mirror of
https://github.com/isc-projects/bind9.git
synced 2026-07-15 19:00:56 -04:00
Size RRSIG rdata buffers by the maximum rdata length
The buffers receiving the RRSIG rdata built by dns_dnssec_sign() were fixed-size arrays (1024 or 2048 octets), which is too small for post-quantum signatures. Use DNS_RDATA_MAXLENGTH sized buffers instead, which no RRSIG rdata can exceed by construction. Assisted-by: Claude:claude-fable-5
This commit is contained in:
parent
7e22ba9ff4
commit
a7716fa763
4 changed files with 6 additions and 6 deletions
|
|
@ -656,7 +656,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration,
|
|||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dns_rdata_t *rrsig = NULL;
|
||||
isc_region_t rs;
|
||||
unsigned char rdatabuf[SIG_FORMATSIZE];
|
||||
unsigned char rdatabuf[DNS_RDATA_MAXLENGTH];
|
||||
isc_stdtime_t clockskew = inception - 3600;
|
||||
|
||||
isc_stdtime_t pub = 0, act = 0, inact = 0, del = 0;
|
||||
|
|
|
|||
|
|
@ -106,7 +106,6 @@ static int nsec_datatype = dns_rdatatype_nsec;
|
|||
|
||||
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
|
||||
|
||||
#define BUFSIZE 2048
|
||||
#define MAXDSKEYS 8
|
||||
|
||||
#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
|
||||
|
|
@ -270,7 +269,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
|
|||
isc_stdtime_t jendtime, expiry;
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
dns_rdata_t trdata = DNS_RDATA_INIT;
|
||||
unsigned char array[BUFSIZE];
|
||||
unsigned char array[DNS_RDATA_MAXLENGTH];
|
||||
isc_buffer_t b;
|
||||
dns_difftuple_t *tuple;
|
||||
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@
|
|||
#include <dns/nsec.h>
|
||||
#include <dns/nsec3.h>
|
||||
#include <dns/private.h>
|
||||
#include <dns/rdata.h>
|
||||
#include <dns/rdataclass.h>
|
||||
#include <dns/rdataset.h>
|
||||
#include <dns/rdatasetiter.h>
|
||||
|
|
@ -970,7 +971,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
|
||||
dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
|
||||
isc_buffer_t buffer;
|
||||
unsigned char data[1024]; /* XXX */
|
||||
unsigned char data[DNS_RDATA_MAXLENGTH];
|
||||
unsigned int i;
|
||||
bool added_sig = false;
|
||||
bool use_kasp = false;
|
||||
|
|
|
|||
|
|
@ -5728,7 +5728,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
|
|||
dns_stats_t *dnssecsignstats;
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
|
||||
unsigned char data[1024]; /* XXX */
|
||||
unsigned char data[DNS_RDATA_MAXLENGTH];
|
||||
isc_buffer_t buffer;
|
||||
unsigned int i;
|
||||
bool use_kasp = false;
|
||||
|
|
@ -6420,7 +6420,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
|
|||
dns_stats_t *dnssecsignstats;
|
||||
bool offlineksk = false;
|
||||
isc_buffer_t buffer;
|
||||
unsigned char data[1024];
|
||||
unsigned char data[DNS_RDATA_MAXLENGTH];
|
||||
seen_t seen;
|
||||
|
||||
if (zone->kasp != NULL) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue