diff --git a/CHANGES b/CHANGES
index ed43e4fc60..dca637ab1e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3486. [bug] named could crash when using TKEY-negotiated keys
+ that had been deleted and then recreated. [RT #32506]
+
 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
 3484. [bug] Some statistics were incorrectly rendered in XML.
diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh
index 2ddd9c418c..a24513e239 100644
--- a/bin/tests/system/tkey/clean.sh
+++ b/bin/tests/system/tkey/clean.sh
@@ -17,7 +17,6 @@
 # $Id: clean.sh,v 1.8 2011/11/03 23:46:26 tbox Exp $
-rm -f dig.out.* random.data ns1/named.conf
+rm -f dig.out.* rndc.out.* random.data ns1/named.conf
 rm -f K* ns1/K*
 rm -f */named.memstats
-rm -f rndc.out
diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db
new file mode 100644
index 0000000000..430d7ec312
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/example.db
@@ -0,0 +1,30 @@
+; Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 1D
+
+@ IN SOA ns hostmaster (
+ 1
+ 3600
+ 1800
+ 1814400
+ 3
+ )
+ NS ns
+ns A 10.53.0.1
+mx MX 10 mail
+a A 10.53.0.1
+ A 10.53.0.2
+txt TXT "this is text"
+
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
index 7f235200dc..592c42bba7 100644
--- a/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -47,3 +47,9 @@ key "tkeytest." {
 algorithm hmac-md5;
 secret "0123456789ab";
 };
+
+zone example {
+ type master;
+ file "example.db";
+ allow-query { key tkeytest.; none; };
+};
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
index 4a9ac56f4d..15ec4df6b3 100644
--- a/bin/tests/system/tkey/setup.sh
+++ b/bin/tests/system/tkey/setup.sh
@@ -19,6 +19,8 @@ RANDFILE=random.data
+
+sh clean.sh
+
 ../../../tools/genrandom 100 $RANDFILE
 cd ns1 && sh setup.sh
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 1a51658e94..05eaa51280 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -91,8 +91,17 @@ status=`expr $status + $ret`
 echo "I:checking the key with 'rndc tsig-list'"
 ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out
-grep "key \"bar.example.server" rndc.out > /dev/null || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.1
+grep "key \"bar.example.server" rndc.out.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:using key in a request"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.3 || ret=1
+grep "status: NOERROR" dig.out.3 > /dev/null || ret=1
 if [ $ret != 0 ]; then
 echo "I:failed"
 fi
@@ -101,8 +110,38 @@ status=`expr $status + $ret`
 echo "I:deleting the key with 'rndc tsig-delete'"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-delete bar.example.server > /dev/null || ret=1
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out
-grep "key \"bar.example.server" rndc.out > /dev/null && ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.2
+grep "key \"bar.example.server" rndc.out.2 > /dev/null && ret=1
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.4 || ret=1
+grep "TSIG could not be validated" dig.out.4 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:recreating the bar.example. key"
+ret=0
+keyname=`./keycreate $dhkeyname bar.example.` || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed"
+ echo "I:exit status: $status"
+ exit $status
+fi
+status=`expr $status + $ret`
+
+echo "I:checking the new key with 'rndc tsig-list'"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.3
+grep "key \"bar.example.server" rndc.out.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:using the new key in a request"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.5 || ret=1
+grep "status: NOERROR" dig.out.5 > /dev/null || ret=1
 if [ $ret != 0 ]; then
 echo "I:failed"
 fi
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 217259b2f6..f08bdbbc44 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1269,7 +1269,7 @@ dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
 REQUIRE(length != NULL && *length == 0);
 REQUIRE(VALID_KEY(key));
- if (key->func->isprivate == NULL)
+ if (key->func->dump == NULL)
 return (ISC_R_NOTIMPLEMENTED);
 return (key->func->dump(key, mctx, buffer, length));
 }
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index cc781993fb..226603c912 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -239,7 +239,9 @@ adjust_lru(dns_tsigkey_t *tkey) {
 * We may have been removed from the LRU list between
 * removing the read lock and aquiring the write lock.
 */
- if (ISC_LINK_LINKED(tkey, link)) {
+ if (ISC_LINK_LINKED(tkey, link) &&
+ (tkey->ring->lru).head != tkey)
+ {
 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
 ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
 }
@@ -625,8 +627,7 @@ restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
 }
 static void
-dump_key(dns_tsigkey_t *tkey, FILE *fp)
-{
+dump_key(dns_tsigkey_t *tkey, FILE *fp) {
 char *buffer = NULL;
 int length = 0;
 char namestr[DNS_NAME_FORMATSIZE];
@@ -634,6 +635,9 @@ dump_key(dns_tsigkey_t *tkey, FILE *fp)
 char algorithmstr[DNS_NAME_FORMATSIZE];
 isc_result_t result;
+ REQUIRE(tkey != NULL);
+ REQUIRE(fp != NULL);
+
 dns_name_format(&tkey->name, namestr, sizeof(namestr));
 dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
 dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
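Review bot: The new guard in adjust_lru() tests the wrong end of the LRU list: the relink it protects is ISC_LIST_UNLINK followed by ISC_LIST_APPEND, which moves the key to the tail, so the tail is the position that already means "most recently used" and the head is the entry furthest from it. As written, a key that has aged to the head is exactly the one not refreshed when it is used, so if the ring's eviction path (not visible in this hunk) removes from the head, a live TKEY-negotiated key that is in active use becomes the first candidate to be dropped while idle keys survive. Unless eviction pops from the tail, the condition should read `tkey->ring->lru.tail != tkey`, which also keeps the intended "already in the right place, skip the relink" optimisation. The `generated` test and the write-lock acquire/release that enclose this block are outside the hunk, so the lock protecting `ring->lru` could not be checked here.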