named-checkconf needs to know if named will be running in FIPS mode

Call dst_lib_init to set FIPS mode if it was turned on at configure
time.

Check that named-checkconf reports dnssec policies that won't work in
FIPS mode if named would be running in FIPS mode.
Mark Andrews
2022-07-12 09:09:57 +10:00
parent d7cc90c032
commit d42b636d5a
3 changed files with 12 additions and 3 deletions


@@ -720,6 +720,8 @@ main(int argc, char **argv) {
RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
if (nodeprecate) {
@@ -748,12 +750,15 @@ main(int argc, char **argv) {
if (print && exit_status == 0) {
cfg_printx(config, flags, output, NULL);
}
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
isc_log_destroy(&logc);
dst_lib_destroy();
isc_mem_destroy(&mctx);
return (exit_status);
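Review bot: The new `dst_lib_init(mctx, NULL)` call has no comment explaining why named-checkconf now initialises DST, and the reason (so that FIPS mode, when enabled at configure time, is in force while the dnssec-policy checks run, giving the same result named would) lives only in the commit message. Suggest a comment above the call: `/* Initialise DST so FIPS mode, if enabled at configure time, applies to the dnssec-policy checks below. */`. Wrapping it in RUNTIME_CHECK matches the neighbouring calls and means a crypto provider that cannot be initialised aborts the tool instead of silently checking under non-FIPS rules, which is the safe direction. The matching `dst_lib_destroy()` in the second hunk sits on the normal exit path only; main's body between and around the hunks is outside this view, so any early-exit paths would need the same teardown and are worth confirming.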


@@ -13,7 +13,7 @@
dnssec-policy "bad-keylen" {
keys {
csk lifetime P10Y algorithm rsasha1 511;
csk lifetime P10Y algorithm rsasha256 511;
};
};


@@ -536,7 +536,11 @@ n=`expr $n + 1`
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
if $FEATURETEST --have-fips-mode; then
grep "dnssec-policy: algorithm rsasha1 not supported in FIPS mode" < checkconf.out$n > /dev/null || ret=1
else
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -544,7 +548,7 @@ n=`expr $n + 1`
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
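Review bot: The FIPS branch of the new `if $FEATURETEST --have-fips-mode` block asserts only the "not supported in FIPS mode" message and no longer asserts the nsec3 diagnostic, and nothing in the script says why the two messages are expected to be mutually exclusive. Presumably the algorithm is rejected before the nsec3/algorithm compatibility check runs in FIPS mode; a comment on the branch would make that explicit: `# In FIPS mode rsasha1 is rejected outright, so the nsec3 diagnostic is not expected`. Both greps are unanchored substring matches, which is acceptable here because the two messages do not overlap. The same reasoning applies to the second hunk, where the fixture now uses rsasha256 so the key-length diagnostic is exercised independently of FIPS mode, and a one-line comment there would help the next reader.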