Commit 9860862c authored by Mark Andrews

2183. [bug] dnssec-signzone didn't handle offline private keys well. [RT #16832]
parent 25e28241
2183. [bug] dnssec-signzone didn't handle offline private keys
well. [RT #16832]
2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
could return ISC_R_SUCCESS when they ran out of
memory. [RT #16365]
......@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.199 2006/08/30 22:57:16 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.200 2007/05/18 05:50:35 marka Exp $ */
/*! \file */
......@@ -1481,7 +1481,7 @@ loadzonekeys(dns_db_t *db) {
for (i = 0; i < nkeys; i++) {
signer_key_t *key;
key = newkeystruct(keys[i], ISC_TRUE);
key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
ISC_LIST_APPEND(keylist, key, link);
}
dns_db_detachnode(db, &node);
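Review bot: The second argument to `newkeystruct` is now a computed boolean whose meaning is not stated at the call site, and nothing nearby says why a zone key loaded by dns_dnssec_findzonekeys2 might not be private. Assuming that argument marks whether the key is used to sign, a one-line comment above the call would keep the two sides of this commit in step, e.g. `/* Keys whose private half is offline are loaded public-only and must not sign. */`. The enclosing function loadzonekeys begins and ends outside the hunk, so whether a zone with no private key at all is reported as an error rather than silently producing no signatures is not visible here.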
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.132 2007/03/29 23:47:04 tbox Exp $ */
/* $Id: update.c,v 1.133 2007/05/18 05:50:35 marka Exp $ */
#include <config.h>
......@@ -1658,6 +1658,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
if (check_ksk && type != dns_rdatatype_dnskey &&
(dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
continue;
if (!dst_key_isprivate(keys[i]))
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
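Review bot: The added `if (!dst_key_isprivate(keys[i])) continue;` skips a key without saying why a key returned by dns_dnssec_findzonekeys2 can lack a private half; the reason only becomes clear from the dnssec.c change in the same commit. A comment such as `/* Offline private keys are loaded public-only and cannot sign; skip them. */` would make the dependency explicit. If every zone key is public-only this loop produces no RRSIGs, and whether add_sigs then reports that or returns success with an unsigned RRset is decided outside the hunk, since the function starts and ends beyond it.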
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.87 2006/03/07 00:34:55 marka Exp $
* $Id: dnssec.c,v 1.88 2007/05/18 05:50:35 marka Exp $
*/
/*! \file */
......@@ -531,6 +531,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dst_key_t *pubkey = NULL;
unsigned int count = 0;
REQUIRE(nkeys != NULL);
REQUIRE(keys != NULL);
*nkeys = 0;
dns_rdataset_init(&rdataset);
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
......@@ -540,7 +543,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
if (!is_zone_key(pubkey))
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto next;
keys[count] = NULL;
result = dst_key_fromfile(dst_key_name(pubkey),
......@@ -549,17 +553,23 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory,
mctx, &keys[count]);
if (result == ISC_R_FILENOTFOUND)
if (result == ISC_R_FILENOTFOUND) {
keys[count] = pubkey;
pubkey = NULL;
count++;
goto next;
}
if (result != ISC_R_SUCCESS)
goto failure;
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&keys[count]);
goto next;
}
count++;
next:
dst_key_free(&pubkey);
if (pubkey != NULL)
dst_key_free(&pubkey);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rdataset);
}
......@@ -575,6 +585,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_rdataset_disassociate(&rdataset);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (result != ISC_R_SUCCESS)
while (count > 0)
dst_key_free(&keys[--count]);
*nkeys = count;
return (result);
}
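Review bot: In the hunk headed `@@ -549,17 +553,23 @@`, the check after `dst_key_fromfile` is commented `/* We should never get here. */`, but the flags it tests come from the key file on disk while the earlier NOAUTH check in the preceding hunk tested the DNSKEY RR from the zone, so the two can legitimately disagree when the on-disk file was regenerated; the comment should say so, e.g. `/* The on-disk key may carry different flags than the zone's DNSKEY RR; never hand back a NOAUTH key. */`, and a log message there would make such a mismatch visible to operators instead of silently dropping the key. The ISC_R_FILENOTFOUND branch now places a public-only key in `keys[]`, which changes the function's contract: callers must check `dst_key_isprivate()` before signing, as add_sigs in update.c and loadzonekeys in dnssec-signzone.c do in this commit, and that should be stated in the function's header comment, which lies outside the hunk. The error-path cleanup added in the final hunk (`while (count > 0) dst_key_free(&keys[--count]);`) correctly releases the keys collected so far and relies on `count` being the sole owner index, which holds for the visible loop.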