Commit b05b3fab authored by Evan Hunt's avatar Evan Hunt

[master] fix RSA parsing when md5 disabled

4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
			[RT #45300]
parent 91623448
4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled.
[RT #45300]
4644. [placeholder] 4644. [placeholder]
4643. [security] An error in TSIG handling could permit unauthorized 4643. [security] An error in TSIG handling could permit unauthorized
......
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/. # file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
rm -f dig.out pin rm -f dig.out* pin upd.log*
rm -f ns1/*.key ns1/named.memstats rm -f ns1/*.key ns1/named.memstats
rm -f supported rm -f supported
rm -f ns*/named.lock rm -f ns*/named.lock
...@@ -37,7 +37,12 @@ for alg in $algs; do ...@@ -37,7 +37,12 @@ for alg in $algs; do
echo "I:testing inline signing with PKCS#11 keys ($alg)" echo "I:testing inline signing with PKCS#11 keys ($alg)"
$NSUPDATE > /dev/null <<END || status=1 $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
count0=`grep RRSIG dig.out.$alg.0 | wc -l`
$NSUPDATE -v > upd.log.$alg <<END || status=1
server 10.53.0.1 5300 server 10.53.0.1 5300
ttl 300 ttl 300
zone $alg.example. zone $alg.example.
...@@ -48,11 +53,11 @@ END ...@@ -48,11 +53,11 @@ END
echo "I:waiting 20 seconds for key changes to take effect" echo "I:waiting 20 seconds for key changes to take effect"
sleep 20 sleep 20
$DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out || ret=1 $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
count=`grep RRSIG dig.out | wc -l` count=`grep RRSIG dig.out.$alg | wc -l`
if [ $count != 4 ]; then echo "I:failed"; status=1; fi if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
echo "I:testing PKCS#11 key destroy ($alg)" echo "I:testing PKCS#11 key destroy ($alg)"
ret=0 ret=0
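Review bot: The baseline query added before the update ends in `|| ret=1` with no visible `ret=0` ahead of it, and the post-update query after `sleep 20` reuses the same `ret`. A single failed lookup is therefore added to `status` twice, and a stale value left by an earlier step would be reported as a failure of this query. Unless `ret` is already reset earlier in the loop body, which starts outside this hunk, add `ret=0` before the first `$DIG` and again before the second. The new comparison `[ $count -le $count0 ]` also accepts any increase in the RRSIG count where the old test required exactly 4. A short comment such as `# the update must yield more RRSIGs than the pre-update baseline` would document what the relative check asserts.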
......
...@@ -605,7 +605,12 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, ...@@ -605,7 +605,12 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
goto fail; goto fail;
} }
#ifdef PK11_MD5_DISABLE
check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
ISC_TRUE, external);
#else
check = check_data(priv, alg, ISC_TRUE, external); check = check_data(priv, alg, ISC_TRUE, external);
#endif
if (check < 0) { if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY; ret = DST_R_INVALIDPRIVATEKEY;
goto fail; goto fail;
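Review bot: The `PK11_MD5_DISABLE` branch validates a `DST_ALG_RSA` key file as if it were `DST_ALG_RSASHA1`, and nothing in the hunk explains why. Presumably `check_data()` does not accept `DST_ALG_RSA` in MD5-disabled builds and the two algorithms share the same private-key fields. A comment above the `#ifdef` should say so, e.g. `/* MD5 disabled: validate RSAMD5 key files with the RSASHA1 field set; alg itself is unchanged */`. In the visible lines the substitution is confined to the argument of `check_data()`. The rest of dst__privstruct_parse lies outside the hunk, so it is worth confirming there that later algorithm-support checks still see the original `alg` and that an RSAMD5 key is not silently treated as usable.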
......