pullup:

1100.   [bug]           libbind: DNSSEC key ids were computed incorrectly.

diff --git a/CHANGES b/CHANGES
index 28f73ea3f4abae3e520fa39c0205cc76b2a7406b..64ac0bc66de0ac516b575714114ca896cb5555ba 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,8 @@
 
 1101.  [bug]           Array bounds read error in lwres_gai_strerror.
 
+1100.  [bug]           libbind: DNSSEC key ids were computed incorrectly.
+
 1099.  [cleanup]       libbind: defining REPORT_ERRORS in lib/bind/dst caused
                        compile time errors.
 

diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c
index c69004353890c718c2d1211b0674e30f6523439f..197eb217689940371839eb19177d4c7302874036 100644 (file)
--- a/lib/bind/dst/dst_api.c
+++ b/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.4.2.2 2001/11/02 21:38:18 gson Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.4.2.3 2001/11/02 22:25:28 gson Exp $";
 #endif
 
 /*
@@ -658,6 +658,7 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 
        if (in_name == NULL)
                return (NULL);
+       key_st->dk_id = dst_s_dns_key_id(rdata, len);
        key_st->dk_flags = dst_s_get_int16(rdata);
        key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
        if (key_st->dk_flags & DST_EXTEND_FLAG) {
@@ -761,6 +762,8 @@ dst_buffer_to_key(const char *key_name,             /* name of the key */
 {
        
        DST_KEY *dkey = NULL; 
+       int dnslen;
+       u_char dns[2048];
 
        if (!dst_check_algorithm(alg)) { /* make sure alg is available */
                EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg));
@@ -772,14 +775,17 @@ dst_buffer_to_key(const char *key_name,           /* name of the key */
 
        if (dkey == NULL)
                return (NULL);
-       if (dkey->dk_func != NULL && dkey->dk_func->from_dns_key != NULL) {
-               if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
-                       EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
-                       return (dst_free_key(dkey));
-               }
-               return (dkey);
+       if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
+               return NULL;
+
+       if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
+               EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
+               return (dst_free_key(dkey));
        }
-       return (NULL);
+
+       dnslen = dst_key_to_dnskey(dkey, dns, sizeof(dns));
+       dkey->dk_id = dst_s_dns_key_id(dns, dnslen);
+       return (dkey);
 }
 
 int 
@@ -817,10 +823,12 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
                            int in_alg)
 {
        int cnt, alg, len, major, minor, file_major, file_minor;
-       int id;
+       int ret, id;
        char filename[PATH_MAX];
        u_char in_buff[RAW_KEY_SIZE], *p;
        FILE *fp;
+       int dnslen;
+       u_char dns[2048];
 
        if (name == NULL || pk_key == NULL) {
                EREPORT(("dst_read_private_key_file(): No key name given\n"));
@@ -887,10 +895,13 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
        if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL)
                goto fail;
 
-       id = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, &in_buff[len] - p);
-       if (id < 0)
+       ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, &in_buff[len] - p);
+       if (ret < 0)
                goto fail;
 
+       dnslen = dst_key_to_dnskey(pk_key, dns, sizeof(dns));
+       id = dst_s_dns_key_id(dns, dnslen);
+
        /* Make sure the actual key tag matches the input tag used in the filename
         */
        if (id != in_id) {
@@ -943,6 +954,9 @@ dst_generate_key(const char *name, const int bits, const int exp,
 {
        DST_KEY *new_key = NULL;
        int res;
+       int dnslen;
+       u_char dns[2048];
+
        if (name == NULL)
                return (NULL);
 
@@ -967,6 +981,13 @@ dst_generate_key(const char *name, const int bits, const int exp,
                         new_key->dk_key_size, exp));
                return (dst_free_key(new_key));
        }
+
+       dnslen = dst_key_to_dnskey(new_key, dns, sizeof(dns));
+       if (dnslen != UNSUPPORTED_KEYALG)
+               new_key->dk_id = dst_s_dns_key_id(dns, dnslen);
+       else
+               new_key->dk_id = 0;
+
        return (new_key);
 }
 

diff --git a/lib/bind/dst/support.c b/lib/bind/dst/support.c
index e669a411d5404fb88ca712f31e1701ab217df09a..db092bf929a6ea4407354934d45271e6bad64f04 100644 (file)
--- a/lib/bind/dst/support.c
+++ b/lib/bind/dst/support.c
@@ -1,4 +1,4 @@
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/support.c,v 1.2 2001/04/03 00:48:09 bwelling Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/support.c,v 1.2.2.1 2001/11/02 22:25:29 gson Exp $";
 
 
 /*
@@ -91,7 +91,7 @@ dst_s_calculate_bits(const u_char *str, const int max_bits)
 
 
 /*
- * calculates a checksum used in kmt for a id.
+ * calculates a checksum used in dst for an id.
  * takes an array of bytes and a length.
  * returns a 16  bit checksum.
  */
@@ -116,34 +116,30 @@ dst_s_id_calc(const u_char *key, const int keysize)
 }
 
 /* 
- * dst_s_dns_key_id() Function to calculated DNSSEC footprint from KEY reocrd
- *   rdata (all of  record)
+ * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
+ *   rdata
  * Input:
  *     dns_key_rdata: the raw data in wire format 
  *      rdata_len: the size of the input data 
  * Output:
- *      the key footprint/id calcuated from the key data 
+ *      the key footprint/id calculated from the key data 
  */ 
 u_int16_t
 dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
 {
-       int key_data = 4;
-
-       if (!dns_key_rdata || (rdata_len < key_data))
+       if (!dns_key_rdata)
                return 0;
 
-       /* check the extended parameters bit in the DNS Key RR flags */
-       if (dst_s_get_int16(dns_key_rdata) & DST_EXTEND_FLAG)
-               key_data += 2;
-
        /* compute id */
        if (dns_key_rdata[3] == KEY_RSA)        /* Algorithm RSA */
                return dst_s_get_int16((const u_char *)
                                       &dns_key_rdata[rdata_len - 3]);
+       else if (dns_key_rdata[3] == KEY_HMAC_MD5)
+               /* compatibility */
+               return 0;
        else
                /* compute a checksum on the key part of the key rr */
-               return dst_s_id_calc(&dns_key_rdata[key_data],
-                                    (rdata_len - key_data));
+               return dst_s_id_calc(dns_key_rdata, rdata_len);
 }
 
 /*