Commit ff6de396 authored by Mark Andrews's avatar Mark Andrews

3701. [func] named-checkconf can now suppress the printing of

                        shared secrets by specifying '-x'. [RT #34465]
parent 57a46f4b
3701. [func] named-checkconf can now suppress the printing of
shared secrets by specifying '-x'. [RT #34465]
3700. [func] Allow access to subgroups of XML statistics via
special URLs http://<server>:<port>/xml/v3/server,
/zones, /net, /tasks, /mem, and /status. [RT #35115]
......
......@@ -482,10 +482,11 @@ main(int argc, char **argv) {
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
isc_boolean_t print = ISC_FALSE;
unsigned int flags = 0;
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
switch (c) {
case 'd':
debug++;
......@@ -512,6 +513,10 @@ main(int argc, char **argv) {
printf(VERSION "\n");
exit(0);
case 'x':
flags |= CFG_PRINTER_XKEY;
break;
case 'z':
load_zones = ISC_TRUE;
docheckmx = ISC_FALSE;
......@@ -534,6 +539,11 @@ main(int argc, char **argv) {
}
}
if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
fprintf(stderr, "%s: -x cannot be used without -p\n", program);
exit(1);
}
if (isc_commandline_index + 1 < argc)
usage();
if (argv[isc_commandline_index] != NULL)
......@@ -574,7 +584,7 @@ main(int argc, char **argv) {
}
if (print && exit_status == 0)
cfg_print(config, output, NULL);
cfg_printx(config, flags, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
......
......@@ -60,6 +60,7 @@
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
<arg><option>-p</option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
......@@ -129,6 +130,21 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <filename>named.conf</filename> and related
files to be shared &mdash; for example, when submitting
bug reports &mdash; without compromising private data.
This option cannot be used without <option>-p</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
......
......@@ -126,3 +126,7 @@ view "third" {
};
};
};
key "mykey" {
algorithm "hmac-md5";
secret "qwertyuiopasdfgh";
};
......@@ -34,6 +34,16 @@ cmp good.conf.in good.conf.out || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking that named-checkconf -x removes secrets"
ret=0
# ensure there is a secret and that it is not the check string.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
for bad in bad*.conf
do
ret=0
......
......@@ -406,10 +406,20 @@ void
cfg_print(const cfg_obj_t *obj,
void (*f)(void *closure, const char *text, int textlen),
void *closure);
void
cfg_printx(const cfg_obj_t *obj, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure);
#define CFG_PRINTER_XKEY 0x1 /* '?' out shared keys. */
/*%<
* Print the configuration object 'obj' by repeatedly calling the
* function 'f', passing 'closure' and a region of text starting
* at 'text' and comprising 'textlen' characters.
*
* If CFG_PRINTER_XKEY the contents of shared keys will be obscured
* by replacing them with question marks ('?')
*/
void
......
......@@ -86,6 +86,7 @@ struct cfg_printer {
void (*f)(void *closure, const char *text, int textlen);
void *closure;
int indent;
int flags;
};
/*% A clause definition. */
......@@ -271,6 +272,7 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sstring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddrdscp;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
......@@ -319,6 +321,9 @@ cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
isc_result_t
cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
isc_result_t
cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
isc_result_t
cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
......
......@@ -1773,7 +1773,7 @@ static cfg_type_t cfg_type_dynamically_loadable_zones_opts = {
static cfg_clausedef_t
key_clauses[] = {
{ "algorithm", &cfg_type_astring, 0 },
{ "secret", &cfg_type_astring, 0 },
{ "secret", &cfg_type_sstring, 0 },
{ NULL, NULL, 0 }
};
......
......@@ -182,15 +182,23 @@ void
cfg_print(const cfg_obj_t *obj,
void (*f)(void *closure, const char *text, int textlen),
void *closure)
{
cfg_printx(obj, 0, f, closure);
}
void
cfg_printx(const cfg_obj_t *obj, unsigned int flags,
void (*f)(void *closure, const char *text, int textlen),
void *closure)
{
cfg_printer_t pctx;
pctx.f = f;
pctx.closure = closure;
pctx.indent = 0;
pctx.flags = flags;
obj->type->print(&pctx, obj);
}
/* Tuples. */
isc_result_t
......@@ -762,6 +770,22 @@ cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
return (result);
}
isc_result_t
cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
UNUSED(type);
CHECK(cfg_getstringtoken(pctx));
return (create_string(pctx,
TOKEN_STRING(pctx),
&cfg_type_sstring,
ret));
cleanup:
return (result);
}
isc_boolean_t
cfg_is_enum(const char *s, const char *const *enums) {
const char * const *p;
......@@ -818,6 +842,18 @@ print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
cfg_print_chars(pctx, "\"", 1);
}
static void
print_sstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
cfg_print_chars(pctx, "\"", 1);
if ((pctx->flags & CFG_PRINTER_XKEY) != 0) {
unsigned int len = obj->value.string.length;
while (len-- > 0)
cfg_print_chars(pctx, "?", 1);
} else
cfg_print_ustring(pctx, obj);
cfg_print_chars(pctx, "\"", 1);
}
static void
free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
isc_mem_put(pctx->mctx, obj->value.string.base,
......@@ -854,6 +890,15 @@ cfg_type_t cfg_type_astring = {
&cfg_rep_string, NULL
};
/*
* Any string (quoted or unquoted); printed with quotes.
* If CFG_PRINTER_XKEY is set when printing the string will be '?' out.
*/
cfg_type_t cfg_type_sstring = {
"string", cfg_parse_sstring, print_sstring, cfg_doc_terminal,
&cfg_rep_string, NULL
};
/*
* Booleans
*/
......@@ -2555,5 +2600,6 @@ cfg_print_grammar(const cfg_type_t *type,
pctx.f = f;
pctx.closure = closure;
pctx.indent = 0;
pctx.flags = 0;
cfg_doc_obj(&pctx, type);
}
......@@ -44,6 +44,7 @@ cfg_parser_create
cfg_parser_destroy
cfg_parser_setcallback
cfg_print
cfg_printx
cfg_tuple_get
; Exported Data
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment