+3174. [bug] Always compute to revoked key tag from scratch.
+ [RT #24711]
+
3173. [port] Correctly validate root DS responses. [RT #25726]
3172. [port] darwin 10.* and freebsd [89] are now built threaded by
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.36 2011/03/18 02:16:43 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.37 2011/10/20 21:20:01 marka Exp $ */
/*! \file */
* is a risk of ID collision due to this key or another key
* being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
- {
+ if (key_collision(key, name, directory, mctx, &exact)) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS)
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.118 2011/03/17 01:40:34 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.119 2011/10/20 21:20:01 marka Exp $ */
/*! \file */
* if there is a risk of ID collision due to this key
* or another key being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory,
- alg, mctx, NULL)) {
+ if (key_collision(key, name, directory, mctx, NULL)) {
conflict = ISC_TRUE;
if (null_key) {
dst_key_free(&key);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.22 2010/05/06 23:50:56 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.23 2011/10/20 21:20:01 marka Exp $ */
/*! \file */
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
+ isc_boolean_t id = ISC_FALSE;
if (argc == 1)
usage();
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
case 'r':
remove = ISC_TRUE;
break;
+ case 'R':
+ id = ISC_TRUE;
+ break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
+ if (id) {
+ fprintf(stdout, "%u\n", dst_key_rid(key));
+ goto cleanup;
+ }
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-revoke.docbook,v 1.8 2011/10/20 21:20:01 marka Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
+ <arg><option>-R</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-R</term>
+ <listitem>
+ <para>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.60 2010/01/19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.61 2011/10/20 21:20:01 marka Exp $ */
/*! \file */
}
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact)
+key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact)
{
isc_result_t result;
isc_boolean_t conflict = ISC_FALSE;
dns_dnsseckeylist_t matchkeys;
dns_dnsseckey_t *key = NULL;
- isc_uint16_t oldid, diff;
- isc_uint16_t bits = DNS_KEYFLAG_REVOKE; /* flag bits to look for */
+ isc_uint16_t id, oldid, flags;
+ isc_uint32_t rid, roldid;
+ dns_secalg_t alg;
if (exact != NULL)
*exact = ISC_FALSE;
+
+ id = dst_key_id(dstkey);
+ rid = dst_key_rid(dstkey);
+ alg = dst_key_alg(dstkey);
+ flags = dst_key_flags(dstkey);
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
goto next;
oldid = dst_key_id(key->key);
- diff = (oldid > id) ? (oldid - id) : (id - oldid);
- if ((diff & ~bits) == 0) {
+ roldid = dst_key_rid(key->key);
+
+ if (oldid == rid || roldid == id || id == oldid) {
conflict = ISC_TRUE;
- if (diff != 0) {
+ if (id != oldid) {
if (verbose > 1)
fprintf(stderr, "Key ID %d could "
"collide with %d\n",
return (conflict);
}
-
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.31 2010/01/19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.32 2011/10/20 21:20:01 marka Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
set_keyversion(dst_key_t *key);
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact);
+key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact);
+
#endif /* DNSSEC_DNSSECTOOL_H */
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.6 2010/01/18 23:48:40 tbox Exp $
+# $Id: keygen.sh,v 1.7 2011/10/20 21:20:01 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
-echo $kskrev > ../rev.key
+$REVOKE -R $kskrev > ../rev.key
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.35 2011/10/15 05:00:15 marka Exp $
+# $Id: tests.sh,v 1.36 2011/10/20 21:20:01 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:checking that revoked key is present ($n)"
ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128`
-[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
+id=`cat rev.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking that revoked key self-signs ($n)"
ret=0
-id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128`
-[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
+id=`cat rev.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.64 2011/09/05 18:00:22 each Exp $
+ * $Id: dst_api.c,v 1.65 2011/10/20 21:20:02 marka Exp $
*/
/*! \file */
dst_key_free(&key);
return (DST_R_INVALIDPRIVATEKEY);
}
- key->key_id = id;
*keyp = key;
return (ISC_R_SUCCESS);
isc_uint8_t alg, proto;
isc_uint32_t flags, extflags;
dst_key_t *key = NULL;
- dns_keytag_t id;
+ dns_keytag_t id, rid;
isc_region_t r;
isc_result_t result;
alg = isc_buffer_getuint8(source);
id = dst_region_computeid(&r, alg);
+ rid = dst_region_computerid(&r, alg);
if (flags & DNS_KEYFLAG_EXTENDED) {
if (isc_buffer_remaininglength(source) < 2)
if (result != ISC_R_SUCCESS)
return (result);
key->key_id = id;
+ key->key_rid = rid;
*keyp = key;
return (ISC_R_SUCCESS);
if (key1->key_alg != key2->key_alg)
return (ISC_FALSE);
- /*
- * For all algorithms except RSAMD5, revoking the key
- * changes the key ID, increasing it by 128. If we want to
- * be able to find matching keys even if one of them is the
- * revoked version of the other one, then we need to check
- * for that possibility.
- */
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (ISC_FALSE);
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (ISC_FALSE);
- if ((key1->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
- key1->key_id != ((key2->key_id + 128) & 0xffff))
- return (ISC_FALSE);
- if ((key2->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
- key2->key_id != ((key1->key_id + 128) & 0xffff))
+ if (key1->key_id != key2->key_rid &&
+ key1->key_rid != key2->key_id)
return (ISC_FALSE);
}
isc_buffer_usedregion(&dnsbuf, &r);
key->key_id = dst_region_computeid(&r, key->key_alg);
+ key->key_rid = dst_region_computerid(&r, key->key_alg);
return (ISC_R_SUCCESS);
}
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.30 2011/03/17 01:40:39 each Exp $ */
+/* $Id: dst_internal.h,v 1.31 2011/10/20 21:20:02 marka Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
unsigned int key_alg; /*%< algorithm of the key */
isc_uint32_t key_flags; /*%< flags of the public key */
isc_uint16_t key_id; /*%< identifier of the key */
+ isc_uint16_t key_rid; /*%< identifier of the key when
+ revoked */
isc_uint16_t key_bits; /*%< hmac digest bits */
dns_rdataclass_t key_class; /*%< class of the key record */
dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.33 2011/03/21 19:54:03 each Exp $ */
+/* $Id: dst.h,v 1.34 2011/10/20 21:20:02 marka Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
dns_keytag_t
dst_key_id(const dst_key_t *key);
+dns_keytag_t
+dst_key_rid(const dst_key_t *key);
+
dns_rdataclass_t
dst_key_class(const dst_key_t *key);
isc_uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg);
+isc_uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg);
/*%<
- * Computes the key id of the key stored in the provided region with the
- * given algorithm.
+ * Computes the (revoked) key id of the key stored in the provided
+ * region with the given algorithm.
*
* Requires:
*\li "source" contains a valid, non-NULL region.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: key.c,v 1.10 2011/03/17 23:47:30 tbox Exp $ */
+/* $Id: key.c,v 1.11 2011/10/20 21:20:02 marka Exp $ */
#include <config.h>
return ((isc_uint16_t)(ac & 0xffff));
}
+isc_uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg) {
+ isc_uint32_t ac;
+ const unsigned char *p;
+ int size;
+
+ REQUIRE(source != NULL);
+ REQUIRE(source->length >= 4);
+
+ p = source->base;
+ size = source->length;
+
+ if (alg == DST_ALG_RSAMD5)
+ return ((p[size - 3] << 8) + p[size - 2]);
+
+ ac = ((*p) << 8) + *(p + 1);
+ ac |= DNS_KEYFLAG_REVOKE;
+ for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
+ ac += ((*p) << 8) + *(p + 1);
+
+ if (size > 0)
+ ac += ((*p) << 8);
+ ac += (ac >> 16) & 0xffff;
+
+ return ((isc_uint16_t)(ac & 0xffff));
+}
+
dns_name_t *
dst_key_name(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
return (key->key_id);
}
+dns_keytag_t
+dst_key_rid(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_rid);
+}
+
dns_rdataclass_t
dst_key_class(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
dst_key_proto
dst_key_pubcompare
dst_key_restore
+dst_key_rid
dst_key_secretsize
dst_key_setbits
dst_key_setflags
dst_lib_init2
dst_lib_initmsgcat
dst_region_computeid
+dst_region_computerid
dst_result_register
dst_result_totext
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.635 2011/10/12 23:46:34 tbox Exp $ */
+/* $Id: zone.c,v 1.636 2011/10/20 21:20:02 marka Exp $ */
/*! \file */
if (dst_key_alg(dstkey) == sig.algorithm &&
(dst_key_id(dstkey) == sig.keyid ||
- (sig.algorithm != 1 && sig.keyid ==
- ((dst_key_id(dstkey) + 128) & 0xffff)))) {
+ dst_key_rid(dstkey) == sig.keyid)) {
result = dns_dnssec_verify2(keyname,
&kfetch->dnskeyset,
dstkey, ISC_FALSE, mctx, &sigrr,
projects / thirdparty / bind9.git / commitdiff
