Report information
The Basics
Id:
45388
Status:
resolved
Priority:
Medium/Medium
Queue:

People
Owner:
Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed:
9.12.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
BIND Utilities
Area:
bug

Dates
Created:Thu, 15 Jun 2017 09:55:34 -0400
Updated:Mon, 26 Jun 2017 20:06:01 -0400
Closed:Sat, 17 Jun 2017 02:17:27 -0400




Subject: [PATCH] nsec3hash: compatibility with salt "-"
Date: Thu, 15 Jun 2017 14:55:26 +0100
To: bind9-bugs@isc.org
From: "Tony Finch" <dot@dotat.at>
The introduction of isc_commandline_parse() has caused a compatibility problem with nsec3hash. Previously you were able to type (for example) $ dig +multiline +dnssec com txt | grep 'IN NSEC3' CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 864 IN NSEC3 1 1 0 - ( $ /opt/bind-9.12.0-dev+9+889cc53/bin/nsec3hash - 1 0 com CK0POJMG874LJREF7EFN8430QVIT8BSM (salt=-, hash=1, iterations=0) However the current version says: $ /opt/bind-9.12.0-dev+11+bc78a97/bin/nsec3hash - 1 0 com /opt/bind-9.12.0-dev+11+bc78a97/bin/nsec3hash: illegal option -- - Usage: nsec3hash salt algorithm iterations domain nsec3hash -r algorithm flags iterations salt domain The patch below restores the old behaviour for compatibility with existing scripts. It also now canonicalizes empty salts from '' to '-' to properly match presentation format. I've also revamped the test script to check various empty salt command line parsing edge cases. --- bin/tests/system/tools/tests.sh | 103 ++++++++++++++++++++++++++-------------- bin/tools/nsec3hash.c | 9 +++- 2 files changed, 75 insertions(+), 37 deletions(-) diff --git a/bin/tests/system/tools/tests.sh b/bin/tests/system/tools/tests.sh index de7222b..7e8fe14 100644 --- a/bin/tests/system/tools/tests.sh +++ b/bin/tests/system/tools/tests.sh @@ -11,16 +11,12 @@ SYSTEMTESTTOP=.. status=0 -checkhash() { - name=$1 - hash=$2 - echo "I:checking nsec3hash $name" - out=`$NSEC3HASH $salt $algo $iters $1` +checkout() { case $? in 0) : ok ;; - *) echo "I:failed $cmd" + *) echo "I:failed" status=`expr $status + 1` - continue ;; + return 1 ;; esac case $out in *$hash*) : ok ;; 
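Review bot: `checkout` opens with `case $? in`, so it silently depends on the caller running nothing between the `out=` command substitution and the call. An `echo` or assignment added in between would make the status check pass unconditionally, and a chained second call sees the previous `checkout`'s return value rather than the tool's. Capturing the status at the call site makes the dependency explicit: `ret=$?` directly after the `out=` line and `case $ret in` here, with a comment such as `# $ret: exit status of the nsec3hash run that produced $out`. The function body continues past the end of this hunk.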
@@ -29,41 +25,76 @@ checkhash() { echo "I:failed" status=`expr $status + 1` ;; esac +} - echo "I:checking nsec3hash -r $name" +# test cases taken from RFC 5155 appendix A +algo=1 flags=0 iters=12 salt="aabbccdd" +while read name hash +do + echo "I:checking $NSEC3HASH $name" + out=`$NSEC3HASH $salt $algo $iters $name` + checkout + + echo "I:checking $NSEC3HASH -r $name" out=`$NSEC3HASH -r $algo $flags $iters $salt $name` + checkout + +done <<EOF +*.w.example R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN +2t7b4g4vsa5smi47k61mv5bv1a22bojr.example KOHAR7MBB8DC2CE8A9QVL8HON4K53UHI +a.example 35MTHGPGCU1QG68FAB165KLNSNK3DPVL +ai.example GJEQE526PLBF1G8MKLP59ENFD789NJGI +example 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM +ns1.example 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR +ns2.example Q04JKCEVQVMU85R014C7DKBA38O0JI5R +w.example K8UDEMVP1J2F7EG6JEBPS17VP3N8I58H +x.w.example B4UM86EGHHDS6NEA196SMVMLO4ORS995 +x.y.w.example 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S +xx.example T644EBQK9BIBCNA874GIVR6JOJ62MLHV +y.w.example JI6NEOAEPV8B5O6K4EV33ABHA8HT9FGC +EOF + +# test empty salt +checkempty() { + hash=CK0POJMG874LJREF7EFN8430QVIT8BSM checkout && + hash=- checkout +} +name=com algo=1 flags=1 iters=0 +echo "I:checking $NSEC3HASH '' $name" +out=`$NSEC3HASH '' $algo $iters $name` +checkempty +echo "I:checking $NSEC3HASH - $name" +out=`$NSEC3HASH - $algo $iters $name` +checkempty +echo "I:checking $NSEC3HASH -- '' $name" +out=`$NSEC3HASH -- '' $algo $iters $name` +checkempty +echo "I:checking $NSEC3HASH -- - $name" +out=`$NSEC3HASH -- - $algo $iters $name` +checkempty +echo "I:checking $NSEC3HASH -r '' $name" +out=`$NSEC3HASH -r $algo $flags $iters '' $name` +checkempty +echo "I:checking $NSEC3HASH -r - $name" +out=`$NSEC3HASH -r $algo $flags $iters - $name` +checkempty + +checkfail() { case $? 
in - 0) : ok ;; - *) echo "I:failed $cmd" + 0) echo "I:failed to fail" status=`expr $status + 1` - continue ;; - esac - case $out in - *$hash*) : ok ;; - *) echo "I:expect $hash" - echo "I:output $out" - echo "I:failed" - status=`expr $status + 1` ;; + return 1 ;; esac } - -# test cases taken from RFC 5155 appendix A -algo=1 flags=0 iters=12 salt="aabbccdd" -for testcase in \ - "*.w.example R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN" \ - "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example KOHAR7MBB8DC2CE8A9QVL8HON4K53UHI" \ - "a.example 35MTHGPGCU1QG68FAB165KLNSNK3DPVL" \ - "ai.example GJEQE526PLBF1G8MKLP59ENFD789NJGI" \ - "example 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM" \ - "ns1.example 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR" \ - "ns2.example Q04JKCEVQVMU85R014C7DKBA38O0JI5R" \ - "w.example K8UDEMVP1J2F7EG6JEBPS17VP3N8I58H" \ - "x.w.example B4UM86EGHHDS6NEA196SMVMLO4ORS995" \ - "x.y.w.example 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S" \ - "xx.example T644EBQK9BIBCNA874GIVR6JOJ62MLHV" \ - "y.w.example JI6NEOAEPV8B5O6K4EV33ABHA8HT9FGC"; do - checkhash $testcase -done +echo "I:checking $NSEC3HASH missing args" +out=`$NSEC3HASH 00 1 0 2>&1` +checkfail +echo "I:checking $NSEC3HASH extra args" +out=`$NSEC3HASH 00 1 0 two names 2>&1` +checkfail +echo "I:checking $NSEC3HASH bad option" +out=`$NSEC3HASH -? 2>&1` +checkfail echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c index 3103c20..8928ed2 100644 --- a/bin/tools/nsec3hash.c +++ b/bin/tools/nsec3hash.c @@ -85,6 +85,7 @@ nsec3hash(nsec3printer *nsec3print, char *algostr, char *flagstr, unsigned int length; unsigned int iterations; unsigned int salt_length; + char dash[] = "-"; if (strcmp(saltstr, "-") == 0) { salt_length = 0; 
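Review bot: The test inputs are expanded unquoted, so `$name` holding `*.w.example` in the RFC 5155 loop and the literal `-?` in the bad-option case are both subject to pathname expansion before nsec3hash sees them. If the working directory ever contains a matching file, the tool runs with different arguments and the test fails spuriously or, for `checkfail`, passes for the wrong reason. Quoting the arguments (`"$salt"`, `"$name"`, `'-?'`) and using `read -r` in the loop keeps the inputs exactly as written. `checkfail` also accepts any non-zero status, so an abnormal exit would count as a pass; matching the usage text in `$out` would tighten it. The hunk opens inside the tail of `checkout`, whose start is in the previous hunk.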
@@ -96,6 +97,8 @@ nsec3hash(nsec3printer *nsec3print, char *algostr, char *flagstr, salt_length = isc_buffer_usedlength(&buffer); if (salt_length > DNS_NSEC3_SALTSIZE) fatal("salt too long"); + if (salt_length == 0) + saltstr = dash; } hash_alg = atoi(algostr); if (hash_alg > 255U) @@ -157,17 +160,21 @@ main(int argc, char *argv[]) { rdata_format = ISC_TRUE; } - while ((ch = isc_commandline_parse(argc, argv, "r")) != -1) { + while ((ch = isc_commandline_parse(argc, argv, "-r")) != -1) { switch (ch) { case 'r': rdata_format = ISC_TRUE; break; + case '-': + isc_commandline_index -= 1; + goto skip; default: usage(); break; } } +skip: argc -= isc_commandline_index; argv += isc_commandline_index;
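Review bot: The reassignment `saltstr = dash;` after the length check carries no comment, and a reader of this function alone cannot tell that the input string is being replaced only so the printed salt appears in presentation form (as the patch description states). I would add `/* Empty salt: report it as "-", the NSEC3 presentation form. */` above `if (salt_length == 0)`. `dash`, declared in the previous hunk, is never written to, so `static const char dash[] = "-";` would be the clearer declaration if `saltstr` is const-qualified; its declaration is not visible in these hunks. nsec3hash's body starts and ends outside this hunk.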
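Review bot: In `case '-':` the step back `isc_commandline_index -= 1;` assumes the parser has just consumed a stand-alone `-` argument and advanced the index by exactly one. isc_commandline_parse is not shown here, but if it follows getopt conventions, a `-` met inside a cluster such as `-r-` or as the second character of a longer word would also land in this case, leaving the index on an argument that is not the salt. Checking the argument before stepping back closes that gap: `if (strcmp(argv[isc_commandline_index - 1], "-") != 0) usage();`. A short comment on the `goto skip` saying that a bare `-` is the empty salt of the old positional syntax would also help the next reader. main's body starts and ends outside the hunk.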
4637 broke old style command line with a salt of '-' [RT #45388]
CC: "Tony Finch" <dot@dotat.at>
Subject: Re: [ISC-Bugs #45388] [PATCH] nsec3hash: compatibility with salt "-"
Date: Fri, 16 Jun 2017 17:51:55 +0100
To: "Mark Andrews via RT" <bind9-bugs@isc.org>
From: "Tony Finch" <dot@dotat.at>
Thanks! And nice const-correctness :-) There are a couple of missing const qualifiers - see below. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode Humber, Thames, Dover: West 4 or 5, becoming variable 3 or 4 later. Slight, occasionally moderate at first in Humber. Fair. Good, occasionally moderate later. diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c index 93bfbab..a1c40f5 100644 --- a/bin/tools/nsec3hash.c +++ b/bin/tools/nsec3hash.c @@ -70,7 +70,7 @@ typedef void nsec3printer(unsigned algo, unsigned flags, unsigned iters, const char *digest); static void -nsec3hash(nsec3printer *nsec3print, char *algostr, char *flagstr, +nsec3hash(nsec3printer *nsec3print, const char *algostr, const char *flagstr, const char *iterstr, const char *saltstr, const char *domain) { dns_fixedname_t fixed;
On Fri Jun 16 06:52:03 2017, dot@dotat.at wrote: > Thanks! And nice const-correctness :-) There are a couple of missing const > qualifiers - see below. > > Tony. Thanks, merged