From e195feb45683bc2f8016dbc65bbae9432b52c41b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 29 Jun 2017 15:54:54 -0700 Subject: [PATCH] [v9_10] fix RSA parsing when md5 disabled 4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled. [RT #45300] (cherry picked from commit b05b3fab3c37c9c07321f01b745719307c84aa2f) --- CHANGES | 3 +++ bin/tests/system/pkcs11/clean.sh | 2 +- bin/tests/system/pkcs11/tests.sh | 13 +++++++++---- lib/dns/dst_parse.c | 5 +++++ 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 96b29b95ad..a5e628f373 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled. + [RT #45300] + --- 9.10.6b1 released --- 4643. [security] An error in TSIG handling could permit unauthorized diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh index 24915e8559..8e73809c14 100644 --- a/bin/tests/system/pkcs11/clean.sh +++ b/bin/tests/system/pkcs11/clean.sh @@ -15,6 +15,6 @@ # PERFORMANCE OF THIS SOFTWARE. rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl -rm -f dig.out pin +rm -f dig.out* pin upd.log* rm -f ns1/*.key ns1/named.memstats rm -f supported diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh index 9438dfbc07..a67af6abe2 100644 --- a/bin/tests/system/pkcs11/tests.sh +++ b/bin/tests/system/pkcs11/tests.sh 
@@ -45,7 +45,12 @@ for alg in $algs; do echo "I:testing inline signing with PKCS#11 keys ($alg)" - $NSUPDATE > /dev/null < dig.out.$alg.0 || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` + count0=`grep RRSIG dig.out.$alg.0 | wc -l` + + $NSUPDATE -v > upd.log.$alg < dig.out || ret=1 + $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` - count=`grep RRSIG dig.out | wc -l` - if [ $count != 4 ]; then echo "I:failed"; status=1; fi + count=`grep RRSIG dig.out.$alg | wc -l` + if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi echo "I:testing PKCS#11 key destroy ($alg)" ret=0 diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index 212e822916..d5a91f4e51 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -612,7 +612,12 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, goto fail; } +#ifdef PK11_MD5_DISABLE + check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, + ISC_TRUE, external); +#else check = check_data(priv, alg, ISC_TRUE, external); +#endif if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail;
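Review bot: `ret` is not reset to 0 between the new `status=` line that follows the baseline `$DIG ... > dig.out.$alg.0` query and the new `$NSUPDATE -v > upd.log.$alg ... || ret=1` line, so a failure of that first query is added to `status` a second time by the existing `status=` line after the second `$DIG`, and the two "I:failed" messages cannot be told apart; add `ret=0` directly after the `count0=` assignment. The hunk text looks garbled around both `$NSUPDATE` invocations (the `<` redirections were presumably here-documents lost in rendering), so the exact placement should be checked against the file, and the enclosing `for alg in $algs` loop body starts and ends outside the hunk. Minor style point: the two `grep RRSIG ... | wc -l` pipelines can be `grep -c RRSIG dig.out.$alg.0` and `grep -c RRSIG dig.out.$alg`.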
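Review bot: The new `alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg` substitution in the `#ifdef PK11_MD5_DISABLE` branch carries no comment, so the next reader has to guess why a private key tagged with the MD5-era RSA algorithm number is validated under RSASHA1's rules when MD5 support is compiled out, and may mistake it for re-enabling RSAMD5. Presumably check_data has no DST_ALG_RSA case in such a build and the RSA private-key fields are laid out identically for every RSA variant, so only the structural field check is being redirected; neither is visible in the hunk and both should be confirmed before merging. State that in place, e.g. `/* MD5 disabled: DST_ALG_RSA (RSAMD5) is not handled by check_data, so check the RSA fields under RSASHA1, which shares the same private-key layout; this does not change which algorithm the key is used with. */` above the `#ifdef`. Since `alg` itself is left untouched, the substitution is scoped to this one call as far as the hunk shows; dst__privstruct_parse starts and ends outside the hunk.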