Report information
The Basics
Id:
45886
Status:
resolved
Priority:
Low/Low
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Mark Andrews <marka@isc.org>
Cc:
AdminCc:
BugTracker
Version Fixed:
9.11.3, 9.12.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
bug
Dates
Created:Wed, 30 Aug 2017 21:29:34 -0400
Updated:Tue, 30 Jan 2018 06:36:09 -0500
Closed:Wed, 30 Aug 2017 23:31:56 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Wed, 30 Aug 2017 21:29:35 -0400 Mark Andrews <marka@isc.org> - Ticket created
Subject: cookie-secret lengths are not being properly checked by named-checkconf
Date: Wed, 30 Aug 2017 15:29:33 -1000
To: bind9-public@isc.org
From: marka@isc.org

diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d8ffa057fc..21c8ad790f 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1377,21 +1377,21 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, result = tresult; if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "aes") != 0 && + strcasecmp(ccalg, "aes") == 0 && isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "AES cookie-secret must be on 128 bits"); result = ISC_R_RANGE; } if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "sha1") != 0 && + strcasecmp(ccalg, "sha1") == 0 && isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "SHA1 cookie-secret must be on 160 bits"); result = ISC_R_RANGE; } if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "sha256") != 0 && + strcasecmp(ccalg, "sha256") == 0 && isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "SHA256 cookie-secret must be on 256 bits");
  Wed, 30 Aug 2017 21:59:58 -0400 Mark Andrews <marka@isc.org> - Correspondence added

ready for review
Wed, 30 Aug 2017 21:59:59 -0400 The RT System itself - Status changed from 'new' to 'open'
Wed, 30 Aug 2017 21:59:59 -0400 Mark Andrews <marka@isc.org> - Status changed from 'open' to 'review'
Wed, 30 Aug 2017 22:08:03 -0400 Evan Hunt <Evan_Hunt@isc.org> - Given to Mark Andrews <marka@isc.org>
Wed, 30 Aug 2017 23:31:55 -0400 Mark Andrews <marka@isc.org> - Version Fixed 9.11.3, 9.12.0 added
  Wed, 30 Aug 2017 23:31:55 -0400 Mark Andrews <marka@isc.org> - Correspondence added

4695. [bug] cookie-secrets were not being properly checked by named-checkconf. [RT #45886]
Wed, 30 Aug 2017 23:31:56 -0400 Mark Andrews <marka@isc.org> - Status changed from 'review' to 'resolved'
Wed, 30 Aug 2017 23:31:56 -0400 Mark Andrews <marka@isc.org> - Untaken
Tue, 30 Jan 2018 06:36:09 -0500 Michał Kępień <michal@isc.org> - Reference by #46662: added