* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.339.2.37 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: server.c,v 1.339.2.38 2006/12/07 05:25:03 marka Exp $ */
#include <config.h>
keystruct.datalen = r.length;
keystruct.data = r.base;
+ if (keystruct.algorithm == DST_ALG_RSAMD5 &&
+ r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+ "trusted key '%s' has a weak exponent",
+ keynamestr);
+
CHECK(dns_rdata_fromstruct(NULL,
keystruct.common.rdclass,
keystruct.common.rdtype,
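Review bot: The new test on keystruct.algorithm only fires for DST_ALG_RSAMD5, yet RSASHA1 keys carry the same RFC 3110 public-key encoding (exponent length, exponent, modulus) and go through the same RSA signature verification, so an exponent-3 RSASHA1 trusted key gets no warning; the same restriction appears in zone_check_keys in the zone.c hunk below. I would widen the guard to `if ((keystruct.algorithm == DST_ALG_RSAMD5 || keystruct.algorithm == DST_ALG_RSASHA1) &&` in both places. The byte test `r.base[0] == 1 && r.base[1] == 3` also only recognises the one-byte length form; an exponent of 3 written with the three-byte length form would slip past, although RFC 3110 requires the short form for exponents under 256 bytes, so that is a minor gap. The enclosing function is not visible in this hunk.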
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.333.2.44 2006/05/18 02:30:20 marka Exp $ */
+/* $Id: zone.c,v 1.333.2.45 2006/12/07 05:25:03 marka Exp $ */
#include <config.h>
return (result);
}
+/*
+ * OpenSSL verification of RSA keys with exponent 3 is known to be
+ * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
+ * if they are in use.
+ */
+static void
+zone_check_keys(dns_zone_t *zone, dns_db_t *db) {
+ dns_dbnode_t *node = NULL;
+ dns_dbversion_t *version = NULL;
+ dns_rdata_key_t key;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ isc_result_t result;
+
+ result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_db_currentversion(db, &version);
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_key,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &key, NULL);
+ INSIST(result == ISC_R_SUCCESS);
+
+ if (key.algorithm == DST_ALG_RSAMD5 && key.datalen > 1 &&
+ key.data[0] == 1 && key.data[1] == 3)
+ {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "weak RSAMD5 (%u) key found "
+ "(exponent=3)", key.algorithm);
+ break;
+ }
+ dns_rdata_reset(&rdata);
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (version != NULL)
+ dns_db_closeversion(db, &version, ISC_FALSE);
+
+}
+
static isc_result_t
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
isc_result_t result)
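Review bot: The `break` at the first matching KEY in zone_check_keys means a zone with several apex keys gets a single warning that names only the algorithm number, so the operator cannot tell which key to roll or whether more than one is affected. I would drop the `break` and log the key tag alongside the algorithm, which dns_rdata_toregion plus dst_region_computeid give without any allocation; the warning text can then be acted on directly. The diff also leaves an empty line between the cleanup block and the closing brace, and the `dns_rdata_reset` after the match is skipped by the `break`, which is harmless for a stack rdata but reads as an oversight.
```c
		if (key.algorithm == DST_ALG_RSAMD5 && key.datalen > 1 &&
		    key.data[0] == 1 && key.data[1] == 3)
		{
			isc_region_t r;

			/* Key tag identifies which apex key to replace. */
			dns_rdata_toregion(&rdata, &r);
			dns_zone_log(zone, ISC_LOG_WARNING,
				     "weak RSAMD5 (%u) key found "
				     "(exponent=3), key tag %u",
				     key.algorithm,
				     dst_region_computeid(&r, key.algorithm));
		}
		dns_rdata_reset(&rdata);
		/* … unchanged: loop end, disassociate, cleanup … */
```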
}
+ /*
+ * Check for weak KEY's.
+ */
+ if (zone->type == dns_zone_master)
+ zone_check_keys(zone, db);
+
#if 0
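Review bot: The comment above the new call, `Check for weak KEY's.`, says neither what makes a key weak nor why the check is limited to master zones, so a reader has to open zone_check_keys to learn that it is the OpenSSL exponent-3 verification problem. I would write it as `/* Warn about apex RSAMD5 KEY records with exponent 3 (see zone_check_keys). */` and add one sentence on the master-only restriction, presumably because only the zone's owner can replace the key. zone_postload starts and ends outside this hunk, so I cannot confirm that db is known to be loaded successfully at this point; the call should sit after the load-result check.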
/* destroy notification example. */
{
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(keyname, namebuf, sizeof(namebuf));
dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find key: %s", namebuf);
+ "unable to find key: %s", namebuf);
}
}
if (key == NULL)
if (message != NULL)
dns_message_destroy(&message);
unlock:
- if (key != NULL)
+ if (key != NULL)
dns_tsigkey_detach(&key);
UNLOCK_ZONE(zone);
return;