Content-Type: text/plain; charset="utf-8" X-Mailer: MIME-tools 5.508 (Entity 5.508) Subject: cookie-secret lengths are not being properly checked by named-checkconf MIME-Version: 1.0 Message-ID: Date: Wed, 30 Aug 2017 15:29:33 -1000 To: bind9-public@isc.org Content-Disposition: inline X-RT-Interface: Web From: marka@isc.org Content-Transfer-Encoding: binary X-RT-Original-Encoding: utf-8 Content-Length: 1530 diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d8ffa057fc..21c8ad790f 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1377,21 +1377,21 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, result = tresult; if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "aes") != 0 && + strcasecmp(ccalg, "aes") == 0 && isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "AES cookie-secret must be on 128 bits"); result = ISC_R_RANGE; } if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "sha1") != 0 && + strcasecmp(ccalg, "sha1") == 0 && isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "SHA1 cookie-secret must be on 160 bits"); result = ISC_R_RANGE; } if (tresult == ISC_R_SUCCESS && - strcasecmp(ccalg, "sha256") != 0 && + strcasecmp(ccalg, "sha256") == 0 && isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "SHA256 cookie-secret must be on 256 bits");
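Review bot: the three flipped comparisons in check_options() come with no test, and lib/bind9/check.c is the only file in the diff, so nothing guards against the sense of `strcasecmp(ccalg, "aes") == 0` (and the sha1 and sha256 equivalents) being inverted again. Please add named-checkconf cases that give each of aes, sha1 and sha256 one cookie-secret of the required length (128, 160 and 256 bits per the messages) and one of a wrong length, asserting acceptance and ISC_R_RANGE respectively. With the old `!= 0` each length check ran only for the algorithms that were not selected, so a correctly sized secret was measured against the other algorithms' lengths; a test of that shape would have caught it. Minor wording point on the context lines: "must be on 128 bits" reads better as "must be 128 bits", and likewise for the other two messages.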