Commit 841b557d authored by Evan Hunt's avatar Evan Hunt

allow multiple key algorithms in the same control listener

if a control channel listener was configured with more than one
key algorithm, message verification would be attempted with each
algorithm in turn. if the first key failed due to the wrong
signature length, the entire verification process was aborted,
rather than continuing on to try with another key.
parent f663701b
......@@ -445,10 +445,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
}
isc_mem_put(listener->mctx, conn->secret.rstart,
REGION_SIZE(conn->secret));
if (result != ISCCC_R_BADAUTH) {
log_invalid(&conn->ccmsg, result);
goto cleanup;
}
}
if (key == NULL) {
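Review bot: Once the `if (result != ISCCC_R_BADAUTH)` exit is gone, every failed key attempt falls through to the next key regardless of what `result` was, so a message that fails for a reason other than a signature mismatch (the cases `log_invalid` used to report here) is now silent at this point and is presumably reported only by the generic `key == NULL` path below, if at all. Logging on every iteration would be noisy, since a message signed with one algorithm is expected to fail the length check against the other keys, so the better place is after the loop: keep the last non-BADAUTH `result` in a local and pass it to `log_invalid` in the `key == NULL` branch, e.g. `if (result != ISCCC_R_BADAUTH) { last_result = result; }` inside the loop and `log_invalid(&conn->ccmsg, last_result);` below, so operators can still distinguish a malformed control message from a wrong-key attempt in the log. This assumes the four removed lines are exactly that block; the rendered page does not mark them. control_recvmessage and the key loop start and end outside this hunk.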
......@@ -45,3 +45,12 @@ make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
make_key 5 ${EXTRAPORT5} hmac-sha384
make_key 6 ${EXTRAPORT6} hmac-sha512
cat >> ns4/named.conf <<- EOF
controls {
inet 10.53.0.4 port ${EXTRAPORT7}
allow { any; } keys { "key1"; "key2"; "key3";
"key4"; "key5"; "key6"; };
};
EOF
......@@ -412,6 +412,16 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing single control channel with multiple algorithms ($n)"
ret=0
for i in 1 2 3 4 5 6
do
$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing automatic zones are reported ($n)"
ret=0
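Review bot: The new `for i in 1 2 3 4 5 6` loop discards rndc's output with `> /dev/null 2>&1`, so when one key fails the log shows only "failed" and not which key or why; the neighbouring tests appear to use the same idiom, but for a six-way loop it is worth capturing the output and naming the key, e.g. `$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > rndc.out.key${i}.test$n 2>&1 || { ret=1; echo_i "key${i} failed"; }` (output file name constructed). The check is also one-sided: it proves each configured key is accepted, but not that the listener still rejects a key that is not in its `keys` list now that verification no longer stops at the first failure; a further step using a key config ns4 does not list (placeholder `ns4/<unlisted-key>.conf`) that expects a non-zero exit, `&& ret=1`, would pin that. Both points are inferred from the visible lines only; the rest of the test script is outside the hunk.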