Remove DNS_KEYFLAG_EXTENDED

The DNS_KEYFLAG_EXTENDED flag was only legitimate for type KEY
and was eliminated by RFC 3445. Dropping the extended-flags
handling in pub_compare() also fixes a possible crash when
signing a zone whose journal contains a crafted DNSKEY: a
6-byte record with the EXTENDED bit set produced a memmove()
length that underflowed and ran off a stack buffer.

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index b8b673043b27ff9d4fe8eadec1458bac821abf9c..39913f6537faecc9907858a2cd687b1e53b34e4d 100644 (file)
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -652,14 +652,6 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
        isc_buffer_putuint8(target,
                            (uint8_t)dst_algorithm_tosecalg(key->key_alg));
 
-       if ((key->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               if (isc_buffer_availablelength(target) < 2) {
-                       return ISC_R_NOSPACE;
-               }
-               isc_buffer_putuint16(
-                       target, (uint16_t)((key->key_flags >> 16) & 0xffff));
-       }
-
        if (key->keydata.generic == NULL) { /*%< NULL KEY */
                return ISC_R_SUCCESS;
        }
@@ -671,7 +663,7 @@ isc_result_t
 dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
                isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
        uint8_t alg, proto;
-       uint32_t flags, extflags;
+       uint32_t flags;
        dst_key_t *key = NULL;
        dns_keytag_t id, rid;
        isc_region_t r;
@@ -688,14 +680,6 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
        id = dst_region_computeid(&r);
        rid = dst_region_computerid(&r);
 
-       if ((flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               if (isc_buffer_remaininglength(source) < 2) {
-                       return DST_R_INVALIDPUBLICKEY;
-               }
-               extflags = isc_buffer_getuint16(source);
-               flags |= (extflags << 16);
-       }
-
        RETERR(frombuffer(name, alg, flags, proto, rdclass, source, mctx,
                          &key));
        key->key_id = id;
@@ -1190,9 +1174,6 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
        }
        /* Zero out flags. */
        buf1[0] = buf1[1] = 0;
-       if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               isc_buffer_subtract(&b1, 2);
-       }
 
        isc_buffer_init(&b2, buf2, sizeof(buf2));
        result = dst_key_todns(key2, &b2);
@@ -1201,23 +1182,9 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
        }
        /* Zero out flags. */
        buf2[0] = buf2[1] = 0;
-       if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               isc_buffer_subtract(&b2, 2);
-       }
 
        isc_buffer_usedregion(&b1, &r1);
-       /* Remove extended flags. */
-       if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               memmove(&buf1[4], &buf1[6], r1.length - 6);
-               r1.length -= 2;
-       }
-
        isc_buffer_usedregion(&b2, &r2);
-       /* Remove extended flags. */
-       if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-               memmove(&buf2[4], &buf2[6], r2.length - 6);
-               r2.length -= 2;
-       }
        return isc_region_compare(&r1, &r2) == 0;
 }
 

diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 08cd0c05dab0744df59522894b938e05b1d81e87..7f5e56f7690874bae7c660bf21fff05633fa1aeb 100644 (file)
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -26,14 +26,9 @@ enum {
        DNS_KEYTYPE_NOCONF = 1 << 14, /* cannot be used for confidentiality. */
 
        DNS_KEYFLAG_RESERVED2 = 1 << 13, /* reserved: must be zero. */
-
-       DNS_KEYFLAG_EXTENDED = 1 << 12, /* key has extended flags: if this is
-                                        * set, the first two octets of the
-                                        * key data are an additional flags
-                                        * field, at least one bit of which
-                                        * must be nonzero. (valid for KEY
-                                        * only.) */
-
+       DNS_KEYFLAG_DONOTUSE3 = 1 << 12, /* unused: must be zero.
+                                           formerly DNS_KEYFLAG_EXTENDED,
+                                           which was removed by RFC 3445 */
        DNS_KEYFLAG_RESERVED4 = 1 << 11, /* reserved: must be zero. */
        DNS_KEYFLAG_RESERVED5 = 1 << 10, /* reserved: must be zero. */