Commit 5d01eab0 authored by Mukund Sivaraman

Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)

parent b0dbcba2
4597. [bug] The validator now ignores SHA-1 DS digest type
when a DS record with SHA-384 digest type is
present and is a supported digest type.
[RT #45017]
4596. [bug] Validate glue before adding it to the additional 4596. [bug] Validate glue before adding it to the additional
section. This also fixes incorrect TTL capping section. This also fixes incorrect TTL capping
when the RRSIG expired earlier than the TTL. when the RRSIG expired earlier than the TTL.
...@@ -1812,10 +1812,10 @@ dlv_validatezonekey(dns_validator_t *val) { ...@@ -1812,10 +1812,10 @@ dlv_validatezonekey(dns_validator_t *val) {
supported_algorithm = ISC_FALSE; supported_algorithm = ISC_FALSE;
/* /*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
* it over DNS_DSDIGEST_SHA1. This in practice means that we * are required to prefer it over DNS_DSDIGEST_SHA1. This in
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
* is present. * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
*/ */
memset(digest_types, 1, sizeof(digest_types)); memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(&val->dlv); for (result = dns_rdataset_first(&val->dlv);
...@@ -1826,13 +1826,21 @@ dlv_validatezonekey(dns_validator_t *val) { ...@@ -1826,13 +1826,21 @@ dlv_validatezonekey(dns_validator_t *val) {
result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
dlv.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver, if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name, val->event->name,
dlv.algorithm)) dlv.algorithm))
continue; continue;
if (dlv.digest_type == DNS_DSDIGEST_SHA256 && if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
dlv.length == ISC_SHA256_DIGESTLENGTH) { dlv.length == ISC_SHA256_DIGESTLENGTH) ||
(dlv.digest_type == DNS_DSDIGEST_SHA384 &&
dlv.length == ISC_SHA384_DIGESTLENGTH))
{
digest_types[DNS_DSDIGEST_SHA1] = 0; digest_types[DNS_DSDIGEST_SHA1] = 0;
break; break;
} }
...@@ -2164,10 +2172,10 @@ validatezonekey(dns_validator_t *val) { ...@@ -2164,10 +2172,10 @@ validatezonekey(dns_validator_t *val) {
supported_algorithm = ISC_FALSE; supported_algorithm = ISC_FALSE;
/* /*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
* it over DNS_DSDIGEST_SHA1. This in practice means that we * are required to prefer it over DNS_DSDIGEST_SHA1. This in
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
* is present. * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
*/ */
memset(digest_types, 1, sizeof(digest_types)); memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(val->dsset); for (result = dns_rdataset_first(val->dsset);
...@@ -2178,13 +2186,21 @@ validatezonekey(dns_validator_t *val) { ...@@ -2178,13 +2186,21 @@ validatezonekey(dns_validator_t *val) {
result = dns_rdata_tostruct(&dsrdata, &ds, NULL); result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
ds.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver, if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name, val->event->name,
ds.algorithm)) ds.algorithm))
continue; continue;
if (ds.digest_type == DNS_DSDIGEST_SHA256 && if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
ds.length == ISC_SHA256_DIGESTLENGTH) { ds.length == ISC_SHA256_DIGESTLENGTH) ||
(ds.digest_type == DNS_DSDIGEST_SHA384 &&
ds.length == ISC_SHA384_DIGESTLENGTH))
{
digest_types[DNS_DSDIGEST_SHA1] = 0; digest_types[DNS_DSDIGEST_SHA1] = 0;
break; break;
} }
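Review bot: The digest-support check, the algorithm-support check and the SHA-256/SHA-384 length test are now copied verbatim into both dlv_validatezonekey (this section's second hunk) and validatezonekey (its fourth hunk), differing only in the `dlv`/`ds` variable, so any later change to the preference rule has to be made twice and the two validation paths can drift apart. A small static predicate that both loops call removes the duplication and gives the "present and supported" precondition a single documented home, which the updated block comment above each loop (first and third hunks) still leaves out — it speaks only of a SHA-256 or SHA-384 DS being present, not of the resolver accepting its digest type and algorithm, which is exactly what this commit adds. The rewrite below assumes nothing follows the `if` block inside the loop body, so `continue` and "return false" are equivalent; the loop and both enclosing functions extend past the hunks, so please confirm against the full body. If dns_rdata_dlv_t is a typedef of dns_rdata_ds_t, as I believe it is, the DLV loop can pass `&dlv` to the same helper unchanged.
```c
/*
 * True if 'ds' is a DS/DLV record whose digest type and algorithm this
 * resolver accepts and whose digest is a complete SHA-256 or SHA-384
 * digest.  Such a record obliges us to ignore SHA-1 digests in the same
 * RRset (RFC 4509 section 3 for SHA-256; this commit applies the same
 * preference to SHA-384).  A record the resolver has been configured to
 * reject must not demote SHA-1, or the RRset could be left with no
 * usable DS at all.
 */
static isc_boolean_t
ds_demotes_sha1(dns_validator_t *val, const dns_rdata_ds_t *ds) {
	if (!dns_resolver_ds_digest_supported(val->view->resolver,
					      val->event->name,
					      ds->digest_type))
		return (ISC_FALSE);
	if (!dns_resolver_algorithm_supported(val->view->resolver,
					      val->event->name,
					      ds->algorithm))
		return (ISC_FALSE);
	if (ds->digest_type == DNS_DSDIGEST_SHA256 &&
	    ds->length == ISC_SHA256_DIGESTLENGTH)
		return (ISC_TRUE);
	if (ds->digest_type == DNS_DSDIGEST_SHA384 &&
	    ds->length == ISC_SHA384_DIGESTLENGTH)
		return (ISC_TRUE);
	return (ISC_FALSE);
}

/* … unchanged: validatezonekey up to the first pass over val->dsset … */
		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);
		if (ds_demotes_sha1(val, &ds)) {
			digest_types[DNS_DSDIGEST_SHA1] = 0;
			break;
		}
/* … unchanged: rest of the loop; same replacement in dlv_validatezonekey … */
```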