From 5d01eab088e5ec135f74a796b3b15e5feb77ba84 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman
Date: Fri, 21 Apr 2017 16:19:28 +0530
Subject: [PATCH] Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)

---
 CHANGES             |  5 +++++
 lib/dns/validator.c | 40 ++++++++++++++++++++++++++++------------
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0e281f5bb6..3e6f2b8266 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4597. [bug] The validator now ignores SHA-1 DS digest type
+ when a DS record with SHA-384 digest type is
+ present and is a supported digest type.
+ [RT #45017]
+
 4596. [bug] Validate glue before adding it to the additional section. This also fixes incorrect TTL capping when the RRSIG expired earlier than the TTL.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 80894e5f9e..f008e5b8d7 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1812,10 +1812,10 @@ dlv_validatezonekey(dns_validator_t *val) {
 	supported_algorithm = ISC_FALSE;
 
 	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1. This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 	 */
 	memset(digest_types, 1, sizeof(digest_types));
 	for (result = dns_rdataset_first(&val->dlv);
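Review bot: The rewritten comment at the top of dlv_validatezonekey's digest scan still says SHA-1 is ignored whenever a SHA-256 or SHA-384 DS "is present", but the loop that follows (next hunk) only clears digest_types[DNS_DSDIGEST_SHA1] for a record whose digest type passes dns_resolver_ds_digest_supported, whose algorithm passes dns_resolver_algorithm_supported, and whose length matches the digest, which is what the CHANGES entry ("present and is a supported digest type") describes. Suggest closing the comment with: ` * Only a DS whose digest type and algorithm are supported for this name, and whose digest length matches, counts as present here.` The same comment in validatezonekey (hunk @@ -2164) needs the identical wording. dlv_validatezonekey begins and ends outside this hunk.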
@@ -1826,13 +1826,21 @@ dlv_validatezonekey(dns_validator_t *val) {
 		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
 			continue;
 
-		if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
-		    dlv.length == ISC_SHA256_DIGESTLENGTH) {
+		if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+		     dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+		     dlv.length == ISC_SHA384_DIGESTLENGTH))
+		{
 			digest_types[DNS_DSDIGEST_SHA1] = 0;
 			break;
 		}
@@ -2164,10 +2172,10 @@ validatezonekey(dns_validator_t *val) {
 	supported_algorithm = ISC_FALSE;
 
 	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1. This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 	 */
 	memset(digest_types, 1, sizeof(digest_types));
 	for (result = dns_rdataset_first(val->dsset);
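Review bot: The digest-preference test added in the `if ((dlv.digest_type == DNS_DSDIGEST_SHA256 && ...` block is now duplicated in validatezonekey (hunk @@ -2178), differing only in the struct name, so the next digest type has to be added in two places and the two scans can silently drift apart; a small static helper taking the two scalar fields keeps the downgrade-protection policy in one spot and serves both the DS and DLV loops without sharing a struct type. The loop body would then read `if (stronger_digest_present(dlv.digest_type, dlv.length)) {` followed by the unchanged assignment and break, with the mirrored change in validatezonekey. I am assuming the field types of digest_type and length are dns_dsdigest_t and isc_uint16_t as in other BIND sources; adjust the signature if they differ here. dlv_validatezonekey begins and ends outside this hunk.
```c
/*
 * Return true for a DS/DLV digest that, when present and supported,
 * requires the SHA-1 digests of the same set to be ignored.
 */
static isc_boolean_t
stronger_digest_present(dns_dsdigest_t digest_type, isc_uint16_t length) {
	return (ISC_TF((digest_type == DNS_DSDIGEST_SHA256 &&
			length == ISC_SHA256_DIGESTLENGTH) ||
		       (digest_type == DNS_DSDIGEST_SHA384 &&
			length == ISC_SHA384_DIGESTLENGTH)));
}

		/* … unchanged: ds_digest_supported and algorithm_supported checks … */
		if (stronger_digest_present(dlv.digest_type, dlv.length)) {
			digest_types[DNS_DSDIGEST_SHA1] = 0;
			break;
		}
```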
@@ -2178,13 +2186,21 @@ validatezonekey(dns_validator_t *val) {
 		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
 			continue;
 
-		if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
-		    ds.length == ISC_SHA256_DIGESTLENGTH) {
+		if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+		     ds.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+		     ds.length == ISC_SHA384_DIGESTLENGTH))
+		{
 			digest_types[DNS_DSDIGEST_SHA1] = 0;
 			break;
 		}
-- 
GitLab