
allow multiple key algorithms in the same control listener

if a control channel listener was configured with more than one
key algorithm, message verification would be attempted with each
algorithm in turn. if the first key failed due to the wrong
signature length, the entire verification process was aborted,
rather than continuing on to try with another key.
This commit is contained in:
Evan Hunt 2021-06-08 20:28:31 -07:00
parent f663701b1d
commit 841b557df8
3 changed files with 19 additions and 4 deletions


@ -445,10 +445,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
}
isc_mem_put(listener->mctx, conn->secret.rstart,
REGION_SIZE(conn->secret));
if (result != ISCCC_R_BADAUTH) {
log_invalid(&conn->ccmsg, result);
goto cleanup;
}
}
if (key == NULL) {
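Review bot: Any verification failure for one key, not only the signature-length mismatch the description targets, now continues on to the next key, and the per-key result is discarded by the time `if (key == NULL) {` is reached. A comment after the `isc_mem_put` call would make that intent explicit, e.g. `/* this key could not verify the message (e.g. wrong signature length for its algorithm); fall through and try the next configured key */`. It is also worth keeping per-key diagnostics at debug level so an operator can distinguish a misconfigured key from a forged message; whether log_invalid is the right helper for that I cannot tell from here. The loop over the configured keys and the handling after the `key == NULL` test lie outside the hunk, so I cannot confirm which result is finally reported when every key fails.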


@ -45,3 +45,12 @@ make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
make_key 5 ${EXTRAPORT5} hmac-sha384
make_key 6 ${EXTRAPORT6} hmac-sha512
cat >> ns4/named.conf <<- EOF
controls {
inet 10.53.0.4 port ${EXTRAPORT7}
allow { any; } keys { "key1"; "key2"; "key3";
"key4"; "key5"; "key6"; };
};
EOF


@ -412,6 +412,16 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing single control channel with multiple algorithms ($n)"
ret=0
for i in 1 2 3 4 5 6
do
$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing automatic zones are reported ($n)"
ret=0
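Review bot: The new loop only checks that every listed key is accepted; there is no negative case confirming that continuing past a failed key does not let an unlisted key or a wrong secret through on the multi-algorithm listener. One more invocation after the loop with a key configuration the listener does not list, expecting failure, would cover that, e.g. `$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c <UNLISTED_KEY_CONF> status > /dev/null 2>&1 && ret=1` (placeholder for a key file that is not in the listener's keys list). The single `echo_i "failed"` also gives no hint which algorithm broke; `... || { echo_i "key${i} failed"; ret=1; }` inside the loop would name it.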