File bsc1161168-cookie-secrets-were-not-being-properly-checked-by-named-checkconf.patch of Package bind.14040
From 6e1f755f19ef244422e1efa4551fe23775e1a38c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 31 Aug 2017 12:19:37 +1000
Subject: [PATCH] 4695. [bug] cookie-secrets were not being properly checked by named-checkconf. [RT #45886]

(cherry picked from commit 2e743d9bdc61132183b9965e37fbe8418e3beb8a)
---
 CHANGES | 3 +++
 bin/tests/system/cookie/bad-cookie-badsha1.conf | 12 ++++++++++++
 bin/tests/system/cookie/bad-cookie-badsha256.conf | 12 ++++++++++++
 bin/tests/system/cookie/good-cookie-sha1.conf | 12 ++++++++++++
 bin/tests/system/cookie/good-cookie-sha256.conf | 12 ++++++++++++
 bin/tests/system/cookie/tests.sh | 17 ++++++++++++++---
 lib/bind9/check.c | 12 ++++++------
 7 files changed, 71 insertions(+), 9 deletions(-)
 create mode 100644 bin/tests/system/cookie/bad-cookie-badsha1.conf
 create mode 100644 bin/tests/system/cookie/bad-cookie-badsha256.conf
 create mode 100644 bin/tests/system/cookie/good-cookie-sha1.conf
 create mode 100644 bin/tests/system/cookie/good-cookie-sha256.conf
diff --git a/CHANGES b/CHANGES
index 4f12d9f33c..770c5a01a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 4697. [bug] Restore workaround for Microsoft Windows TSIG hash computation bug. [RT #45854]
+4695. [bug] cookie-secrets were not being properly checked by
+ named-checkconf. [RT #45886]
+
 --- 9.11.2-P1 released ---
 4858. [security] Addresses could be referenced after being freed
diff --git a/bin/tests/system/cookie/bad-cookie-badsha1.conf b/bin/tests/system/cookie/bad-cookie-badsha1.conf
new file mode 100644
index 0000000000..a2c91d83c8
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsha1.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ cookie-algorithm sha1;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272fff"; // 168 bits
+};
diff --git a/bin/tests/system/cookie/bad-cookie-badsha256.conf b/bin/tests/system/cookie/bad-cookie-badsha256.conf
new file mode 100644
index 0000000000..701a4a9de0
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsha256.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ cookie-algorithm sha256;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f"; // 160 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-sha1.conf b/bin/tests/system/cookie/good-cookie-sha1.conf
new file mode 100644
index 0000000000..1de15ed79c
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-sha1.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ cookie-algorithm sha1;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fafba4272f"; // 160 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-sha256.conf b/bin/tests/system/cookie/good-cookie-sha256.conf
new file mode 100644
index 0000000000..b91ee17e17
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-sha256.conf
@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+ cookie-algorithm sha256;
+ cookie-secret "b174e3800b6734f73268f15831c957860a8ee1229cfb9039c1514836f53efbed";
+};
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
index 5b66a87003..8695ffff80 100755
--- a/bin/tests/system/cookie/tests.sh
+++ b/bin/tests/system/cookie/tests.sh
@@ -32,10 +32,21 @@ havetc() {
 for bad in bad*.conf
 do
+ n=`expr $n + 1`
+ echo "I:checking that named-checkconf detects error in $bad ($n)"
 ret=0
- echo "I:checking that named-checkconf detects error in $bad"
- $CHECKCONF $bad > /dev/null 2>&1
- if [ $? != 1 ]; then echo "I:failed"; ret=1; fi
+ $CHECKCONF $bad > /dev/null 2>&1 && ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+done
+
+for good in good*.conf
+do
+ n=`expr $n + 1`
+ echo "I:checking that named-checkconf detects accepts $good ($n)"
+ ret=0
+ $CHECKCONF $good > /dev/null 2>&1 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 done
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d8ffa057fc..0d755741ba 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
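Review bot: The rewritten `bad*.conf` loop in tests.sh now accepts any non-zero exit from `$CHECKCONF` as a detected error, where the removed line required exactly status 1 (`if [ $? != 1 ]`). A named-checkconf that aborts or dies on a signal while parsing a bad fixture would therefore pass; `$CHECKCONF $bad > /dev/null 2>&1; [ $? -eq 1 ] || ret=1` keeps the stricter check. Because output goes to /dev/null, a fixture rejected for an unrelated reason also passes, so capturing the output and grepping for `cookie-secret must be` would tie each bad fixture to the length check this commit fixes. The new message in the `good*.conf` loop reads "detects accepts" and should be `echo "I:checking that named-checkconf accepts $good ($n)"`.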
@@ -1377,24 +1377,24 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 result = tresult;
 if (tresult == ISC_R_SUCCESS &&
- strcasecmp(ccalg, "aes") != 0 &&
+ strcasecmp(ccalg, "aes") == 0 &&
 isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "AES cookie-secret must be on 128 bits");
+ "AES cookie-secret must be 128 bits");
 result = ISC_R_RANGE;
 }
 if (tresult == ISC_R_SUCCESS &&
- strcasecmp(ccalg, "sha1") != 0 &&
+ strcasecmp(ccalg, "sha1") == 0 &&
 isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "SHA1 cookie-secret must be on 160 bits");
+ "SHA1 cookie-secret must be 160 bits");
 result = ISC_R_RANGE;
 }
 if (tresult == ISC_R_SUCCESS &&
- strcasecmp(ccalg, "sha256") != 0 &&
+ strcasecmp(ccalg, "sha256") == 0 &&
 isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "SHA256 cookie-secret must be on 256 bits");
+ "SHA256 cookie-secret must be 256 bits");
 result = ISC_R_RANGE;
 }
 }
-- 
2.16.4
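Review bot: The AES length check is left without a fixture: the commit creates good and bad configs only for sha1 and sha256, although the `strcasecmp(ccalg, "aes")` comparison was inverted in the same way. An aes counterpart to `good-cookie-sha1.conf` and `bad-cookie-badsha1.conf` (a 128-bit secret, and one of a different length) would cover that branch; a `bad*.conf` already in the directory may do part of this, which the patch does not show. Separately, a `ccalg` that matches none of the three names skips every length check. Whether the algorithm name is restricted earlier cannot be seen here, because check_options starts and ends outside the hunk.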