- Fix that NSD warns for wrong length of the hash in SSHFP records.

NLnetLabs · Jul 17, 2019 · b4528a3 · b4528a3
1 parent c40cd90
commit b4528a3
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 1 deletion.
diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -1,3 +1,6 @@
+17 July 2019: Wouter
+	- Fix that NSD warns for wrong length of the hash in SSHFP records.
+
 15 July 2019: Wouter
 	- PR #23: Fix typo in nsd.conf man-page.
 

diff --git a/doc/RELNOTES b/doc/RELNOTES
@@ -11,6 +11,7 @@ BUG FIXES:
 	  array index.  Reported by Frederic Cambus.  The zone parser
 	  fails on type SIG because of mismatched definition with RRSIG.
 	- PR #23: Fix typo in nsd.conf man-page.
+	- Fix that NSD warns for wrong length of the hash in SSHFP records.
 
 
 4.2.1

diff --git a/zonec.c b/zonec.c
@@ -1742,3 +1742,27 @@ zonec_parse_string(region_type* region, domain_table_type* domains,
 	parser_flush();
 	return errors;
 }
+
+/** check SSHFP type for failures and emit warnings */
+void check_sshfp(void)
+{
+	uint8_t hash;
+	uint16_t size;
+	if(parser->current_rr.rdata_count < 3)
+		return; /* cannot check it, too few rdata elements */
+	if(rdata_atom_size(parser->current_rr.rdatas[1]) != 1)
+		return; /* wrong size of the hash type rdata element */
+	hash = rdata_atom_data(parser->current_rr.rdatas[1])[0];
+	size = rdata_atom_size(parser->current_rr.rdatas[2]);
+	if(hash == 1 && size != 20) {
+		zc_warning_prev_line("SSHFP %s of type SHA1 has hash of "
+			"wrong length, %d bytes, should be 20",
+			domain_to_string(parser->current_rr.owner),
+			(int)size);
+	} else if(hash == 2 && size != 32) {
+		zc_warning_prev_line("SSHFP %s of type SHA256 has hash of "
+			"wrong length, %d bytes, should be 32",
+			domain_to_string(parser->current_rr.owner),
+			(int)size);
+	}
+}
diff --git a/zonec.h b/zonec.h
@@ -142,5 +142,7 @@ unsigned int zonec_read(const char *name, const char *zonefile, zone_type* zone)
  * The string must end with a newline after the RR. */
 int zonec_parse_string(region_type* region, domain_table_type* domains,
 	zone_type* zone, char* str, domain_type** parsed, int* num_rrs);
+/** check SSHFP type for failures and emit warnings */
+void check_sshfp(void);
 
 #endif /* _ZONEC_H_ */
diff --git a/zparser.y b/zparser.y
@@ -633,7 +633,7 @@ type_and_rdata:
     |	T_DLV sp rdata_dlv { if (dlv_warn) { dlv_warn = 0; zc_warning_prev_line("DLV is experimental"); } }
     |	T_DLV sp rdata_unknown { if (dlv_warn) { dlv_warn = 0; zc_warning_prev_line("DLV is experimental"); } $$ = $1; parse_unknown_rdata($1, $3); }
     |	T_SSHFP sp rdata_sshfp
-    |	T_SSHFP sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+    |	T_SSHFP sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); check_sshfp(); }
     |	T_RRSIG sp rdata_rrsig
     |	T_RRSIG sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
     |	T_NSEC sp rdata_nsec
@@ -906,6 +906,7 @@ rdata_sshfp:	STR sp STR sp str_sp_seq trail
 	    zadd_rdata_wireformat(zparser_conv_byte(parser->region, $1.str)); /* alg */
 	    zadd_rdata_wireformat(zparser_conv_byte(parser->region, $3.str)); /* fp type */
 	    zadd_rdata_wireformat(zparser_conv_hex(parser->region, $5.str, $5.len)); /* hash */
+	    check_sshfp();
     }
     ;