Relax private DNSKEY and RRSIG constraints

DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types as no key material is shared and the signatures are ineffective but these are private algorithms and they can be totally insecure.
2025-02-07 10:01:57 +11:00
parent 5604d3a44e
commit b048190e23
2 changed files with 8 additions and 19 deletions
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -604,13 +604,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {

 		RETERR(dns_name_fromwire(dns_fixedname_initname(&fixed), source,
 					 DNS_DECOMPRESS_DEFAULT, NULL));
-		/*
-		 * There should be a public key or signature after the key name.
-		 */
-		isc_buffer_activeregion(source, &sr);
-		if (sr.length == 0) {
-			return ISC_R_UNEXPECTEDEND;
-		}
 	} else if (alg == DNS_KEYALG_PRIVATEOID) {
 		/*
 		 * Check that we can extract the OID from the start of the
@@ -627,10 +620,6 @@ check_private(isc_buffer_t *source, dns_secalg_t alg) {
 			RETERR(DNS_R_FORMERR);
 		}
 		ASN1_OBJECT_free(obj);
-		/* There should be a public key or signature after the OID. */
-		if (in >= sr.base + sr.length) {
-			return ISC_R_UNEXPECTEDEND;
-		}
 	}
 	return ISC_R_SUCCESS;
 }
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@@ -2087,9 +2087,9 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00),
 		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
 		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
-		/* PRIVATEDNS example. */
-		WIRE_INVALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm',
-			     'p', 'l', 'e', 0x00),
+		/* PRIVATEDNS example. without key data */
+		WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
+			   'l', 'e', 0x00),
 		/* PRIVATEDNS example. + keydata */
 		WIRE_VALID(0x00, 0x00, 0x00, 253, 0x07, 'e', 'x', 'a', 'm', 'p',
 			   'l', 'e', 0x00, 0x00),
@@ -2097,9 +2097,9 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_INVALID(0x00, 0x00, 0x00, 253, 0xc0, 0x00, 0x00),
 		/* PRIVATEOID */
 		WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x00),
-		/* PRIVATEOID 1.3.6.1.4.1.2495 */
-		WIRE_INVALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06,
-			     0x01, 0x04, 0x01, 0x93, 0x3f),
+		/* PRIVATEOID 1.3.6.1.4.1.2495 without key data */
+		WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
+			   0x04, 0x01, 0x93, 0x3f),
 		/* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
 		WIRE_VALID(0x00, 0x00, 0x00, 254, 0x06, 0x07, 0x2b, 0x06, 0x01,
 			   0x04, 0x01, 0x93, 0x3f, 0x00),
@@ -2112,7 +2112,7 @@ ISC_RUN_TEST_IMPL(key) {
 		WIRE_SENTINEL()
 	};
 	text_ok_t text_ok[] = { /* PRIVATEDNS example. */
-				TEXT_INVALID("0 0 253 B2V4YW1wbGUA"),
+				TEXT_VALID("0 0 253 B2V4YW1wbGUA"),
 				/* PRIVATEDNS example. + keydata */
 				TEXT_VALID("0 0 253 B2V4YW1wbGUAAA=="),
 				/* PRIVATEDNS compression pointer. */
@@ -2120,7 +2120,7 @@ ISC_RUN_TEST_IMPL(key) {
 				/* PRIVATEOID */
 				TEXT_INVALID("0 0 254 AA=="),
 				/* PRIVATEOID 1.3.6.1.4.1.2495 */
-				TEXT_INVALID("0 0 254 BgcrBgEEAZM/"),
+				TEXT_VALID("0 0 254 BgcrBgEEAZM/"),
 				/* PRIVATEOID 1.3.6.1.4.1.2495 + keydata */
 				TEXT_VALID("0 0 254 BgcrBgEEAZM/AA=="),
 				/* PRIVATEOID malformed OID - high-bit set on