Restore the ability to read legacy K*+157+* files

The ability to read legacy HMAC-MD5 K* keyfile pairs using algorithm
number 157 was accidentally lost when the algorithm numbers were
consolidated into a single block, in commit
09f7e0607a34d90eae53f862954e98c31b5ae532.

The assumption was that these algorithm numbers were only known
internally, but they were also used in key files. But since HMAC-MD5
got renumbered from 157 to 160, legacy HMAC-MD5 key files no longer
work.

Move HMAC-MD5 back to 157 and GSSAPI back to 160.  Add exception for
GSSAPI to list_hmac_algorithms.

(cherry picked from commit 3f93d3f757ce3e5ea92c3e899e262aa2318b32fc)

diff --git a/CHANGES b/CHANGES
index 79d5a49a6454bbcc0f60bc00dc2101dcf703baf0..ce55e61dc2fa9c789e786c047bce238df0969ed7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6205.  [bug]           Restore support to read legacy HMAC-MD5 K file pairs.
+                       [GL #4154]
+
 6204.  [bug]           Use NS records for relaxed QNAME-minimization mode.
                        This reduces the number of queries named makes when
                        resolving, as it allows the non-existence of NS RRsets

diff --git a/bin/named/main.c b/bin/named/main.c
index bb7798c667bcf090e9f707dd9d2964601db6eee7..154e17efa789204715d287c8cd47b2982fc0dfad 100644 (file)
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -498,6 +498,9 @@ list_hmac_algorithms(isc_buffer_t *b) {
        for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST;
             i++)
        {
+               if (i == DST_ALG_GSSAPI) {
+                       continue;
+               }
                if (dst_algorithm_supported(i)) {
                        isc_buffer_putstr(b, " ");
                        isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index f2d095f916954be640bec585a7fa7e0021715be3..966c891e2a8732b88ce9971295d8f51291e8dd3e 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3376,7 +3376,7 @@ do
        2) # Diffie Helman
            alg=$((alg+1))
            continue;;
-       159|160|161|162|163|164|165) # private - non standard
+       157|160|161|162|163|164|165) # private - non standard
            alg=$((alg+1))
            continue;;
        1|5|7|8|10) # RSA algorithms

diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 3e60ee3def8f3d2018cdb9bbf6fdbaf33110a96d..ca292b0ef0400949d6e85c9880e1bddc32d53238 100644 (file)
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -95,15 +95,22 @@ typedef enum dst_algorithm {
        DST_ALG_ECDSA384 = 14,
        DST_ALG_ED25519 = 15,
        DST_ALG_ED448 = 16,
-       DST_ALG_GSSAPI = 159,
-       DST_ALG_HMACMD5 = 160,
+
+       /*
+        * Do not renumber HMAC algorithms as they are used externally to named
+        * in legacy K* key pair files.
+        * Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512.
+        */
+       DST_ALG_HMACMD5 = 157,
        DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
+       DST_ALG_GSSAPI = 160,     /* Internal use only. Exception. */
        DST_ALG_HMACSHA1 = 161,   /* XXXMPA */
        DST_ALG_HMACSHA224 = 162, /* XXXMPA */
        DST_ALG_HMACSHA256 = 163, /* XXXMPA */
        DST_ALG_HMACSHA384 = 164, /* XXXMPA */
        DST_ALG_HMACSHA512 = 165, /* XXXMPA */
        DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
+
        DST_ALG_INDIRECT = 252,
        DST_ALG_PRIVATE = 254,
        DST_MAX_ALGS = 256,