Commit 2e743d9b authored by Mark Andrews's avatar Mark Andrews

Squashed commit of the following:

commit 2a0e5695da2e0f701191e2783209ac05c9d01e6c
Author: Mark Andrews <marka@isc.org>
Date:   Thu Aug 31 12:15:05 2017 +1000

    remove 'on' from error message

commit f18a8d699b69be35b938cfe2b30ebb30cd78e814
Author: Mark Andrews <marka@isc.org>
Date:   Thu Aug 31 11:58:41 2017 +1000

    add more cookie-secret named-checkconf tests

commit ca8f5f5f57ccbeb970310866523a909eb411a554
Author: Mark Andrews <marka@isc.org>
Date:   Thu Aug 31 11:31:57 2017 +1000

    properly check algorithm names
parent 5c8de9e2
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
4695. [bug] cookie-secrets were not being properly checked by
named-checkconf. [RT #45886]
4694. [func] dnssec-keygen no longer uses RSASHA1 by default;
the signing algorithm must be specified on
the command line with the "-a" option. Signing
scripts that rely on the existing default behavior
......
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
cookie-algorithm sha1;
cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272fff"; // 168 bits
};
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
cookie-algorithm sha256;
cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f"; // 160 bits
};
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
cookie-algorithm sha1;
cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f"; // 160 bits
};
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
cookie-algorithm sha256;
cookie-secret "b174e3800b6734f73268f15831c957860a8ee1229cfb9039c1514836f53efbed";
};
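Review bot: No fixture here covers the `aes` branch, although this commit fixes the same inverted comparison there; the four new fixtures use only sha1 and sha256. Unless an AES case already exists in the test directory (not visible on this page), add a bad*.conf with `cookie-algorithm aes;` and a secret that is not 128 bits, plus a matching good*.conf. The last fixture also lacks the trailing length comment the other three carry; `// 256 bits` after its cookie-secret would keep them consistent.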
......@@ -32,10 +32,21 @@ havetc() {
for bad in bad*.conf
do
n=`expr $n + 1`
echo "I:checking that named-checkconf detects error in $bad ($n)"
ret=0
echo "I:checking that named-checkconf detects error in $bad"
$CHECKCONF $bad > /dev/null 2>&1
if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
$CHECKCONF $bad > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
done
for good in good*.conf
do
n=`expr $n + 1`
echo "I:checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
done
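Review bot: The bad-config check `$CHECKCONF $bad > /dev/null 2>&1 && ret=1` fails only when named-checkconf exits 0, whereas the form it replaces required an exit status of exactly 1. A crash or assertion failure while parsing a bad*.conf exits with a status above 1 and would now be counted as "error detected". An exact comparison keeps that signal: `$CHECKCONF $bad > /dev/null 2>&1; [ $? = 1 ] || ret=1`. Separately, the message in the good loop reads "detects accepts"; it should be `echo "I:checking that named-checkconf accepts $good ($n)"`.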
......
......@@ -1378,24 +1378,24 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
result = tresult;
if (tresult == ISC_R_SUCCESS &&
strcasecmp(ccalg, "aes") != 0 &&
strcasecmp(ccalg, "aes") == 0 &&
isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"AES cookie-secret must be on 128 bits");
"AES cookie-secret must be 128 bits");
result = ISC_R_RANGE;
}
if (tresult == ISC_R_SUCCESS &&
strcasecmp(ccalg, "sha1") != 0 &&
strcasecmp(ccalg, "sha1") == 0 &&
isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA1 cookie-secret must be on 160 bits");
"SHA1 cookie-secret must be 160 bits");
result = ISC_R_RANGE;
}
if (tresult == ISC_R_SUCCESS &&
strcasecmp(ccalg, "sha256") != 0 &&
strcasecmp(ccalg, "sha256") == 0 &&
isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA256 cookie-secret must be on 256 bits");
"SHA256 cookie-secret must be 256 bits");
result = ISC_R_RANGE;
}
}
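Review bot: The three length checks give the operator no hint of the length that was actually parsed, and they compare a byte count from `isc_buffer_usedlength(&b)` against the *_KEYLENGTH / *_DIGESTLENGTH constants while the messages speak in bits. I would log the observed size in each branch, e.g. `"SHA256 cookie-secret must be 256 bits (got %u)", isc_buffer_usedlength(&b) * 8`. The chain also has no final branch, so if ccalg can hold a name other than aes/sha1/sha256 the secret length goes unchecked. Whether ccalg is constrained earlier is not visible, because check_options starts and ends outside this hunk.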
......