ISC Open Source Projects
BIND
Commits
5ac42705
Commit
5ac42705
authored
May 05, 2016
by
Mark Andrews
4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
parent
594d15df
Changes
6
CHANGES
4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
4359. [bug] Inherited 'also-notify' lists were not being checked
by named-checkconf. [RT #42174]
...
...
bin/dnssec/dnssectool.c
...
...
@@ -30,6 +30,7 @@
#include
<isc/commandline.h>
#include
<isc/dir.h>
#include
<isc/entropy.h>
#include
<isc/file.h>
#include
<isc/heap.h>
#include
<isc/list.h>
#include
<isc/mem.h>
...
...
@@ -473,6 +474,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
isc_uint16_t
id
,
oldid
;
isc_uint32_t
rid
,
roldid
;
dns_secalg_t
alg
;
char
filename
[
ISC_DIR_NAMEMAX
];
isc_buffer_t
fileb
;
if
(
exact
!=
NULL
)
*
exact
=
ISC_FALSE
;
...
...
@@ -481,6 +484,28 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
rid
=
dst_key_rid
(
dstkey
);
alg
=
dst_key_alg
(
dstkey
);
/*
* For HMAC and Diffie Hellman just check if there is a
* direct collision as they can't be revoked. Additionally
* dns_dnssec_findmatchingkeys only handles DNSKEY which is
* not used for HMAC.
*/
switch
(
alg
)
{
case
DST_ALG_HMACMD5
:
case
DST_ALG_HMACSHA1
:
case
DST_ALG_HMACSHA224
:
case
DST_ALG_HMACSHA256
:
case
DST_ALG_HMACSHA384
:
case
DST_ALG_HMACSHA512
:
case
DST_ALG_DH
:
isc_buffer_init
(
&
fileb
,
filename
,
sizeof
(
filename
));
result
=
dst_key_buildfilename
(
dstkey
,
DST_TYPE_PRIVATE
,
dir
,
&
fileb
);
if
(
result
!=
ISC_R_SUCCESS
)
return
(
ISC_TRUE
);
return
(
isc_file_exists
(
filename
));
}
ISC_LIST_INIT
(
matchkeys
);
result
=
dns_dnssec_findmatchingkeys
(
name
,
dir
,
mctx
,
&
matchkeys
);
if
(
result
==
ISC_R_NOTFOUND
)
...
...
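Review bot: In the new HMAC/DH branch of key_collision, a failure of `dst_key_buildfilename` is reported as a collision by `return (ISC_TRUE);`, with no comment and no message. Failing closed is the safe direction because it never lets an existing private key file be treated as absent, but if the caller regenerates the key on a collision (not visible in this hunk), a persistent failure such as a `dir` too long for `filename[ISC_DIR_NAMEMAX]` would look like an endless run of collisions. I would add `/* Cannot build the file name: report a collision rather than risk overwriting a key. */` above that return and consider reporting the error to the user instead. The `isc_file_exists` result is also only a point-in-time check, so it does not guard against another process creating the same file before the key is written. key_collision starts and ends outside the hunks shown.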
bin/tests/system/tsig/clean.sh
...
...
@@ -24,3 +24,5 @@ rm -f dig.out.*
rm
-f
*
/named.memstats
rm
-f
*
/named.run
rm
-f
ns
*
/named.lock
rm
-f
Kexample.net.+163+
*
rm
-f
keygen.out?
bin/tests/system/tsig/setup.sh
0 → 100644
#!/bin/sh
#
# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
sh clean.sh
bin/tests/system/tsig/tests.sh
...
...
@@ -233,6 +233,15 @@ grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
if
[
$ret
-eq
1
]
;
then
echo
"I: failed"
;
status
=
1
fi
exit
$status
echo
"I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
ret
=
0
$KEYGEN
-a
hmac-sha256
-b
128
-n
host example.net
>
keygen.out1 2>&1
||
ret
=
1
grep
dns_dnssec_findmatchingkeys keygen.out1
>
/dev/null
&&
ret
=
1
$KEYGEN
-a
hmac-sha256
-b
128
-n
host example.net
>
keygen.out2 2>&1
||
ret
=
1
grep
dns_dnssec_findmatchingkeys keygen.out2
>
/dev/null
&&
ret
=
1
if
[
$ret
-eq
1
]
;
then
echo
"I: failed"
;
status
=
1
fi
exit
$status
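Review bot: Both new checks are negative greps for `dns_dnssec_findmatchingkeys`, so they pass vacuously if the warning text is ever reworded or if the tool prints nothing at all. Pairing them with a positive check that the second run really produced a key would tie the test to the behaviour being protected, for example `grep "^Kexample.net.+163+" keygen.out2 > /dev/null || ret=1`. That line assumes dnssec-keygen prints the key's base name on success, which should be confirmed against the tool's output.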
lib/dns/dnssec.c
...
...
@@ -1411,6 +1411,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
isc_stdtime_t
now
,
isc_mem_t
*
mctx
,
dns_dnsseckeylist_t
*
keylist
)
{
const
char
*
digits
=
"0123456789"
;
isc_result_t
result
=
ISC_R_SUCCESS
;
isc_boolean_t
dir_open
=
ISC_FALSE
;
dns_dnsseckeylist_t
list
;
...
...
@@ -1419,7 +1420,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
dst_key_t
*
dstkey
=
NULL
;
char
namebuf
[
DNS_NAME_FORMATSIZE
];
isc_buffer_t
b
;
unsigned
int
len
,
i
;
unsigned
int
len
,
i
,
alg
;
REQUIRE
(
keylist
!=
NULL
);
ISC_LIST_INIT
(
list
);
...
...
@@ -1442,11 +1443,20 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
strncasecmp
(
dir
.
entry
.
name
+
1
,
namebuf
,
len
)
!=
0
)
continue
;
for
(
i
=
len
+
1
+
1
;
i
<
dir
.
entry
.
length
;
i
++
)
alg
=
0
;
for
(
i
=
len
+
1
+
1
;
i
<
dir
.
entry
.
length
;
i
++
)
{
if
(
dir
.
entry
.
name
[
i
]
<
'0'
||
dir
.
entry
.
name
[
i
]
>
'9'
)
break
;
alg
*=
10
;
alg
+=
strchr
(
digits
,
dir
.
entry
.
name
[
i
])
-
digits
;
}
if
(
i
==
len
+
1
+
1
||
i
>=
dir
.
entry
.
length
||
/*
* Did we not read exactly 3 digits?
* Did we overflow?
* Did we correctly terminate?
*/
if
(
i
!=
len
+
1
+
1
+
3
||
i
>=
dir
.
entry
.
length
||
dir
.
entry
.
name
[
i
]
!=
'+'
)
continue
;
...
...
@@ -1454,7 +1464,13 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
if
(
dir
.
entry
.
name
[
i
]
<
'0'
||
dir
.
entry
.
name
[
i
]
>
'9'
)
break
;
if
(
strcmp
(
dir
.
entry
.
name
+
i
,
".private"
)
!=
0
)
/*
* Did we not read exactly 5 more digits?
* Did we overflow?
* Did we correctly terminate?
*/
if
(
i
!=
len
+
1
+
1
+
3
+
1
+
5
||
i
>=
dir
.
entry
.
length
||
strcmp
(
dir
.
entry
.
name
+
i
,
".private"
)
!=
0
)
continue
;
dstkey
=
NULL
;
...
...
@@ -1464,6 +1480,17 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
DST_TYPE_PRIVATE
,
mctx
,
&
dstkey
);
switch
(
alg
)
{
case
DST_ALG_HMACMD5
:
case
DST_ALG_HMACSHA1
:
case
DST_ALG_HMACSHA224
:
case
DST_ALG_HMACSHA256
:
case
DST_ALG_HMACSHA384
:
case
DST_ALG_HMACSHA512
:
if
(
result
==
DST_R_BADKEYTYPE
)
continue
;
}
if
(
result
!=
ISC_R_SUCCESS
)
{
isc_log_write
(
dns_lctx
,
DNS_LOGCATEGORY_GENERAL
,
...
...
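Review bot: The `continue` inside the new `switch (alg)` after the key file is loaded skips the directory entry with no log line and no comment; the reason (HMAC key files are not DNSKEYs, so `DST_R_BADKEYTYPE` is expected for them) is stated only in the dnssectool.c comment. Add `/* TSIG (HMAC) key files share this directory and are not DNSKEYs; skip them quietly. */` above the case labels, and a `default: break;` so the fall-through to the error log is explicit. key_collision also lists `DST_ALG_DH` while this switch does not; if that difference is intentional it deserves a word here. In the algorithm-parsing loop, `alg = alg * 10 + (dir.entry.name[i] - '0');` would do the same as the `strchr(digits, ...)` lookup without the extra table, since the range check already precedes it. The body of dns_dnssec_findmatchingkeys2 extends outside the hunks shown.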