From: Mark Andrews Date: Fri, 16 May 2025 04:46:22 +0000 (+1000) Subject: Extend the trust anchor supported algorithm checks X-Git-Tag: v9.21.10~47^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62f3c0b5012098d5a0690b05148f6ea862e05426;p=thirdparty%2Fbind9.git Extend the trust anchor supported algorithm checks When a DNSKEY based trust anchor is used extract the algorithm from the key's data to determine if the private algorithm is supported.
---
diff --git a/bin/named/server.c b/bin/named/server.c
index 397a89df898..ddfd7a38556 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -154,11 +154,11 @@
 #endif /* HAVE_LMDB */
 #ifndef SIZE_MAX
-#define SIZE_MAX ((size_t)-1)
+#define SIZE_MAX ((size_t)(-1))
 #endif /* ifndef SIZE_MAX */
 #ifndef SIZE_AS_PERCENT
-#define SIZE_AS_PERCENT ((size_t)-2)
+#define SIZE_AS_PERCENT ((size_t)(-2))
 #endif /* ifndef SIZE_AS_PERCENT */
 /* RFC7828 defines timeout as 16-bit value specified in units of 100
@@ -699,6 +699,7 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
 STATIC_DS,
 TRUSTED
 } anchortype;
+ dst_algorithm_t algorithm;
 REQUIRE(namestrp != NULL && *namestrp == NULL);
 REQUIRE(ds != NULL);
@@ -787,17 +788,19 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
 keystruct.flags = (uint16_t)rdata1;
 keystruct.protocol = (uint8_t)rdata2;
 keystruct.algorithm = (uint8_t)rdata3;
-
- if (!dst_algorithm_supported(keystruct.algorithm)) {
- CHECK(DST_R_UNSUPPORTEDALG);
- }
-
 datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
 CHECK(isc_base64_decodestring(datastr, &databuf));
 isc_buffer_usedregion(&databuf, &r);
 keystruct.datalen = r.length;
 keystruct.data = r.base;
+ algorithm = dst_algorithm_fromdata(
+ keystruct.algorithm, keystruct.data, keystruct.datalen);
+
+ if (!dst_algorithm_supported(algorithm)) {
+ CHECK(DST_R_UNSUPPORTEDALG);
+ }
+
 CHECK(dns_rdata_fromstruct(&rdata, keystruct.common.rdclass, keystruct.common.rdtype, &keystruct, &rrdatabuf));
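Review bot: The new `dst_algorithm_fromdata(keystruct.algorithm, keystruct.data, keystruct.datalen)` call is fed whatever base64 decoded from the configuration, including a zero-length or very short `keystruct.data`, and nothing in this hunk shows whether that helper bounds its parse of the embedded private-algorithm identifier to `datalen`; unless its contract guarantees that, a length guard belongs here, before the call, since this is operator-supplied trust-anchor input rather than validated wire data. The reordering (decode first, then check support) is correct for private algorithm numbers but the reason is not stated; add above the call `/* Private algorithm numbers carry the real algorithm inside the key data, so the support check has to run after the data is decoded. */`. I would also confirm, outside this hunk, that the DS-based anchor paths in ta_fromconfig get an equivalent check on their algorithm field, as the old check only ever covered keystruct. ta_fromconfig begins and ends outside the hunk.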