From a0dae15cd1d12a130896b6bfe0dd89fbb5b9a2d5 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 7 Feb 2025 10:01:57 +1100
Subject: [PATCH] Relax private DNSKEY and RRSIG constraints

DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types as no key material is shared and the signatures are ineffective but these are private algorithms and they can be totally insecure.

(cherry picked from commit b048190e237d6650cf32ac641b1ee4b96c90ac2e)
---
 lib/dns/rdata.c        | 11 -----------
 tests/dns/rdata_test.c | 16 ++++++++--------
 2 files changed, 8 insertions(+), 19 deletions(-)

diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 976b3c6d9c..e88c289aed 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -606,13 +606,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {
 
 		RETERR(dns_name_fromwire(dns_fixedname_initname(&fixed), source,
 					 DNS_DECOMPRESS_DEFAULT, NULL));
-		/*
-		 * There should be a public key or signature after the key name.
-		 */
-		isc_buffer_activeregion(source, &sr);
-		if (sr.length == 0) {
-			return ISC_R_UNEXPECTEDEND;
-		}
 	} else if (alg == DNS_KEYALG_PRIVATEOID) {
 		/*
 		 * Check that we can extract the OID from the start of the
@@ -629,10 +622,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {
 			RETERR(DNS_R_FORMERR);
 		}
 		ASN1_OBJECT_free(obj);
-		/* There should be a public key or signature after the OID. */
-		if (in >= sr.base + sr.length) {
-			return ISC_R_UNEXPECTEDEND;
-		}
 	}
 	return ISC_R_SUCCESS;
 }
diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index 6ce3b10660..96b3140fc6 100644
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
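Review bot: After this change check_private() accepts a PRIVATEDNS record that ends right after the name and a PRIVATEOID record that ends right after the OID, but nothing left in the function says that this is deliberate; the only trace of the old contract is the removed comment `There should be a public key or signature after the key name.`, so a future reader is likely to reinstate the `sr.length == 0` guard. A short comment at the top of the function (its signature lies outside both hunks) would pin the new contract, e.g. `/* Empty key or signature material after a PRIVATEDNS name or a PRIVATEOID identifier is deliberately accepted; private algorithms carry no interoperability guarantee. */`, and the same note covers the second hunk in this file. Any caller that previously relied on this function guaranteeing at least one byte of material after the identifier — none is visible in this chunk — would now need its own length check before reading that material.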
@@ -2043,9 +2043,9 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00),
 		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
 		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
-		/* PRIVATEDNS example. */
-		WIRE_INVALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm',
-			     'p', 'l', 'e', 0x00),
+		/* PRIVATEDNS example. without key data */
+		WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
+			   'l', 'e', 0x00),
 		/* PRIVATEDNS example. + keydata */
 		WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
 			   'l', 'e', 0x00, 0x00),
@@ -2053,9 +2053,9 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_INVALID(0x00, 0x00, 0x00, 253, 0xc0, 0x00, 0x00),
 		/* PRIVATEOID */
 		WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x00),
-		/* PRIVATEOID 1.3.6.1.4.1.2495 */
-		WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06,
-			     0x01, 0x04, 0x01, 0x93, 0x3f),
+		/* PRIVATEOID 1.3.6.1.4.1.2495 without key data */
+		WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
+			   0x04, 0x01, 0x93, 0x3f),
 		/* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
 		WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
 			   0x04, 0x01, 0x93, 0x3f, 0x00),
@@ -2068,7 +2068,7 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_SENTINEL()
 	};
 	text_ok_t text_ok[] = { /* PRIVATEDNS example. */
-		TEXT_INVALID("0 0 253 B2V4YW1wbGUA"),
+		TEXT_VALID("0 0 253 B2V4YW1wbGUA"),
 		/* PRIVATEDNS example. + keydata */
 		TEXT_VALID("0 0 253 B2V4YW1wbGUAAA=="),
 		/* PRIVATEDNS compression pointer. */
@@ -2076,7 +2076,7 @@ ISC_RUN_TEST_IMPL(key) {
 		/* PRIVATEOID */
 		TEXT_INVALID("0 0 254 AA=="),
 		/* PRIVATEOID 1.3.6.1.4.1.2495 */
-		TEXT_INVALID("0 0 254 BgcrBgEEAZM/"),
+		TEXT_VALID("0 0 254 BgcrBgEEAZM/"),
 		/* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
 		TEXT_VALID("0 0 254 BgcrBgEEAZM/AA=="),
 		/* PRIVATEOID malformed OID - high-bit set on
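Review bot: The test hunks visible here only update the KEY wire and text tables in ISC_RUN_TEST_IMPL(key), while the commit message says DNSKEY, RRSIG and SIG were relaxed as well and the diffstat lists only this one test file; either the rest of this file (beyond the chunk shown) adds matching zero-length cases for those types, or the relaxed path stays untested for them, and an RRSIG table still carrying a TEXT_INVALID entry for a signature-less PRIVATEDNS or PRIVATEOID record would presumably now fail, so this is worth confirming. A smaller point of style in the first two hunks: `/* PRIVATEDNS example. without key data */` reads awkwardly next to `/* PRIVATEDNS example. + keydata */`; `/* PRIVATEDNS example. - keydata */` (and `/* PRIVATEOID 1.3.6.1.4.1.2495 - keydata */`) keeps each pair parallel. The last hunk's trailing comment continues past the end of this chunk.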