diff --git a/CHANGES b/CHANGES
index 249f09e654..da88366e32 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033]
+
 3629. [func] Allow the printing of cryptographic fields in DNSSEC records by dig to be suppressed (dig +nocrypto). [RT #34534]
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
index ccccc52991..6ae8dfbbdb 100644
--- a/lib/dns/rdata/generic/dnskey_48.c
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -193,6 +193,15 @@ fromwire_dnskey(ARGS_FROMWIRE) {
 dns_name_init(&name, NULL);
 RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 }
+
+ /*
+ * RSAMD5 computes key ID differently from other
+ * algorithms: we need to ensure there's enough data
+ * present for the computation
+ */
+ if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+ return (ISC_R_UNEXPECTEDEND);
+
 isc_buffer_activeregion(source, &sr);
 isc_buffer_forward(source, sr.length);
 return (mem_tobuffer(target, sr.base, sr.length));
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 1d0ba83a9b..b5bc207511 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -176,6 +176,15 @@ fromwire_key(ARGS_FROMWIRE) {
 dns_name_init(&name, NULL);
 RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 }
+
+ /*
+ * RSAMD5 computes key ID differently from other
+ * algorithms: we need to ensure there's enough data
+ * present for the computation
+ */
+ if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+ return (ISC_R_UNEXPECTEDEND);
+
 isc_buffer_activeregion(source, &sr);
 isc_buffer_forward(source, sr.length);
 return (mem_tobuffer(target, sr.base, sr.length));
diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c
index f1fe45e4b9..a3ed8603fe 100644
--- a/lib/dns/rdata/generic/keydata_65533.c
+++ b/lib/dns/rdata/generic/keydata_65533.c
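Review bot: The new guard in fromwire_dnskey reads `sr.length` one line before the context line `isc_buffer_activeregion(source, &sr);` refreshes `sr`, so it is evaluated against whatever region `sr` held earlier in the function, which is outside the hunk. If that earlier value is the region captured before the flags/protocol/algorithm header was consumed, as the already-populated `algorithm` variable suggests, that region was presumably already required to cover the header, `sr.length < 3` can never be true, and a truncated RSAMD5 key still reaches the ID computation the comment is trying to protect. Swapping the two lines so the check follows the refresh fixes this without changing the threshold: `isc_buffer_activeregion(source, &sr);` then `if (algorithm == DST_ALG_RSAMD5 && sr.length < 3) return (ISC_R_UNEXPECTEDEND);`. The literal 3 also deserves a word on what consumes those octets, e.g. `/* the RSAMD5 key ID is read from the trailing octets of the key material */`, since the comment only says "enough data". fromwire_dnskey begins outside the hunk.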
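Review bot: In fromwire_key the `sr.length < 3` guard likewise runs before the context line `isc_buffer_activeregion(source, &sr);` refreshes `sr`, so it tests a region assigned earlier in the function (outside the hunk) rather than the key material that remains after the fixed header and the name the preceding branch parses. If that stale region still spans the fixed header, the guard is dead code and a short RSAMD5 KEY RR is accepted exactly as before this commit. Reorder so the check follows the refresh: `isc_buffer_activeregion(source, &sr);` then `if (algorithm == DST_ALG_RSAMD5 && sr.length < 3) return (ISC_R_UNEXPECTEDEND);`. Since the same comment and threshold are now pasted into three rdata files, a single named constant for the RSAMD5 minimum would keep them from drifting apart. fromwire_key starts outside the hunk.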
@@ -185,6 +185,7 @@ totext_keydata(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_keydata(ARGS_FROMWIRE) {
 isc_region_t sr;
+ unsigned char algorithm;
 
 REQUIRE(type == 65533);
 
@@ -197,6 +198,15 @@ fromwire_keydata(ARGS_FROMWIRE) {
 if (sr.length < 16)
 return (ISC_R_UNEXPECTEDEND);
 
+ /*
+ * RSAMD5 computes key ID differently from other
+ * algorithms: we need to ensure there's enough data
+ * present for the computation
+ */
+ algorithm = sr.base[15];
+ if (algorithm == DST_ALG_RSAMD5 && sr.length < 19)
+ return (ISC_R_UNEXPECTEDEND);
+
 isc_buffer_forward(source, sr.length);
 return (mem_tobuffer(target, sr.base, sr.length));
 }
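Review bot: The values 15 and 19 in the second hunk are unexplained magic numbers; the only visible anchor is the preceding `sr.length < 16` check, and a reader must work out that `sr.base[15]` is the last octet of that 16-octet fixed part and that 19 leaves three octets of key material after it, presumably the same three-octet minimum the DNSKEY and KEY hunks enforce with `< 3`. Unlike those two hunks, the guard here uses the same `sr` that the `< 16` check validated with no refresh in between, so the index and the threshold at least agree with each other. I would tie the numbers together in the comment, e.g. `/* algorithm is the last octet of the 16-octet fixed part; RSAMD5 needs 3 further octets of key material for its ID */`, or write the threshold as `16 + 3`. The layout of the fixed part is not visible in this hunk, so the field meaning is inferred from the index alone.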