File bsc1161168-cookie-secrets-were-not-being-proper... of Package bind.14040

Overview Repositories Revisions Requests Users Attributes Meta

File bsc1161168-cookie-secrets-were-not-being-properly-checked-by-named-checkconf.patch of Package bind.14040

From 6e1f755f19ef244422e1efa4551fe23775e1a38c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 31 Aug 2017 12:19:37 +1000
Subject: [PATCH] 4695.   [bug]           cookie-secrets were not being
 properly checked by                         named-checkconf. [RT #45886]
 (cherry picked from commit 2e743d9bdc61132183b9965e37fbe8418e3beb8a)

---
 CHANGES                                           |  3 +++
 bin/tests/system/cookie/bad-cookie-badsha1.conf   | 12 ++++++++++++
 bin/tests/system/cookie/bad-cookie-badsha256.conf | 12 ++++++++++++
 bin/tests/system/cookie/good-cookie-sha1.conf     | 12 ++++++++++++
 bin/tests/system/cookie/good-cookie-sha256.conf   | 12 ++++++++++++
 bin/tests/system/cookie/tests.sh                  | 17 ++++++++++++++---
 lib/bind9/check.c                                 | 12 ++++++------
 7 files changed, 71 insertions(+), 9 deletions(-)
 create mode 100644 bin/tests/system/cookie/bad-cookie-badsha1.conf
 create mode 100644 bin/tests/system/cookie/bad-cookie-badsha256.conf
 create mode 100644 bin/tests/system/cookie/good-cookie-sha1.conf
 create mode 100644 bin/tests/system/cookie/good-cookie-sha256.conf

diff --git a/CHANGES b/CHANGES
index 4f12d9f33c..770c5a01a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
 			computation bug. [RT #45854]
 
+4695.	[bug]		cookie-secrets were not being properly checked by
+			named-checkconf. [RT #45886]
+
 	--- 9.11.2-P1 released ---

4858.	[security]	Addresses could be referenced after being freed
diff --git a/bin/tests/system/cookie/bad-cookie-badsha1.conf b/bin/tests/system/cookie/bad-cookie-badsha1.conf
new file mode 100644
index 0000000000..a2c91d83c8
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsha1.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+	cookie-algorithm sha1;
+	cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272fff";  // 168 bits
+};
diff --git a/bin/tests/system/cookie/bad-cookie-badsha256.conf b/bin/tests/system/cookie/bad-cookie-badsha256.conf
new file mode 100644
index 0000000000..701a4a9de0
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsha256.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+	cookie-algorithm sha256;
+        cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f";  // 160 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-sha1.conf b/bin/tests/system/cookie/good-cookie-sha1.conf
new file mode 100644
index 0000000000..1de15ed79c
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-sha1.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+	cookie-algorithm sha1;
+        cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f";  // 160 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-sha256.conf b/bin/tests/system/cookie/good-cookie-sha256.conf
new file mode 100644
index 0000000000..b91ee17e17
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-sha256.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+	cookie-algorithm sha256;
+	cookie-secret "b174e3800b6734f73268f15831c957860a8ee1229cfb9039c1514836f53efbed";
+};
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
index 5b66a87003..8695ffff80 100755
--- a/bin/tests/system/cookie/tests.sh
+++ b/bin/tests/system/cookie/tests.sh
@@ -32,10 +32,21 @@ havetc() {
 
 for bad in bad*.conf
 do
+	n=`expr $n + 1`
+        echo "I:checking that named-checkconf detects error in $bad ($n)"
         ret=0
-        echo "I:checking that named-checkconf detects error in $bad"
-        $CHECKCONF $bad > /dev/null 2>&1
-        if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
+        $CHECKCONF $bad > /dev/null 2>&1 && ret=1
+        if [ $ret != 0 ]; then echo "I:failed"; fi
+        status=`expr $status + $ret`
+done
+
+for good in good*.conf
+do
+	n=`expr $n + 1`
+        echo "I:checking that named-checkconf detects accepts $good ($n)"
+        ret=0
+        $CHECKCONF $good > /dev/null 2>&1 || ret=1
+        if [ $ret != 0 ]; then echo "I:failed"; fi
         status=`expr $status + $ret`
 done
 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d8ffa057fc..0d755741ba 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1377,24 +1377,24 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 			result = tresult;
 
 		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(ccalg, "aes") != 0 &&
+		    strcasecmp(ccalg, "aes") == 0 &&
 		    isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "AES cookie-secret must be on 128 bits");
+				    "AES cookie-secret must be 128 bits");
 			result = ISC_R_RANGE;
 		}
 		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(ccalg, "sha1") != 0 &&
+		    strcasecmp(ccalg, "sha1") == 0 &&
 		    isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "SHA1 cookie-secret must be on 160 bits");
+				    "SHA1 cookie-secret must be 160 bits");
 			result = ISC_R_RANGE;
 		}
 		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(ccalg, "sha256") != 0 &&
+		    strcasecmp(ccalg, "sha256") == 0 &&
 		    isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "SHA256 cookie-secret must be on 256 bits");
+				    "SHA256 cookie-secret must be 256 bits");
 			result = ISC_R_RANGE;
 		}
 	}
-- 
2.16.4

Places

File bsc1161168-cookie-secrets-were-not-being-properly-checked-by-named-checkconf.patch of Package bind.14040

Places