Commit 5ac42705 authored by Mark Andrews's avatar Mark Andrews

4360. [bug] Silence spurious 'bad key type' message when there is

                        a existing TSIG key. [RT #42195]
parent 594d15df
4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
4359. [bug] Inherited 'also-notify' lists were not being checked
by named-checkconf. [RT #42174]
......
......@@ -30,6 +30,7 @@
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
......@@ -473,6 +474,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
isc_uint16_t id, oldid;
isc_uint32_t rid, roldid;
dns_secalg_t alg;
char filename[ISC_DIR_NAMEMAX];
isc_buffer_t fileb;
if (exact != NULL)
*exact = ISC_FALSE;
......@@ -481,6 +484,28 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
/*
* For HMAC and Diffie Hellman just check if there is a
* direct collision as they can't be revoked. Additionally
* dns_dnssec_findmatchingkeys only handles DNSKEY which is
* not used for HMAC.
*/
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
case DST_ALG_DH:
isc_buffer_init(&fileb, filename, sizeof(filename));
result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE,
dir, &fileb);
if (result != ISC_R_SUCCESS)
return (ISC_TRUE);
return (isc_file_exists(filename));
}
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
......
......@@ -24,3 +24,5 @@ rm -f dig.out.*
rm -f */named.memstats
rm -f */named.run
rm -f ns*/named.lock
rm -f Kexample.net.+163+*
rm -f keygen.out?
#!/bin/sh
#
# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
sh clean.sh
......@@ -233,6 +233,15 @@ grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
exit $status
echo "I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
ret=0
$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
exit $status
......@@ -1411,6 +1411,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist)
{
const char *digits = "0123456789";
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t dir_open = ISC_FALSE;
dns_dnsseckeylist_t list;
......@@ -1419,7 +1420,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
dst_key_t *dstkey = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
isc_buffer_t b;
unsigned int len, i;
unsigned int len, i, alg;
REQUIRE(keylist != NULL);
ISC_LIST_INIT(list);
......@@ -1442,11 +1443,20 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
continue;
for (i = len + 1 + 1; i < dir.entry.length ; i++)
alg = 0;
for (i = len + 1 + 1; i < dir.entry.length ; i++) {
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
break;
alg *= 10;
alg += strchr(digits, dir.entry.name[i]) - digits;
}
if (i == len + 1 + 1 || i >= dir.entry.length ||
/*
* Did we not read exactly 3 digits?
* Did we overflow?
* Did we correctly terminate?
*/
if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
dir.entry.name[i] != '+')
continue;
......@@ -1454,7 +1464,13 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
break;
if (strcmp(dir.entry.name + i, ".private") != 0)
/*
* Did we not read exactly 5 more digits?
* Did we overflow?
* Did we correctly terminate?
*/
if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
strcmp(dir.entry.name + i, ".private") != 0)
continue;
dstkey = NULL;
......@@ -1464,6 +1480,17 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
DST_TYPE_PRIVATE,
mctx, &dstkey);
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
if (result == DST_R_BADKEYTYPE)
continue;
}
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_GENERAL,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment