From 841b557df8482c180b4ecbcf8115406100396bcc Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 8 Jun 2021 20:28:31 -0700
Subject: [PATCH 1/2] allow multiple key algorithms in the same control listener

if a control channel listener was configured with more than one key algorithm, message verification would be attempted with each algorithm in turn. if the first key failed due to the wrong signature length, the entire verification process was aborted, rather than continuing on to try with another key.
---
 bin/named/controlconf.c | 4 ----
 bin/tests/system/rndc/setup.sh | 9 +++++++++
 bin/tests/system/rndc/tests.sh | 10 ++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 00897d1b53..3669cac1dc 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -445,10 +445,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 			}
 			isc_mem_put(listener->mctx, conn->secret.rstart,
 				    REGION_SIZE(conn->secret));
-			if (result != ISCCC_R_BADAUTH) {
-				log_invalid(&conn->ccmsg, result);
-				goto cleanup;
-			}
 		}
 
 		if (key == NULL) {
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 4c65acec8e..e4bd9ae134 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -45,3 +45,12 @@ make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256
 make_key 5 ${EXTRAPORT5} hmac-sha384
 make_key 6 ${EXTRAPORT6} hmac-sha512
+
+cat >> ns4/named.conf <<- EOF
+
+controls {
+	inet 10.53.0.4 port ${EXTRAPORT7}
+	allow { any; } keys { "key1"; "key2"; "key3";
+	"key4"; "key5"; "key6"; };
+};
+EOF
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 6065ade8b8..f847b2ad0b 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
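Review bot: Dropping the `result != ISCCC_R_BADAUTH` abort means every verification failure inside this loop, not only an authentication mismatch, is now treated as "wrong key, try the next one", and the `log_invalid(&conn->ccmsg, result)` call that was the only report of such a result in the loop disappears with it. A message that fails for a reason unrelated to which key was used (a malformed message, or presumably a resource error from the verify call that sets `result` above the hunk) will now be retried against every configured key and then land in the `if (key == NULL)` branch, which lies outside the hunk, so it cannot be seen here whether the last `result` is still logged or is flattened into a generic bad-auth report. If the intent is only to tolerate the signature-length mismatch described in the commit message, narrowing the condition to that specific result rather than deleting the whole block would keep non-key-specific errors observable; at minimum the loop deserves a comment on the line after `isc_mem_put(...)`: `/* any failure with this key is treated as "not this key"; the next configured key is tried */`. control_recvmessage starts and ends outside the hunk.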
@@ -412,6 +412,16 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "testing single control channel with multiple algorithms ($n)"
+ret=0
+for i in 1 2 3 4 5 6
+do
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n+1))
 echo_i "testing automatic zones are reported ($n)"
 ret=0

From a605a84b085ea57de95b7f6707a35afcfc70262c Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 8 Jun 2021 20:38:53 -0700
Subject: [PATCH 2/2] CHANGES

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 04257bcc56..23d9d1dbb5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5672.	[bug]		Authentication of rndc messages could fail if a
+			"controls" statement was configured with multiple
+			key algorithms in the same listener. [GL #2756]
+
 5671.	[bug]		Fix a race condition where two threads are competing for the same set of key file locks, that could lead to a deadlock. This has been fixed. [GL #2786]
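Review bot: The new loop only proves that each of the six configured keys is accepted; it does not check that the relaxed verification loop in controlconf.c still rejects a message signed with a key that is not in the listener's `keys` list, which is exactly the property the removed early abort used to enforce. Add a negative case after the `done` line using a key configuration that the `controls` block in setup.sh does not list (constructed with a different secret, e.g. `$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/<unconfigured-key>.conf status > /dev/null 2>&1 && ret=1`), so that a regression in the authentication path fails this test instead of passing unnoticed. The `$RNDC` invocation also discards both stdout and stderr, so a failure leaves nothing to inspect; redirecting to a per-test output file (e.g. `rndc.out.test$n`) would give the failure a diagnostic. The `n`, `status` and `echo_i` harness this block relies on is defined outside the hunk.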