From 3f93d3f757ce3e5ea92c3e899e262aa2318b32fc Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 19 Jun 2023 14:17:14 +1000
Subject: [PATCH] Restore the ability to read legacy K*+157+* files
The ability to read legacy HMAC-MD5 K* keyfile pairs using algorithm number 157 was accidentally lost when the algorithm numbers were consolidated into a single block, in commit 09f7e0607a34d90eae53f862954e98c31b5ae532. The assumption was that these algorithm numbers were only known internally, but they were also used in key files. But since HMAC-MD5 got renumbered from 157 to 160, legacy HMAC-MD5 key files no longer work. Move HMAC-MD5 back to 157 and GSSAPI back to 160. Add exception for GSSAPI to list_hmac_algorithms.
---
CHANGES | 3 +++
bin/named/main.c | 3 +++
bin/tests/system/dnssec/tests.sh | 2 +-
lib/dns/include/dst/dst.h | 11 +++++++++--
4 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9fe7a01389..108a5044a4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
+ [GL #4154]
+
 6204. [bug] Use NS records for relaxed QNAME-minimization mode. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets
diff --git a/bin/named/main.c b/bin/named/main.c
index 00c4db48d3..af87594080 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -484,6 +484,9 @@ list_hmac_algorithms(isc_buffer_t *b) {
 for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; i++) {
+ if (i == DST_ALG_GSSAPI) {
+ continue;
+ }
 if (dst_algorithm_supported(i)) {
 isc_buffer_putstr(b, " ");
 isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 8f5f68a019..d9f25db852 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
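Review bot: The new `if (i == DST_ALG_GSSAPI) { continue; }` carries no explanation, and the loop it sits in reads as if every value from `DST_ALG_HMAC_FIRST` to `DST_ALG_HMAC_LAST` were an HMAC, so the next reader may well "simplify" the guard away. A one-line comment above it would pin the reason: `/* DST_ALG_GSSAPI (160) sits inside the HMAC number range but is not an HMAC; skip it so dst_hmac_algorithm_totext() is never asked for it. */`. Any other loop over the same range elsewhere in the tree would need the same exception, and this hunk covers only this one, so a grep for DST_ALG_HMAC_FIRST is worth doing before merging. The body of list_hmac_algorithms continues past the end of the hunk.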
@@ -3539,7 +3539,7 @@ do
 2) # Diffie Helman
 alg=$((alg+1))
 continue;;
- 159|160|161|162|163|164|165) # private - non standard
+ 157|160|161|162|163|164|165) # private - non standard
 alg=$((alg+1))
 continue;;
 1|5|7|8|10) # RSA algorithms
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 4f5cf76286..3cca998bcb 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -95,15 +95,22 @@ typedef enum dst_algorithm {
 DST_ALG_ECDSA384 = 14,
 DST_ALG_ED25519 = 15,
 DST_ALG_ED448 = 16,
- DST_ALG_GSSAPI = 159,
- DST_ALG_HMACMD5 = 160,
+
+ /*
+ * Do not renumber HMAC algorithms as they are used externally to named
+ * in legacy K* key pair files.
+ * Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512.
+ */
+ DST_ALG_HMACMD5 = 157,
 DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
+ DST_ALG_GSSAPI = 160, /* Internal use only. Exception. */
 DST_ALG_HMACSHA1 = 161, /* XXXMPA */
 DST_ALG_HMACSHA224 = 162, /* XXXMPA */
 DST_ALG_HMACSHA256 = 163, /* XXXMPA */
 DST_ALG_HMACSHA384 = 164, /* XXXMPA */
 DST_ALG_HMACSHA512 = 165, /* XXXMPA */
 DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
+
 DST_ALG_INDIRECT = 252,
 DST_ALG_PRIVATE = 254,
 DST_MAX_ALGS = 256,
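Review bot: The changed skip list `157|160|161|162|163|164|165)` is a hand-copied mirror of the numbers in lib/dns/include/dst/dst.h and nothing in the script ties the two together, so the next renumbering will silently leave them out of step again. I would replace the trailing comment with one that names the source: `# 157, 160-165: DST_ALG_HMACMD5, DST_ALG_GSSAPI and HMAC-SHA* (see lib/dns/include/dst/dst.h)`. Dropping 159 also means that number, now unassigned, takes whatever path values such as 158 already take in this loop; that is presumably intended, but worth a run of the loop to confirm. The enclosing case statement and loop start and end outside the hunk.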
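Review bot: The new block comment says `Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512`, yet the same hunk places `DST_ALG_GSSAPI = 160` inside that range with only `/* Internal use only. Exception. */` to explain it, which leaves the cost of the exception unstated: every loop from `DST_ALG_HMAC_FIRST` to `DST_ALG_HMAC_LAST` now has to skip 160, as the main.c hunk does for list_hmac_algorithms. I would make that line `DST_ALG_GSSAPI = 160, /* Internal use only. Not an HMAC, but inside the HMAC range: every DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST loop must skip it. */`. The commit message says HMAC-MD5 carried number 160 between 09f7e06 and this change, so any K* file written by a build with that numbering would presumably now be read as GSSAPI rather than HMAC-MD5; if such builds were ever shipped, that deserves a sentence in this comment or in the CHANGES entry. The `typedef enum dst_algorithm` continues outside the hunk.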