From: Matthijs Mekking
Date: Wed, 19 Dec 2018 17:47:43 +0000 (+0100)
Subject: Update keyfetch_done compute_tag check
X-Git-Tag: v9.12.4rc1~5^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f93529a53c62d26f2f1eafd11723a2ed42dbbd3;p=thirdparty%2Fbind9.git
Update keyfetch_done compute_tag check
If in keyfetch_done the compute_tag fails (because for example the algorithm is not supported), don't crash, but instead ignore the key.
(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
---
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 0a3e343e573..6ba1e136aff 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -70,8 +70,7 @@ typedef struct dst_context dst_context_t;
 #define DST_ALG_HMACSHA512 165 /* XXXMPA */
 #define DST_ALG_INDIRECT 252
 #define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
+#define DST_MAX_ALGS 256
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE 1280
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 0667beb9422..df39dfb4d0a 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9501,6 +9501,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 dns_keydata_todnskey(&keydata, &dnskey, NULL);
 result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 /*
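Review bot: The new value of `DST_MAX_ALGS` carries no comment saying why it is 256, and the commit message only describes the keyfetch_done change. The DNSKEY algorithm field is one octet, so 256 is presumably meant as a count covering every value 0..255, where the old 255 left the top value outside it; I would state that next to the define, e.g. `/* Number of possible algorithm values; the field is one octet (0..255) */`. Code not shown here that sizes tables with this macro or compares an algorithm number against it should be checked for `>=` versus `>` now that the macro is a count rather than a maximum. Removing `DST_ALG_EXPAND` from what appears to be a public header can also break out-of-tree users and deserves a line in the commit message.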
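Review bot: The `RUNTIME_CHECK(result == ISC_R_SUCCESS);` left directly after the new `if` block can no longer fail, because every non-success result now takes the `continue`; it should be dropped so the code does not suggest the assert path still exists. The same leftover is in the second zone.c hunk at -9613. The log line also does not say which key was skipped; since the key material here comes from a fetch, adding the algorithm, e.g. `"Cannot compute tag for key in zone %s: %s (algorithm %u, skipping)"` with `dnskey.algorithm`, would let an operator tell an unsupported algorithm from a malformed key. The loop that contains these lines starts outside the hunk, so whether `continue` bypasses any per-iteration cleanup cannot be confirmed from here.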
@@ -9613,6 +9624,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 }
 result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
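Review bot: The `continue` here runs before `revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);`, so a DNSKEY that carries the REVOKE bit but whose tag cannot be computed is dropped without reaching whatever revocation handling follows. That may well be intended, since a key with an unsupported algorithm presumably cannot match a stored trust anchor, but the added comment should say so, e.g. `* Skip if we cannot compute the key tag; this also skips revocation processing for this key.` The rest of the loop body lies outside the hunk, so this is inferred from the one visible line after the check.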