Commit 7c73ac5e authored by Mark Andrews's avatar Mark Andrews

3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve

                        sit-secrets documentation. [RT #36980]
parent 05d81eae
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secrets documentation. [RT #36980]
3933. [bug] Corrected the implementation of dns_rdata_casecompare()
for the HIP rdata type. [RT #36911]
......
options {
sit-secret "012345678901234567890123456789012345678901234567890123456789012";
};
options {
sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
};
......@@ -32,6 +32,15 @@ havetc() {
grep 'flags:.* tc[^;]*;' $1 > /dev/null
}
for bad in bad*.conf
do
ret=0
echo "I:checking that named-checkconf detects error in $bad"
$CHECKCONF $bad > /dev/null 2>&1
if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
done
n=`expr $n + 1`
echo "I:checking SIT token returned to empty SIT option ($n)"
ret=0
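Review bot: The loop at `for bad in bad*.conf` discards named-checkconf's output, so when one of the bad files is unexpectedly accepted (or the tool crashes) the log shows only `I:failed` with no record of what was printed; redirecting to a per-file log, e.g. `$CHECKCONF $bad > checkconf.$bad.out 2>&1`, keeps the diagnostic for whoever reads the failed run. The strict `[ $? != 1 ]` expectation is reasonable, but it reports a crash exit the same way as an accepted config, which only the saved output would tell apart. Unlike the check that follows it, the loop never advances `$n`, so these cases lack the `($n)` sequence number the rest of the script prints. `$status` and `$n` are presumably initialised earlier in the script, outside this hunk.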
......
......@@ -6421,12 +6421,16 @@ options {
</varlistentry>
<varlistentry>
<term><command>sit-secret</command></term> <listitem>
<term><command>sit-secret</command></term>
<listitem>
<para>
If set, this is a shared secret used for generating
and verifying Source Identity Token EDNS options
within a anycast cluster. If not set the system
will generate a random secret at startup.
will generate a random secret at startup. The
shared secret is encoded as a hex string and needs
to be 128 bits for AES128, 160 bits for SHA1 and
256 bits for SHA256.
</para>
</listitem>
</varlistentry>
......
......@@ -24,10 +24,12 @@
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/file.h>
#include <isc/hex.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
......@@ -35,6 +37,18 @@
#include <isc/symtab.h>
#include <isc/util.h>
#ifdef ISC_PLATFORM_USESIT
#ifdef AES_SIT
#include <isc/aes.h>
#endif
#ifdef HMAC_SHA1_SIT
#include <isc/sha1.h>
#endif
#ifdef HMAC_SHA256_SIT
#include <isc/sha2.h>
#endif
#endif
#include <dns/acl.h>
#include <dns/fixedname.h>
#include <dns/rdataclass.h>
......@@ -1186,6 +1200,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"(%d seconds)", recheck, lifetime);
}
#ifdef ISC_PLATFORM_USESIT
obj = NULL;
(void) cfg_map_get(options, "sit-secret", &obj);
if (obj != NULL) {
isc_buffer_t b;
unsigned char secret[32];
memset(secret, 0, sizeof(secret));
isc_buffer_init(&b, secret, sizeof(secret));
tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b);
if (tresult == ISC_R_NOSPACE) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"sit-secret: too long");
} else if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"sit-secret: invalid hex string");
}
if (tresult != ISC_R_SUCCESS)
result = tresult;
#ifdef AES_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"AES sit-secret must be on 128 bits");
result = ISC_R_RANGE;
}
#endif
#ifdef HMAC_SHA1_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA1 sit-secret must be on 160 bits");
result = ISC_R_RANGE;
}
#endif
#ifdef HMAC_SHA256_SIT
if (tresult == ISC_R_SUCCESS &&
isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA256 sit-secret must be on 256 bits");
result = ISC_R_RANGE;
}
#endif
}
#endif
return (result);
}
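Review bot: The three range messages read `AES sit-secret must be on 128 bits` (and likewise for SHA1 and SHA256); `must be 128 bits` is the grammatical form and matches the wording this same commit adds to the documentation. The decoded key is left in the stack buffer `secret[]` when the block exits; if this routine is also run by named at configuration load rather than only by named-checkconf, wiping it before leaving the block is cheap insurance, bearing in mind that a plain `memset(secret, 0, sizeof(secret))` at end of scope can be optimised away, so the tree's secure-wipe helper should be used if one exists. The three `#ifdef` blocks repeat the same `isc_buffer_usedlength(&b) != ...` test with only the constant and the label differing; choosing the expected length once per build and comparing a single time would shorten the hunk and keep the messages in one place. check_options begins before this hunk; only its tail is visible here.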
......