]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
4360. [bug] Silence spurious 'bad key type' message when there is
authorMark Andrews <marka@isc.org>
Thu, 5 May 2016 12:27:08 +0000 (22:27 +1000)
committerMark Andrews <marka@isc.org>
Thu, 5 May 2016 12:27:08 +0000 (22:27 +1000)
                        a existing TSIG key. [RT #42195]

CHANGES
bin/dnssec/dnssectool.c
bin/tests/system/tsig/clean.sh
bin/tests/system/tsig/setup.sh [new file with mode: 0644]
bin/tests/system/tsig/tests.sh
lib/dns/dnssec.c

diff --git a/CHANGES b/CHANGES
index 7344adf3603f0feb142231d8c2129ecb039ad424..c02c038da4001766d3ab3a3f3dcbcda614ccef9d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4360.  [bug]           Silence spurious 'bad key type' message when there is
+                       a existing TSIG key. [RT #42195]
+
 4359.  [bug]           Inherited 'also-notify' lists were not being checked
                        by named-checkconf. [RT #42174]
 
index 0e25e6733b1f4aa39343611a2fc1d1b451563f77..d3ff2e3a63bfcb0c3110830af008de7d513a46af 100644 (file)
@@ -30,6 +30,7 @@
 #include <isc/commandline.h>
 #include <isc/dir.h>
 #include <isc/entropy.h>
+#include <isc/file.h>
 #include <isc/heap.h>
 #include <isc/list.h>
 #include <isc/mem.h>
@@ -473,6 +474,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
        isc_uint16_t id, oldid;
        isc_uint32_t rid, roldid;
        dns_secalg_t alg;
+       char filename[ISC_DIR_NAMEMAX];
+       isc_buffer_t fileb;
 
        if (exact != NULL)
                *exact = ISC_FALSE;
@@ -481,6 +484,28 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
        rid = dst_key_rid(dstkey);
        alg = dst_key_alg(dstkey);
 
+       /*
+        * For HMAC and Diffie Hellman just check if there is a
+        * direct collision as they can't be revoked.  Additionally
+        * dns_dnssec_findmatchingkeys only handles DNSKEY which is
+        * not used for HMAC.
+        */
+       switch (alg) {
+       case DST_ALG_HMACMD5:
+       case DST_ALG_HMACSHA1:
+       case DST_ALG_HMACSHA224:
+       case DST_ALG_HMACSHA256:
+       case DST_ALG_HMACSHA384:
+       case DST_ALG_HMACSHA512:
+       case DST_ALG_DH:
+               isc_buffer_init(&fileb, filename, sizeof(filename));
+               result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE,
+                                              dir, &fileb);
+               if (result != ISC_R_SUCCESS)
+                       return (ISC_TRUE);
+               return (isc_file_exists(filename));
+       }
+
        ISC_LIST_INIT(matchkeys);
        result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
        if (result == ISC_R_NOTFOUND)
index 991e70f191f9ae2f7aed1026416ad16057c28677..18d8fc9eb542ae8352c7165cdbe9bfe21d7c250b 100644 (file)
@@ -24,3 +24,5 @@ rm -f dig.out.*
 rm -f */named.memstats
 rm -f */named.run
 rm -f ns*/named.lock
+rm -f Kexample.net.+163+*
+rm -f keygen.out?
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644 (file)
index 0000000..637ef3e
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+sh clean.sh
index 50ac8d23e6b63d35457c0d01cdb03e4b00a68225..db38c7e30a7b8fedb3367f0dc285fa0ceae71f8b 100644 (file)
@@ -233,6 +233,15 @@ grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
        echo "I: failed"; status=1
 fi
-exit $status
 
+echo "I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
+ret=0
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
+if [ $ret -eq 1 ] ; then
+       echo "I: failed"; status=1
+fi
 
+exit $status
index db28510cd111b7b3c184d1233aed92fc2944aa7f..6131f1b3a1ee96cd1f86156c9493698c9e820d31 100644 (file)
@@ -1411,6 +1411,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
                             isc_stdtime_t now, isc_mem_t *mctx,
                             dns_dnsseckeylist_t *keylist)
 {
+       const char *digits = "0123456789";
        isc_result_t result = ISC_R_SUCCESS;
        isc_boolean_t dir_open = ISC_FALSE;
        dns_dnsseckeylist_t list;
@@ -1419,7 +1420,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
        dst_key_t *dstkey = NULL;
        char namebuf[DNS_NAME_FORMATSIZE];
        isc_buffer_t b;
-       unsigned int len, i;
+       unsigned int len, i, alg;
 
        REQUIRE(keylist != NULL);
        ISC_LIST_INIT(list);
@@ -1442,11 +1443,20 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
                    strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
                        continue;
 
-               for (i = len + 1 + 1; i < dir.entry.length ; i++)
+               alg = 0;
+               for (i = len + 1 + 1; i < dir.entry.length ; i++) {
                        if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
                                break;
+                       alg *= 10;
+                       alg += strchr(digits, dir.entry.name[i]) - digits;
+               }
 
-               if (i == len + 1 + 1 || i >= dir.entry.length ||
+               /*
+                * Did we not read exactly 3 digits?
+                * Did we overflow?
+                * Did we correctly terminate?
+                */
+               if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
                    dir.entry.name[i] != '+')
                        continue;
 
@@ -1454,7 +1464,13 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
                        if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
                                break;
 
-               if (strcmp(dir.entry.name + i, ".private") != 0)
+               /*
+                * Did we not read exactly 5 more digits?
+                * Did we overflow?
+                * Did we correctly terminate?
+                */
+               if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
+                   strcmp(dir.entry.name + i, ".private") != 0)
                                continue;
 
                dstkey = NULL;
@@ -1464,6 +1480,17 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
                                               DST_TYPE_PRIVATE,
                                               mctx, &dstkey);
 
+               switch (alg) {
+               case DST_ALG_HMACMD5:
+               case DST_ALG_HMACSHA1:
+               case DST_ALG_HMACSHA224:
+               case DST_ALG_HMACSHA256:
+               case DST_ALG_HMACSHA384:
+               case DST_ALG_HMACSHA512:
+                       if (result == DST_R_BADKEYTYPE)
+                               continue;
+               }
+
                if (result != ISC_R_SUCCESS) {
                        isc_log_write(dns_lctx,
                                      DNS_LOGCATEGORY_GENERAL,