL;
- const cfg_listelt_t *element;
+ const cfg_listelt_t *element, *element2;
 isc_symtab_t *symtab = NULL;
 isc_result_t result = ISC_R_SUCCESS;
 isc_result_t tresult = ISC_R_SUCCESS;
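Review bot: check_trusted_key never validates the key's owner name: `keyname = dns_fixedname_name(&fkeyname);` uses an `fkeyname` that is never passed to dns_fixedname_init, `keyname` is not used again, and `keynamestr` is only echoed in log messages. A trust anchor with a malformed name therefore still passes named-checkconf; either call `dns_fixedname_init(&fkeyname);` and parse `keynamestr` into `keyname`, failing on error, or drop the two unused locals. The key material is likewise only base64-decoded, so data that decodes but is not a well-formed key for `alg` is presumably caught only when named loads it. Separately, the three range checks set `ISC_R_FAILURE` but log at `ISC_LOG_WARNING` with a trailing `\n` that the other cfg_obj_log calls in this function do not have; `ISC_LOG_ERROR` without the newline would match the managed-key branch.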
@@ -1887,6 +1961,53 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
 "'dnssec-validation yes;' and 'dnssec-enable no;'");
 
+ /*
+ * Check trusted-keys and managed-keys.
+ */
+ keys = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "trusted-keys", &keys);
+ if (keys == NULL)
+ (void)cfg_map_get(config, "trusted-keys", &keys);
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *keylist = cfg_listelt_value(element);
+ for (element2 = cfg_list_first(keylist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2)) {
+ obj = cfg_listelt_value(element2);
+ tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+
+ keys = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "managed-keys", &keys);
+ if (keys == NULL)
+ (void)cfg_map_get(config, "managed-keys", &keys);
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *keylist = cfg_listelt_value(element);
+ for (element2 = cfg_list_first(keylist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2)) {
+ obj = cfg_listelt_value(element2);
+ tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+ /*
+ * Check options.
+ */
 if (voptions != NULL)
 tresult = check_options(voptions, logctx, mctx);
 else
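Review bot: The lookup in check_viewconf consults the global `trusted-keys` and `managed-keys` lists only when the view has none (`if (keys == NULL)`), so global entries appear to go unchecked when every view defines its own list. If named loads both the view-level and the global lists (not visible in this patch), both should be checked here rather than one or the other. The two loops differ only in the clause name and the `managed` flag passed to check_trusted_key, so a small static helper taking those two values would remove the duplication. check_viewconf starts and ends outside the hunk.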