From 3664176a7310a412ae54814cb1435dc06f8ab0bc Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman
Date: Fri, 21 Apr 2017 16:19:28 +0530
Subject: [PATCH] Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
(cherry picked from commit 5d01eab088e5ec135f74a796b3b15e5feb77ba84)
(cherry picked from commit 9540b42695c15fdd5f01b4c663e21936e6c38c82)
(cherry picked from commit 4ab28446c1b63e3a850a122f6f24648c5af03ccb)
---
 CHANGES | 5 +++++
 lib/dns/validator.c | 30 ++++++++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/CHANGES b/CHANGES
index de69e6422c..7fa55a93ef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4597. [bug] The validator now ignores SHA-1 DS digest type
+ when a DS record with SHA-384 digest type is
+ present and is a supported digest type.
+ [RT #45017]
+
 4596. [bug] Validate glue before adding it to the additional section. This also fixes incorrect TTL capping when the RRSIG expired earlier than the TTL.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1d0b709336..b2dab662e4 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1821,10 +1821,10 @@ dlv_validatezonekey(dns_validator_t *val) {
 supported_algorithm = ISC_FALSE;
 /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
+ * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+ * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+ * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+ * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 */
 memset(digest_types, 1, sizeof(digest_types));
 for (result = dns_rdataset_first(&val->dlv);
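Review bot: The rewritten comment states the preference rule but not the precondition the loop enforces just below it: the `continue` on unsupported algorithms at the top of hunk @@ -1840 (and, per the CHANGES entry, on unsupported digest types) means SHA-1 is only ignored when the SHA-256/SHA-384 record is itself usable, which the comment leaves implicit. Suggest appending ` * Only a SHA-256/SHA-384 record that passes the digest-type and algorithm support checks below counts; an unusable one leaves SHA-1 in play.` to the comment. The same comment text is duplicated in validatezonekey at hunk @@ -2172 and should carry the same addition. dlv_validatezonekey starts and ends outside this hunk.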
@@ -1840,8 +1840,11 @@ dlv_validatezonekey(dns_validator_t *val) {
 dlv.algorithm))
 continue;
- if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
- dlv.length == ISC_SHA256_DIGESTLENGTH) {
+ if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+ dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+ (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+ dlv.length == ISC_SHA384_DIGESTLENGTH))
+ {
 digest_types[DNS_DSDIGEST_SHA1] = 0;
 break;
 }
@@ -2172,10 +2175,10 @@ validatezonekey(dns_validator_t *val) {
 supported_algorithm = ISC_FALSE;
 /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
+ * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+ * are required to prefer it over DNS_DSDIGEST_SHA1. This in
+ * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+ * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 */
 memset(digest_types, 1, sizeof(digest_types));
 for (result = dns_rdataset_first(val->dsset);
@@ -2191,8 +2194,11 @@ validatezonekey(dns_validator_t *val) {
 ds.algorithm))
 continue;
- if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
- ds.length == ISC_SHA256_DIGESTLENGTH) {
+ if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+ ds.length == ISC_SHA256_DIGESTLENGTH) ||
+ (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+ ds.length == ISC_SHA384_DIGESTLENGTH))
+ {
 digest_types[DNS_DSDIGEST_SHA1] = 0;
 break;
 }
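Review bot: The SHA-1 suppression is keyed on digest type alone: a single SHA-256 or SHA-384 record clears `digest_types[DNS_DSDIGEST_SHA1]` for the whole RRset, so a SHA-1 DS for a different key algorithm is ignored as well, even though `dlv.algorithm` is checked just above and not consulted here; if that set-wide behaviour is the intended policy the comment should say so, otherwise the suppression would need to be tracked per algorithm. The same four-line condition is duplicated verbatim in validatezonekey at hunk @@ -2191, and both sites would be easier to keep in step through one static helper, sketched below; the parameter types should follow the rdata struct fields, which are not visible in this patch. Both dlv_validatezonekey and validatezonekey start and end outside their hunks.
```c
/*
 * True when a DS/DLV record carries a digest that must be preferred
 * over SHA-1 in the same RRset; the length check rejects malformed
 * records that only claim the stronger digest type.
 */
static isc_boolean_t
ds_digest_supersedes_sha1(unsigned int digest_type, unsigned int length) {
	if ((digest_type == DNS_DSDIGEST_SHA256 &&
	     length == ISC_SHA256_DIGESTLENGTH) ||
	    (digest_type == DNS_DSDIGEST_SHA384 &&
	     length == ISC_SHA384_DIGESTLENGTH))
		return (ISC_TRUE);
	return (ISC_FALSE);
}

/* … unchanged: dlv_validatezonekey up to the algorithm support check … */
		if (ds_digest_supersedes_sha1(dlv.digest_type, dlv.length)) {
			digest_types[DNS_DSDIGEST_SHA1] = 0;
			break;
		}
/* … unchanged: rest of the loop; same replacement at the ds.* site in validatezonekey … */
```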