Relax private DNSKEY and RRSIG constraints

DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow
empty key and signature material after the algorithm identifier for
PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within
the expected use of these types as no key material is shared and
the signatures are ineffective but these are private algorithms and
they can be totally insecure.

diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 748ae8ca0d0d7658e4abd52076e9ef7ad0bfe3c5..d4cfc6c4e7b98c2438fb79c78be5e2283f8077b5 100644 (file)
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -604,13 +604,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {
 
                RETERR(dns_name_fromwire(dns_fixedname_initname(&fixed), source,
                                         DNS_DECOMPRESS_DEFAULT, NULL));
-               /*
-                * There should be a public key or signature after the key name.
-                */
-               isc_buffer_activeregion(source, &sr);
-               if (sr.length == 0) {
-                       return ISC_R_UNEXPECTEDEND;
-               }
        } else if (alg == DNS_KEYALG_PRIVATEOID) {
                /*
                 * Check that we can extract the OID from the start of the
@@ -627,10 +620,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {
                        RETERR(DNS_R_FORMERR);
                }
                ASN1_OBJECT_free(obj);
-               /* There should be a public key or signature after the OID. */
-               if (in >= sr.base + sr.length) {
-                       return ISC_R_UNEXPECTEDEND;
-               }
        }
        return ISC_R_SUCCESS;
 }

diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index 53b4e7f1cbf96d7240fc8d7234d7e78f5dd0bf11..9dacc0d61328b796219f7289b42c6baf4ff86e19 100644 (file)
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@@ -2087,9 +2087,9 @@ ISC_RUN_TEST_IMPL(key) {
                WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00),
                WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
                WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
-               /* PRIVATEDNS example. */
-               WIRE_INVALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm',
-                            'p', 'l', 'e', 0x00),
+               /* PRIVATEDNS example. without key data */
+               WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
+                          'l', 'e', 0x00),
                /* PRIVATEDNS example. + keydata */
                WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
                           'l', 'e', 0x00, 0x00),
@@ -2097,9 +2097,9 @@ ISC_RUN_TEST_IMPL(key) {
                WIRE_INVALID(0x00, 0x00, 0x00, 253, 0xc0, 0x00, 0x00),
                /* PRIVATEOID */
                WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x00),
-               /* PRIVATEOID 1.3.6.1.4.1.2495 */
-               WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06,
-                            0x01, 0x04, 0x01, 0x93, 0x3f),
+               /* PRIVATEOID 1.3.6.1.4.1.2495 without key data */
+               WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
+                          0x04, 0x01, 0x93, 0x3f),
                /* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
                WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
                           0x04, 0x01, 0x93, 0x3f, 0x00),
@@ -2112,7 +2112,7 @@ ISC_RUN_TEST_IMPL(key) {
                WIRE_SENTINEL()
        };
        text_ok_t text_ok[] = { /* PRIVATEDNS example. */
-                               TEXT_INVALID("0 0 253 B2V4YW1wbGUA"),
+                               TEXT_VALID("0 0 253 B2V4YW1wbGUA"),
                                /* PRIVATEDNS example. + keydata */
                                TEXT_VALID("0 0 253 B2V4YW1wbGUAAA=="),
                                /* PRIVATEDNS compression pointer. */
@@ -2120,7 +2120,7 @@ ISC_RUN_TEST_IMPL(key) {
                                /* PRIVATEOID */
                                TEXT_INVALID("0 0 254 AA=="),
                                /* PRIVATEOID 1.3.6.1.4.1.2495 */
-                               TEXT_INVALID("0 0 254 BgcrBgEEAZM/"),
+                               TEXT_VALID("0 0 254 BgcrBgEEAZM/"),
                                /* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
                                TEXT_VALID("0 0 254 BgcrBgEEAZM/AA=="),
                                /* PRIVATEOID malformed OID - high-bit set on