Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
(cherry picked from commit 5d01eab088) (cherry picked from commit 9540b42695) (cherry picked from commit 4ab28446c1)
This commit is contained in:
parent
e315a20bd4
commit
3664176a73
2 changed files with 23 additions and 12 deletions
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
4597. [bug] The validator now ignores SHA-1 DS digest type
|
||||
when a DS record with SHA-384 digest type is
|
||||
present and is a supported digest type.
|
||||
[RT #45017]
|
||||
|
||||
4596. [bug] Validate glue before adding it to the additional
|
||||
section. This also fixes incorrect TTL capping
|
||||
when the RRSIG expired earlier than the TTL.
|
||||
|
|
|
|||
|
|
@ -1821,10 +1821,10 @@ dlv_validatezonekey(dns_validator_t *val) {
|
|||
supported_algorithm = ISC_FALSE;
|
||||
|
||||
/*
|
||||
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
|
||||
* it over DNS_DSDIGEST_SHA1. This in practice means that we
|
||||
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
|
||||
* is present.
|
||||
* If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
|
||||
* are required to prefer it over DNS_DSDIGEST_SHA1. This in
|
||||
* practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
|
||||
* DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
|
||||
*/
|
||||
memset(digest_types, 1, sizeof(digest_types));
|
||||
for (result = dns_rdataset_first(&val->dlv);
|
||||
|
|
@ -1840,8 +1840,11 @@ dlv_validatezonekey(dns_validator_t *val) {
|
|||
dlv.algorithm))
|
||||
continue;
|
||||
|
||||
if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
|
||||
dlv.length == ISC_SHA256_DIGESTLENGTH) {
|
||||
if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
|
||||
dlv.length == ISC_SHA256_DIGESTLENGTH) ||
|
||||
(dlv.digest_type == DNS_DSDIGEST_SHA384 &&
|
||||
dlv.length == ISC_SHA384_DIGESTLENGTH))
|
||||
{
|
||||
digest_types[DNS_DSDIGEST_SHA1] = 0;
|
||||
break;
|
||||
}
|
||||
|
|
@ -2172,10 +2175,10 @@ validatezonekey(dns_validator_t *val) {
|
|||
supported_algorithm = ISC_FALSE;
|
||||
|
||||
/*
|
||||
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
|
||||
* it over DNS_DSDIGEST_SHA1. This in practice means that we
|
||||
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
|
||||
* is present.
|
||||
* If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
|
||||
* are required to prefer it over DNS_DSDIGEST_SHA1. This in
|
||||
* practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
|
||||
* DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
|
||||
*/
|
||||
memset(digest_types, 1, sizeof(digest_types));
|
||||
for (result = dns_rdataset_first(val->dsset);
|
||||
|
|
@ -2191,8 +2194,11 @@ validatezonekey(dns_validator_t *val) {
|
|||
ds.algorithm))
|
||||
continue;
|
||||
|
||||
if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
|
||||
ds.length == ISC_SHA256_DIGESTLENGTH) {
|
||||
if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
|
||||
ds.length == ISC_SHA256_DIGESTLENGTH) ||
|
||||
(ds.digest_type == DNS_DSDIGEST_SHA384 &&
|
||||
ds.length == ISC_SHA384_DIGESTLENGTH))
|
||||
{
|
||||
digest_types[DNS_DSDIGEST_SHA1] = 0;
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
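Review bot: The digest-type preference test is now copied verbatim between dlv_validatezonekey (hunk at -1840) and validatezonekey (hunk at -2191), together with an identical four-line block comment, so the next digest type added has to be patched in four places; a small static helper taking the scalar digest_type and length (dlv and ds are different rdata structs, so pass the fields rather than the struct) would keep both loops in step. The rewritten comment also says we "are required to prefer" SHA-256 or SHA-384 over SHA-1 — RFC 4509 §3 phrases the SHA-256 rule as SHOULD, and to my knowledge RFC 6605 imposes no equivalent rule for SHA-384, so I would soften it to `* present we prefer them over DNS_DSDIGEST_SHA1 (RFC 4509 for SHA-256; SHA-384 by the same local policy).`. The length comparison on the new side is the right guard to keep: a DS whose length does not match its digest type never suppresses SHA-1. Both enclosing functions start before and continue after their hunks, and the check that the digest type itself is supported — which the CHANGES entry relies on — is outside the visible lines, so it is worth confirming it still precedes the new condition in both loops; the file is presumably the validator source, its header is not shown here.
```c
/*
 * True when a DS/DLV digest of type 'digest_type' and length 'length'
 * causes DNS_DSDIGEST_SHA1 to be ignored: SHA-256 per RFC 4509, and
 * SHA-384 by the same local policy.  A digest whose length does not
 * match its type never suppresses SHA-1.
 */
static isc_boolean_t
digest_supersedes_sha1(unsigned int digest_type, unsigned int length) {
	return (ISC_TF((digest_type == DNS_DSDIGEST_SHA256 &&
			length == ISC_SHA256_DIGESTLENGTH) ||
		       (digest_type == DNS_DSDIGEST_SHA384 &&
			length == ISC_SHA384_DIGESTLENGTH)));
}

/* … unchanged: validatezonekey() up to the per-DS loop … */
		if (digest_supersedes_sha1(ds.digest_type, ds.length)) {
			digest_types[DNS_DSDIGEST_SHA1] = 0;
			break;
		}
/* … same call with dlv.digest_type / dlv.length in dlv_validatezonekey() … */
```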