From: Mukund Sivaraman
Date: Fri, 21 Apr 2017 10:49:28 +0000 (+0530)
Subject: Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
X-Git-Tag: v9.12.0a1~366
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d01eab088e5ec135f74a796b3b15e5feb77ba84;p=thirdparty%2Fbind9.git

Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
---

diff --git a/CHANGES b/CHANGES
index 0e281f5bb63..3e6f2b82663 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4597. [bug] The validator now ignores SHA-1 DS digest type
+ when a DS record with SHA-384 digest type is
+ present and is a supported digest type.
+ [RT #45017]
+
 4596. [bug] Validate glue before adding it to the additional section. This also fixes incorrect TTL capping when the RRSIG expired earlier than the TTL.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 80894e5f9ea..f008e5b8d77 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1812,10 +1812,10 @@ dlv_validatezonekey(dns_validator_t *val) {
 supported_algorithm = ISC_FALSE;
 
 /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
+ * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+ * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+ * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+ * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 */
 memset(digest_types, 1, sizeof(digest_types));
 for (result = dns_rdataset_first(&val->dlv);
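Review bot: The rewritten comment in dlv_validatezonekey still says SHA-1 is ignored whenever a SHA-256 or SHA-384 DS "is present", but the loop it introduces (next hunk) only demotes SHA-1 when that DS also passes dns_resolver_ds_digest_supported and dns_resolver_algorithm_supported and carries a digest of the expected length, so the comment understates the conditions. Suggest ending it with `* is present with a supported digest type and algorithm and a digest of the expected length.` so a reader does not assume a disabled or malformed DS triggers the demotion. The identical comment is rewritten in validatezonekey at @@ -2164 and should get the same wording. The for statement on the hunk's last line continues past the hunk.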
@@ -1826,13 +1826,21 @@ dlv_validatezonekey(dns_validator_t *val) {
 result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+ if (!dns_resolver_ds_digest_supported(val->view->resolver,
+ val->event->name,
+ dlv.digest_type))
+ continue;
+
 if (!dns_resolver_algorithm_supported(val->view->resolver,
 val->event->name,
 dlv.algorithm))
 continue;
 
- if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
- dlv.length == ISC_SHA256_DIGESTLENGTH) {
+ if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+ dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+ (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+ dlv.length == ISC_SHA384_DIGESTLENGTH))
+ {
 digest_types[DNS_DSDIGEST_SHA1] = 0;
 break;
 }
@@ -2164,10 +2172,10 @@ validatezonekey(dns_validator_t *val) {
 supported_algorithm = ISC_FALSE;
 
 /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
+ * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+ * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+ * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+ * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 */
 memset(digest_types, 1, sizeof(digest_types));
 for (result = dns_rdataset_first(val->dsset);
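Review bot: The SHA-1 demotion pre-scan is now a duplicated block of about twenty lines in dlv_validatezonekey and validatezonekey (this hunk and the one at @@ -2178 in the same file), and this commit had to patch both copies in lockstep, which is how the two will drift the next time a digest type is added. A static helper taking the DS rdataset, the resolver and the name and returning whether a supported, well-formed SHA-256 or SHA-384 DS is present would let both callers do `if (helper(...)) digest_types[DNS_DSDIGEST_SHA1] = 0;`. The enclosing for loop starts before this hunk, so the helper boundary would have to include the loop header and the rdata reset and current calls that are not visible here. Placing the new dns_resolver_ds_digest_supported check ahead of the algorithm check reads correctly, since a disabled digest type should never suppress SHA-1 whatever the key algorithm.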
@@ -2178,13 +2186,21 @@ validatezonekey(dns_validator_t *val) {
 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+ if (!dns_resolver_ds_digest_supported(val->view->resolver,
+ val->event->name,
+ ds.digest_type))
+ continue;
+
 if (!dns_resolver_algorithm_supported(val->view->resolver,
 val->event->name,
 ds.algorithm))
 continue;
 
- if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
- ds.length == ISC_SHA256_DIGESTLENGTH) {
+ if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+ ds.length == ISC_SHA256_DIGESTLENGTH) ||
+ (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+ ds.length == ISC_SHA384_DIGESTLENGTH))
+ {
 digest_types[DNS_DSDIGEST_SHA1] = 0;
 break;
 }
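Review bot: The `ds.length == ISC_SHA384_DIGESTLENGTH` conjunct added here is load-bearing but undocumented: a DS with digest type SHA-384 and a wrong-length digest can never match a DNSKEY, so if it counted as "present" it would demote every SHA-1 DS and could turn an otherwise validatable delegation bogus; presumably that is why the length is checked, but the next reader may take it for a redundant sanity test. A one-line comment above the if, e.g. `/* Only a well-formed SHA-256/SHA-384 DS demotes SHA-1. */`, would record the intent. The same applies to the dlv.length checks in dlv_validatezonekey at @@ -1826. The enclosing for loop begins before this hunk.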