Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
authorMukund Sivaraman <muks@isc.org>
Fri, 21 Apr 2017 10:49:28 +0000 (16:19 +0530)
committerMukund Sivaraman <muks@isc.org>
Fri, 21 Apr 2017 10:51:49 +0000 (16:21 +0530)
(cherry picked from commit 5d01eab088e5ec135f74a796b3b15e5feb77ba84)
(cherry picked from commit 9540b42695c15fdd5f01b4c663e21936e6c38c82)

CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 49241e6faea526775c057dee1f6e605a26c644fb..cfc32bab12c2848752dd59fd84c2b8d13cff2bab 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4597.  [bug]           The validator now ignores SHA-1 DS digest type
+                       when a DS record with SHA-384 digest type is
+                       present and is a supported digest type.
+                       [RT #45017]
+
 4596.  [bug]           Validate glue before adding it to the additional
                        section. This also fixes incorrect TTL capping
                        when the RRSIG expired earlier than the TTL.
index 77e21a1104738a04c5e0d16836e607fbc9c0bb39..90911602dcbafabf3ae1891a770514ffbc008fa5 100644 (file)
@@ -1823,10 +1823,10 @@ dlv_validatezonekey(dns_validator_t *val) {
        supported_algorithm = ISC_FALSE;
 
        /*
-        * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-        * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-        * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-        * is present.
+        * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+        * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+        * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+        * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
         */
        memset(digest_types, 1, sizeof(digest_types));
        for (result = dns_rdataset_first(&val->dlv);
@@ -1837,13 +1837,21 @@ dlv_validatezonekey(dns_validator_t *val) {
                result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+               if (!dns_resolver_ds_digest_supported(val->view->resolver,
+                                                     val->event->name,
+                                                     dlv.digest_type))
+                       continue;
+
                if (!dns_resolver_algorithm_supported(val->view->resolver,
                                                      val->event->name,
                                                      dlv.algorithm))
                        continue;
 
-               if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
-                   dlv.length == ISC_SHA256_DIGESTLENGTH) {
+               if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+                    dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+                   (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+                    dlv.length == ISC_SHA384_DIGESTLENGTH))
+               {
                        digest_types[DNS_DSDIGEST_SHA1] = 0;
                        break;
                }
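Review bot: The stronger-digest scan this hunk extends is now duplicated line for line with the hunk ending at L104 in validatezonekey (same new supported-digest check, same algorithm check, same SHA-256/SHA-384 length test), and the two comment hunks above each are duplicated as well, so the next digest type added here has to be added in four places. A static helper taking the rdataset, the resolver and the name and returning whether SHA-1 DS records should be ignored would keep the two call sites from drifting; the two hunks already use identically named fields (`digest_type`, `algorithm`, `length`), so one helper over `dns_rdata_ds_t` looks feasible, assuming the DLV struct is the same type as the DS struct in this tree. The comment at the top of the loop could also name the rule it implements, e.g. `* RFC 4509 section 3 requires a SHA-1 DS to be ignored when a usable SHA-256 DS is present; SHA-384 is handled the same way here.` Both dlv_validatezonekey and validatezonekey start and end outside the hunks, and the loop that later consumes digest_types[] is not visible either, so the helper's result still has to feed that code unchanged.
```c
/*
 * Return ISC_TRUE if 'rdataset' contains a DS (or DLV) record whose digest
 * type and key algorithm are supported and whose digest is SHA-256 or
 * SHA-384 of the expected length; callers then ignore SHA-1 DS records.
 */
static isc_boolean_t
has_stronger_digest(dns_rdataset_t *rdataset, dns_resolver_t *resolver,
		    dns_name_t *name)
{
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdata_ds_t ds;
	isc_result_t result;

	for (result = dns_rdataset_first(rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(rdataset))
	{
		dns_rdata_reset(&rdata);
		dns_rdataset_current(rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &ds, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		/* … same supported-digest, algorithm and length tests as the loop body … */
		if (stronger)
			return (ISC_TRUE);
	}
	return (ISC_FALSE);
}

/* … in dlv_validatezonekey (and validatezonekey with val->dsset), replacing the scan loop … */
	memset(digest_types, 1, sizeof(digest_types));
	if (has_stronger_digest(&val->dlv, val->view->resolver,
				val->event->name))
		digest_types[DNS_DSDIGEST_SHA1] = 0;
```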
@@ -2175,10 +2183,10 @@ validatezonekey(dns_validator_t *val) {
        supported_algorithm = ISC_FALSE;
 
        /*
-        * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-        * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-        * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-        * is present.
+        * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+        * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+        * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+        * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
         */
        memset(digest_types, 1, sizeof(digest_types));
        for (result = dns_rdataset_first(val->dsset);
@@ -2189,13 +2197,21 @@ validatezonekey(dns_validator_t *val) {
                result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+               if (!dns_resolver_ds_digest_supported(val->view->resolver,
+                                                     val->event->name,
+                                                     ds.digest_type))
+                       continue;
+
                if (!dns_resolver_algorithm_supported(val->view->resolver,
                                                      val->event->name,
                                                      ds.algorithm))
                        continue;
 
-               if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
-                   ds.length == ISC_SHA256_DIGESTLENGTH) {
+               if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+                    ds.length == ISC_SHA256_DIGESTLENGTH) ||
+                   (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+                    ds.length == ISC_SHA384_DIGESTLENGTH))
+               {
                        digest_types[DNS_DSDIGEST_SHA1] = 0;
                        break;
                }