From aea8a7bab922a8793f6c50af30bdfa424a7f706d Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 5 Sep 2019 20:24:25 +0200
Subject: [PATCH] Fix mkeys test changes backported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Squashed commit of the following:

commit a6cbd45fcfe2b1dc5339da72eed0ffeb27afdf81
Author: Petr Mensik <pemensik@redhat.com>
Date:   Thu Sep 5 20:01:21 2019 +0200

    Backport fixes to mkeys test

    The test relied on features that are present in more recent upstream
    versions but not in ours. Make the test pass with the features we
    currently have, and fix some mistakes made when backporting the
    original upstream commits.

commit be97d4d9d9f9568aa497e618ffbe2aba0841d035
Author: Michał Kępień <michal@isc.org>
Date:   Tue Mar 26 10:51:16 2019 +0100

    Add "-r $RANDFILE" where it is missing

    If the path to the source of random data is not passed explicitly to
    dnssec-keygen or dnssec-signzone and the --with-randomdev compile-time
    switch is not used, the aforementioned utilities will hang if the
    default source of random data (/dev/random) runs out of entropy.  Use
    "-r $RANDFILE" to prevent that from happening in affected system tests.

    (cherry picked from commit 59e1329e9b3aff72d8e36db8d0ca980d540decb3)

commit fd651e87b9bddcae7ef894b165d209a9693dc204
Author: Matthijs Mekking <matthijs@isc.org>
Date:   Thu Dec 20 15:23:07 2018 +0100

    Remove dig_with_opts

    (cherry picked from commit bb2c242c396d3c6893eb6a27e59af5a3b53452bc)

commit 84264e082ffe0c5439a0c789ceb7f8308d1b9b7e
Author: Matthijs Mekking <github@pletterpet.nl>
Date:   Wed Dec 19 10:16:10 2018 +0100

    Replace DSA with Reserved algorithm

    (cherry picked from commit 17cdde1e56abae5c3bf5256ecbdacbd8cbef05b6)
    (cherry picked from commit 0e9a8da68c89cb99b1892e8b0705b71c92532844)

commit e335f239aca4bdbf8160fe9bc1ef3cfba15ae06f
Author: Matthijs Mekking <github@pletterpet.nl>
Date:   Tue Dec 18 12:14:04 2018 +0100

    Allow unsupported alg in zone /w dnssec-signzone

    dnssec-signzone should sign a zonefile that contains a DNSKEY record
    with an unsupported algorithm.  Current behavior is that it will
    fail, hitting a fatal error.  The fix detects unsupported algorithms
    and will not try to add it to the keylist.

    Also when determining the maximum iterations for NSEC3, don't take
    into account DNSKEY records in the zonefile with an unsupported
    algorithm.

    (cherry picked from commit 1dd11fc754baf396bb3040527087b14f0678dd83)
    (cherry picked from commit 040e132f1692ce8bb1ac83032ee761b3278f0272)

commit a1c345c8ab39201fe6e0cd7f19696d6a2f8b5522
Author: Matthijs Mekking <github@pletterpet.nl>
Date:   Tue Dec 18 12:10:05 2018 +0100

    Add dnssec-signzone tests with unsupported alg

    dnssec-signzone should sign a zonefile that contains a DNSKEY record
    with an unsupported algorithm.

    (cherry picked from commit 6d976b37c1b2b2c4bcede89252cf26b6f170c142)
    (cherry picked from commit 8619318a1e6207e487438a93bd7a620967091347)
    (cherry picked from commit 9f81119c0256378683c20e8e01a874378cabfcbc)
---
 bin/tests/system/dnssec/clean.sh              |  4 ++
 bin/tests/system/dnssec/ns2/example.db.in     |  5 ++-
 .../ns3/dnskey-unsupported-2.example.db.in    | 27 ++++++++++++
 .../ns3/dnskey-unsupported.example.db.in      | 27 ++++++++++++
 bin/tests/system/dnssec/ns3/named.conf.in     | 10 +++++
 bin/tests/system/dnssec/ns3/sign.sh           | 42 ++++++++++++++++++-
 .../dnssec/ns3/unsupported-algorithm.key      |  1 +
 bin/tests/system/dnssec/tests.sh              | 20 +++++++++
 bin/tests/system/dupsigs/ns1/reset_keys.sh    |  2 +
 bin/tests/system/mkeys/ns6/setup.sh           |  2 +-
 bin/tests/system/mkeys/setup.sh               |  2 +
 bin/tests/system/mkeys/tests.sh               |  6 +--
 lib/dns/dnssec.c                              |  8 ++++
 lib/dns/include/dns/dnssec.h                  |  2 +-
 lib/dns/nsec3.c                               | 11 ++++-
 15 files changed, 161 insertions(+), 8 deletions(-)
 create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
 create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
 create mode 100644 bin/tests/system/dnssec/ns3/unsupported-algorithm.key

diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 1873c4b586..0fcff23797 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -55,6 +55,10 @@ rm -f ns3/future.example.db ns3/trusted-future.key
 rm -f ns3/inline.example.db.signed
 rm -f ns3/kskonly.example.db
 rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
+rm -f ./ns3/dnskey-unsupported-2.example.db
+rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
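Review bot: The four new lines use a `./ns3/` prefix while every neighbouring rule in this hunk uses a bare `ns3/`; the dot adds nothing and breaks the visual pattern, so `rm -f ns3/dnskey-unsupported.example.db ns3/dnskey-unsupported.example.db.tmp` (and the same pair for `-2`) would match the surrounding style. ns3/sign.sh also writes `dnskey-unsupported*.example.db.signed`, a `dsset-dnskey-unsupported.example.` file and `K*` key files for these zones, none of which are removed here; that relies on wildcard rules elsewhere in clean.sh that are not visible in this hunk, and is worth confirming, because a stale `.signed` file left from an earlier run would let the zone load even if the new signing step failed.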
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 0b831ec94e..6afffe00f3 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -97,6 +97,9 @@ ns.optout-unknown	A	10.53.0.3
 dnskey-unknown		NS	ns.dnskey-unknown
 ns.dnskey-unknown	A	10.53.0.3
 
+dnskey-unsupported	NS	ns.dnskey-unsupported
+ns.dnskey-unsupported	A	10.53.0.3
+
 dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
 ns.dnskey-nsec3-unknown	A	10.53.0.3
 
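Review bot: Only `dnskey-unsupported` receives a delegation here; the `dnskey-unsupported-2.example` zone that ns3/sign.sh also creates gets none, which is fine while its test queries ns3 directly (as it does in this patch), but a one-line comment such as `; dnskey-unsupported-2 is deliberately not delegated: only queried on ns3` would stop a later test from assuming it validates through ns4. For the ns4 check to actually exercise an algorithm-255 DS, the `dsset-dnskey-unsupported.example.` file produced by ns3/sign.sh must be folded in when `example` is signed; that happens outside this diff (ns2/sign.sh), presumably via an existing dsset glob, and should be verified rather than assumed.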
@@ -111,7 +114,7 @@ ns.rsasha256		A	10.53.0.3
 rsasha512		NS	ns.rsasha512
 ns.rsasha512		A	10.53.0.3
 
-kskonly 		NS	ns.kskonly
+kskonly			NS	ns.kskonly
 ns.kskonly		A	10.53.0.3
 
 update-nsec3		NS	ns.update-nsec3
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
new file mode 100644
index 0000000000..c9e7c2b3da
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
new file mode 100644
index 0000000000..c9e7c2b3da
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
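Review bot: This file is byte-identical to `dnskey-unsupported.example.db.in` (both headers show blob `c9e7c2b3da`), so the patch introduces two copies of the same zone data that will have to be kept in sync by hand. Because neither template uses `$ORIGIN` and every owner name is relative, ns3/sign.sh could reuse the first template for the second zone (`infile=dnskey-unsupported.example.db.in`), or a leading comment (`; identical to dnskey-unsupported.example.db.in by design`) could make the duplication deliberate.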
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 14ebbc8ea8..6aa5d5350d 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -150,6 +150,16 @@ zone "dnskey-unknown.example" {
 	file "dnskey-unknown.example.db.signed";
 };
 
+zone "dnskey-unsupported.example" {
+	type master;
+	file "dnskey-unsupported.example.db.signed";
+};
+
+zone "dnskey-unsupported-2.example" {
+	type master;
+	file "dnskey-unsupported-2.example.db.signed";
+};
+
 zone "dnskey-nsec3-unknown.example" {
 	type master;
 	nsec3-test-zone yes;
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index f95a6b7ea8..99e9b4958f 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -12,6 +12,12 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
+# Default algorithm for testing
+# In more recent versions set in conf.sh, include here for backward copatibility
+DEFAULT_ALGORITHM=RSASHA256
+DEFAULT_ALGORITHM_NUMBER=8
+DEFAULT_BITS=1280
+
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
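Review bot: The three `DEFAULT_*` assignments are unconditional, so as soon as `conf.sh` gains these variables (the comment itself says newer versions set them there) this script will silently override whatever conf.sh chose; the shell default-value form, `DEFAULT_ALGORITHM=${DEFAULT_ALGORITHM:-RSASHA256}`, `DEFAULT_ALGORITHM_NUMBER=${DEFAULT_ALGORITHM_NUMBER:-8}`, `DEFAULT_BITS=${DEFAULT_BITS:-1280}`, keeps the fallback while letting conf.sh win. The comment also misspells "compatibility" (`copatibility`). `DEFAULT_ALGORITHM_NUMBER` is not referenced in any visible hunk of this script; if it is unused, drop it or say what it is reserved for.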
@@ -193,7 +199,7 @@ cat $infile $keyname.key >$zonefile
 $SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 
 #
-# A zone with a unknown DNSKEY algorithm.
+# A zone that is signed with an unknown DNSKEY algorithm.
 # Algorithm 7 is replaced by 100 in the zone and dsset.
 #
 zone=dnskey-unknown.example.
@@ -211,6 +217,40 @@ awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { prin
 DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
 $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
 
+#
+# A zone that is signed with an unsupported DNSKEY algorithm (3).
+# Algorithm 7 is replaced by 255 in the zone and dsset.
+#
+zone=dnskey-unsupported.example.
+infile=dnskey-unsupported.example.db.in
+zonefile=dnskey-unsupported.example.db
+
+keyname=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
+
+awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A zone with a published unsupported DNSKEY algorithm (Reserved).
+# Different from above because this key is not intended for signing.
+#
+zone=dnskey-unsupported-2.example.
+infile=dnskey-unsupported-2.example.db.in
+zonefile=dnskey-unsupported-2.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
+
+"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
+
 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
 # Algorithm 7 is replaced by 100 in the zone and dsset.
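Review bot: The header comment of the first new block says "unsupported DNSKEY algorithm (3)", but the awk rewrite two lines below substitutes 255, and the second block and the committed key both use 255 (Reserved); the "3" is left over from the DSA variant this squash replaced, so it should read `# A zone that is signed with an unsupported DNSKEY algorithm (255, Reserved).`. The awk program has no `next` after its rewriting rules, so every DNSKEY and RRSIG line is emitted twice (already modified both times); this mirrors the existing dnskey-unknown block above and named appears to tolerate duplicate identical RRs, but `$4 == "DNSKEY" { $7 = 255; print; next }` would make the intent explicit and drop the duplicates. `$RANDFILE`, `${zonefile}.tmp` and `${zonefile}.signed` are the only unquoted expansions in otherwise fully-quoted command lines; quote them for consistency.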
diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
new file mode 100644
index 0000000000..cc8bb9a51d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
@@ -0,0 +1 @@
+dnskey-unsupported-2.example.	IN	DNSKEY	257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b1907c73a5..fdbfbdb779 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3347,6 +3347,26 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
+ret=0
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
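Review bot: The first new check queries `dnskey-unsupported.example A`, but the zone template this patch adds has no A record at the apex (only `ns`, `a`, `b`, ... beneath it), so both ns3 and ns4 answer NOERROR/NODATA and the `status: NOERROR` grep cannot distinguish a validated-as-insecure answer from an empty one. Either query a name that exists, `a.dnskey-unsupported.example A`, and add `grep "10\.0\.0\.1" dig.out.ns4.test$n > /dev/null || ret=1`, or assert the NODATA explicitly with `grep "ANSWER: 0," dig.out.ns4.test$n > /dev/null || ret=1`. The new blocks also switch to `n=$((n+1))` and `test "$ret" -eq 0 ||` while the surrounding code in this file (visible directly above) uses `expr` and `if [ $ret != 0 ]`; both are POSIX, but the mixture makes the file inconsistent.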
 echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
 ret=0
 (
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
index f03503f762..42ce8ac20b 100644
--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -22,6 +22,8 @@ timetodnssec() {
 }
 
 KEYDIR=keys/signing.test
+KEYGEN="$KEYGEN -r $RANDFILE"
+
 KSK=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q -f KSK $zone`
 
 ZSK0=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q $zone`
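Review bot: Rewriting `KEYGEN` itself instead of adding `-r $RANDFILE` to each call changes the command for the remainder of this script and expands `$RANDFILE` once, unquoted; if it is empty or unset, the bare `-r` consumes the following `-a` as the random-file path and `RSASHA256` becomes the zone name, which fails in a confusing way. Whether `RANDFILE` is guaranteed here depends on conf.sh being sourced above this hunk, which is not visible; a guard such as `KEYGEN="$KEYGEN -r ${RANDFILE:?RANDFILE is not set}"` fails loudly instead.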
diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
index 5ba1647da5..6f196c20db 100644
--- a/bin/tests/system/mkeys/ns6/setup.sh
+++ b/bin/tests/system/mkeys/ns6/setup.sh
@@ -16,7 +16,7 @@ zone=.
 zonefile=root.db
 
 # an RSA key
-rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
+rsakey=`$KEYGEN -a rsasha256 -b 2048 -r $RANDFILE -qfk rsasha256.`
 
 # a key with unsupported algorithm
 unsupportedkey=Kunknown.+255+00000
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index 100a86959b..79c877f85d 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -21,6 +21,8 @@ copy_setports ns1/named1.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
 
 cp ns5/named1.args ns5/named.args
 
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index b8410902d7..3533dbadbb 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -297,7 +297,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 echo_i "reinitialize trust anchors"
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns2
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} . ns2
 rm -f ns2/managed-keys.bind*
 nextpart ns2/named.run > /dev/null
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns2
@@ -714,10 +714,10 @@ status=`expr $status + $ret`
 
 echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
 ret=0
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
+$PERL $SYSTEMTESTTOP/stop.pl --port ${CONTROLPORT} . ns6
 rm -f ns6/managed-keys.bind*
 nextpart ns6/named.run > /dev/null
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns6
 # log when an unsupported algorithm is encountered during startup
 wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
 if [ $ret != 0 ]; then echo_i "failed"; fi
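Review bot: The new stop.pl line drops `--use-rndc` for ns6 while the ns2 reinitialisation earlier in this same patch keeps it, so ns6 is now stopped by signal rather than an orderly `rndc stop`, and the retained `--port ${CONTROLPORT}` appears to have nothing to act on without `--use-rndc`. If ns6 has no usable controls channel in this backport, a comment (`# ns6 has no controls stanza here; stop by signal`) would explain the asymmetry; otherwise restore `--use-rndc` for consistency with the ns2 case. Changing the test directory argument from `mkeys` to `.` is consistent with the `--port ${PORT} . ns2` invocation above, which suggests tests.sh runs from inside the mkeys directory.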
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 1045f8ff21..984f28be26 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1681,6 +1681,14 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 	     result = dns_rdataset_next(&keys)) {
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&keys, &rdata);
+
+		/* Skip unsupported algorithms */
+		REQUIRE(rdata.type == dns_rdatatype_key ||
+			rdata.type == dns_rdatatype_dnskey);
+		REQUIRE(rdata.length > 3);
+		if (!dst_algorithm_supported(rdata.data[3]))
+			goto skip;
+
 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
 		dst_key_setttl(pubkey, keys.ttl);
 
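Review bot: `REQUIRE()` inside the per-rdata loop departs from the BIND convention of `REQUIRE` for preconditions at function entry and `INSIST` for internal invariants; the type is a property of the whole rdataset and can be checked once before the loop, `REQUIRE(keys.type == dns_rdatatype_key || keys.type == dns_rdatatype_dnskey);`, and the minimum DNSKEY length is already enforced by the rdata parser, so `INSIST(rdata.length > 3);` states that more honestly than a REQUIRE that can only fire on corrupted internal state. The skip is silent: a DNSKEY present in the zone file is dropped from the signing keylist with no log line and no hint in the return value, so dnssec-signzone will emit a zone the operator may believe is signed with that key; at minimum the comment should say so, e.g. `/* Skip unsupported algorithms: the key is published but never used for signing */`. The `skip` label and the rest of dns_dnssec_keylistfromrdataset lie outside this hunk.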
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 75e32202a9..9a638852d7 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -299,7 +299,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
 /*%<
  * Search 'directory' for K* key files matching the name in 'origin'.
  * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
  *
  *	Requires:
  *\li		'keylist' is not NULL
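Review bot: The sentence "Skip any unsupported algorithms." is added to the `/*%<` block that, in this header's style, follows and documents `dns_dnssec_findmatchingkeys2` ("Search 'directory' for K* key files..."), whereas the code change in this patch is in `dns_dnssec_keylistfromrdataset`. Unless findmatchingkeys also filters unsupported algorithms (not visible here), the sentence belongs in the doc block after `dns_dnssec_keylistfromrdataset`, phrased as `DNSKEY records whose algorithm is not supported by the DST backend are not added to 'keylist'.`, so the header describes the behaviour callers will actually observe.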
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 37b6a8a7fe..0729886c9f 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1801,8 +1801,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdata_t rdata = DNS_RDATA_INIT;
-
 		dns_rdataset_current(&rdataset, &rdata);
+
+		/* Skip unsupported algorithms when
+		 * calculating the maximum iterations.
+		 */
+		REQUIRE(rdata.type == dns_rdatatype_key ||
+			rdata.type == dns_rdatatype_dnskey);
+		REQUIRE(rdata.length > 3);
+		if (!dst_algorithm_supported(rdata.data[3]))
+			continue;
+
 		isc_buffer_init(&buffer, rdata.data, rdata.length);
 		isc_buffer_add(&buffer, rdata.length);
 		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
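Review bot: Skipping unsupported-algorithm keys means a zone whose DNSKEYs are all unsupported never updates the minimum-key-size accumulator, so `dns_nsec3_maxiterations` returns whatever that accumulator's initial value maps to; the initialisation is outside this hunk, but if it corresponds to the largest size class the caller gets the most permissive iteration bound, which deserves either an explicit decision or a comment such as `/* no usable key: the bound falls back to the initial minimum-size default */`. As in dnssec.c, `REQUIRE()` inside the loop is unconventional — the type check can move ahead of the loop onto `rdataset.type`, and `INSIST(rdata.length > 3);` better expresses that the rdata parser already guarantees the length. The enclosing function starts and ends outside this hunk.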
-- 
2.20.1