[v9_8] fix md5 key id computation
authorEvan Hunt <each@isc.org>
Tue, 13 Aug 2013 23:04:57 +0000 (16:04 -0700)
committerEvan Hunt <each@isc.org>
Tue, 13 Aug 2013 23:04:57 +0000 (16:04 -0700)
3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
(cherry picked from commit 5d4343a9988cd5bd057aa385bb8c5e72d41202d1)
(cherry picked from commit 70858bf9740f8f6a9cf23e0c174026a1d38dd238)

CHANGES
lib/dns/rdata/generic/dnskey_48.c
lib/dns/rdata/generic/key_25.c
lib/dns/rdata/generic/keydata_65533.c

diff --git a/CHANGES b/CHANGES
index 26731ed6e651915eab842767da1f352d2f2f4174..243ff0bc861609216d20558785dffe37c93231e1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3630.  [bug]           Ensure correct ID computation for MD5 keys. [RT #33033]
+
 3627.  [bug]           RPZ changes were not effective on slaves. [RT #34450]
 
 3625.  [bug]           Don't send notify messages to machines outside of the
index b7eeb34f2b0296cb4caa5ddfdfce523dcd305f3f..1588b109a3e04a39c55129a6c7561433d048244d 100644 (file)
@@ -173,6 +173,15 @@ fromwire_dnskey(ARGS_FROMWIRE) {
                dns_name_init(&name, NULL);
                RETERR(dns_name_fromwire(&name, source, dctx, options, target));
        }
+
+       /*
+        * RSAMD5 computes key ID differently from other
+        * algorithms: we need to ensure there's enough data
+        * present for the computation
+        */
+       if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+               return (ISC_R_UNEXPECTEDEND);
+
        isc_buffer_activeregion(source, &sr);
        isc_buffer_forward(source, sr.length);
        return (mem_tobuffer(target, sr.base, sr.length));
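Review bot: The added RSAMD5 guard tests `sr.length` one statement before `isc_buffer_activeregion(source, &sr)` refreshes `sr`, so it relies on `sr` still describing the unread key data as left by code above the hunk. That appears to hold because an RSAMD5 key does not take the name-parsing branch shown in the context lines, but moving the guard below the refresh would make the tested length the same one passed to `mem_tobuffer`: `isc_buffer_activeregion(source, &sr);` then `if (algorithm == DST_ALG_RSAMD5 && sr.length < 3) return (ISC_R_UNEXPECTEDEND);`. The fromwire_key hunk in key_25.c has the same ordering. The comment could also state where the 3 comes from, for example `/* the RSAMD5 key ID is read from the last 3 octets of the key data */`, to be confirmed against the ID routine, which is not part of this diff. fromwire_dnskey starts above the hunk.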
index 26ca9a9b82da52fb0355fc8ed42459667dc88473..eb986592e9bb4a723f5496ed2c22f399b18d9d55 100644 (file)
@@ -173,6 +173,15 @@ fromwire_key(ARGS_FROMWIRE) {
                dns_name_init(&name, NULL);
                RETERR(dns_name_fromwire(&name, source, dctx, options, target));
        }
+
+       /*
+        * RSAMD5 computes key ID differently from other
+        * algorithms: we need to ensure there's enough data
+        * present for the computation
+        */
+       if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+               return (ISC_R_UNEXPECTEDEND);
+
        isc_buffer_activeregion(source, &sr);
        isc_buffer_forward(source, sr.length);
        return (mem_tobuffer(target, sr.base, sr.length));
index a92f5786410da3d006b89d827e2d773782a88f69..f4147a1d3721ee74d85beb530b44c8133238bc34 100644 (file)
@@ -167,6 +167,7 @@ totext_keydata(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_keydata(ARGS_FROMWIRE) {
        isc_region_t sr;
+       unsigned char algorithm;
 
        REQUIRE(type == 65533);
 
@@ -179,6 +180,15 @@ fromwire_keydata(ARGS_FROMWIRE) {
        if (sr.length < 16)
                return (ISC_R_UNEXPECTEDEND);
 
+       /*
+        * RSAMD5 computes key ID differently from other
+        * algorithms: we need to ensure there's enough data
+        * present for the computation
+        */
+       algorithm = sr.base[15];
+       if (algorithm == DST_ALG_RSAMD5 && sr.length < 19)
+               return (ISC_R_UNEXPECTEDEND);
+
        isc_buffer_forward(source, sr.length);
        return (mem_tobuffer(target, sr.base, sr.length));
 }
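Review bot: The bound `19` and the index `15` in the added check are bare offsets, and a reader has to work out that 19 is the 16-octet minimum tested just above plus the 3 octets the RSAMD5 ID computation needs. Writing the test as `sr.length < 16 + 3` and adding a comment such as `/* algorithm is the last octet of the fixed 16-octet prefix */` above `algorithm = sr.base[15];` would make that explicit; the prefix layout is presumed from the existing length check and should be confirmed. The read of `sr.base[15]` is in bounds only because it follows the `sr.length < 16` return, so the comment should also say that the order of the two checks matters. fromwire_keydata begins in the previous hunk.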