Limit the number of keys for SIG(0) message verification

Check at most two KEY RRs against a SIG(0) signature. This should
limit potential abuse and at the same time allow key rollover.
This commit is contained in:
Aram Sargsyan 2024-05-15 12:57:56 +00:00 committed by Nicki Křížek
parent 70ff4a3f85
commit 7ca9bd6014
No known key found for this signature in database
GPG key ID: 01623B9B652A20A7


@ -3286,6 +3286,12 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
dns_rdata_sig_t sig;
dns_rdataset_t keyset;
isc_result_t result;
/*
* In order to protect from a possible DoS attack, we are
* going to check at most two KEY RRs.
*/
const size_t max_keys = 2;
size_t n;
result = dns_rdataset_first(msg->sig0);
INSIST(result == ISC_R_SUCCESS);
@ -3327,8 +3333,9 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
}
result = dns_rdataset_first(&keyset);
INSIST(result == ISC_R_SUCCESS);
for (; result == ISC_R_SUCCESS;
result = dns_rdataset_next(&keyset))
for (n = 0; result == ISC_R_SUCCESS && n < max_keys;
n++, result = dns_rdataset_next(&keyset))
{
dst_key_t *key = NULL;
@ -3356,7 +3363,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
break;
}
}
if (result == ISC_R_NOMORE) {
if (result == ISC_R_NOMORE || n == max_keys) {
result = DNS_R_KEYUNAUTHORIZED;
}
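Review bot: The `n == max_keys` test on the last hunk's new line relies on the loop never leaving `n` above the cap, which holds for the `for` header shown in the second hunk but would silently stop firing if the increment were ever moved into the body or a second exit path added; `if (result == ISC_R_NOMORE || n >= max_keys) {` states the intent without that dependency and costs nothing. The comment added in the first hunk explains why the count is bounded but not why the bound is two — the key-rollover rationale lives only in the commit message — so I would extend it to `* going to check at most two KEY RRs (two rather than one so that a rollover with both the old and new KEY published still verifies).` Note also that a message whose signer owns more than two KEY RRs now fails with the same DNS_R_KEYUNAUTHORIZED as a genuine key mismatch, so the cap-hit case is indistinguishable to an operator unless something outside this section logs it. dns_message_checksig begins before and ends after the section, and the `break` at the top of the third hunk belongs to a loop body that is not shown, so I cannot confirm it is reached only on a successful verification.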