git.ipfire.org Git - thirdparty/bind9.git/commit

author	Ondřej Surý <ondrej@isc.org>
	Wed, 29 Apr 2026 14:23:10 +0000 (16:23 +0200)
committer	Ondřej Surý <ondrej@isc.org>
	Wed, 29 Apr 2026 17:21:20 +0000 (19:21 +0200)
commit	46f6bb6364db1dcbbfb2a2add72cff45fd1bda22
tree	4c27b71e66d17f0dd51e413d99cac6fe16450460	tree \| snapshot
parent	ce77138b5cf8b7d5e08a6260e4428f61a4d6673a	commit \| diff

Size HMAC key generation buffers to the maximum block size

hmac_generate() declared its on-stack nonce buffer as
unsigned char data[ISC_MAX_MD_SIZE], i.e. 64 bytes. That is the maximum
digest size, but the buffer is filled up to the algorithm's HMAC block
size, which is 128 bytes for SHA-384 and SHA-512. Asking rndc-confgen
for an HMAC-SHA-384 or HMAC-SHA-512 key with -b > 512 (the documented
range allows up to 1024) wrote past the end of the stack buffer; on
hardened builds this aborted with a stack-smash detector firing
instead of producing a key.

Use the existing ISC_MAX_BLOCK_SIZE (128) for the buffer so the full
1..1024 range advertised by -A hmac-sha{384,512} works as documented.
The matching key_rawsecret[64] in confgen's generate_key() is enlarged
the same way so the generated key fits when dumped to the buffer.

Add a system test that exercises rndc-confgen across the previously
overflowing keysizes; with -Db_sanitize=address it caught the abort
before the fix.

Assisted-by: Claude:claude-opus-4-7

bin/confgen/keygen.c		diff \| blob \| blame \| history
bin/tests/system/rndc_confgen/tests_rndc_confgen.py		diff \| blob \| blame \| history
lib/dns/hmac_link.c		diff \| blob \| blame \| history