BIND 10 trac2387, updated. 09ed404f9b47807c74e0c6e59077e95a7b28b953 [2387] Add DNSKEY wire test for short keydata for RSA/MD5
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Mar 14 02:40:36 UTC 2013
The branch, trac2387 has been updated
via 09ed404f9b47807c74e0c6e59077e95a7b28b953 (commit)
via 46cfb5cccadfaaea4568d8478c3ba349c9b877dd (commit)
via b6bd57985bbd40a4cd76e0b37c3e5ae7d3563051 (commit)
via 8ee676bcecbdc959c24fce66ae32ddf94fe999af (commit)
via 0318fc199d2d653198294eed8bbfd4ee69b340de (commit)
from d124a5b6f1fb3fb55918e3b75343c6bb70023980 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 09ed404f9b47807c74e0c6e59077e95a7b28b953
Author: Mukund Sivaraman <muks at isc.org>
Date: Thu Mar 14 08:09:46 2013 +0530
[2387] Add DNSKEY wire test for short keydata for RSA/MD5
commit 46cfb5cccadfaaea4568d8478c3ba349c9b877dd
Author: Mukund Sivaraman <muks at isc.org>
Date: Thu Mar 14 08:00:14 2013 +0530
[2387] Make DNSKEY wire constructor throw on empty keydata
commit b6bd57985bbd40a4cd76e0b37c3e5ae7d3563051
Author: Mukund Sivaraman <muks at isc.org>
Date: Thu Mar 14 07:41:58 2013 +0530
[2387] Add key data size check in InputBuffer constructor too
commit 8ee676bcecbdc959c24fce66ae32ddf94fe999af
Author: Mukund Sivaraman <muks at isc.org>
Date: Thu Mar 14 07:41:35 2013 +0530
[2387] Point to the RFC about why key data has to be at least 3 bytes long
commit 0318fc199d2d653198294eed8bbfd4ee69b340de
Author: Mukund Sivaraman <muks at isc.org>
Date: Thu Mar 14 07:20:18 2013 +0530
[2387] Update exception description in API doc
-----------------------------------------------------------------------
Summary of changes:
.../dns/rdata/generic/detail/nsec3param_common.h | 4 ++--
src/lib/dns/rdata/generic/dnskey_48.cc | 14 ++++++++++++++
src/lib/dns/tests/rdata_dnskey_unittest.cc | 8 ++++++++
src/lib/dns/tests/testdata/Makefile.am | 4 +++-
.../testdata/rdata_dnskey_empty_keydata_fromWire | 7 +++++++
.../testdata/rdata_dnskey_short_keydata1_fromWire | 8 ++++++++
6 files changed, 42 insertions(+), 3 deletions(-)
create mode 100644 src/lib/dns/tests/testdata/rdata_dnskey_empty_keydata_fromWire
create mode 100644 src/lib/dns/tests/testdata/rdata_dnskey_short_keydata1_fromWire
-----------------------------------------------------------------------
diff --git a/src/lib/dns/rdata/generic/detail/nsec3param_common.h b/src/lib/dns/rdata/generic/detail/nsec3param_common.h
index 17e17f4..a8b848d 100644
--- a/src/lib/dns/rdata/generic/detail/nsec3param_common.h
+++ b/src/lib/dns/rdata/generic/detail/nsec3param_common.h
@@ -72,8 +72,8 @@ struct ParseNSEC3ParamResult {
/// \exception isc::BadValue The salt is not a valid hex string.
/// \exception InvalidRdataText The given RDATA is otherwise invalid for
/// NSEC3 or NSEC3PARAM fields.
-/// \exception MasterLexer::LexerError There was a failure reading a
-/// field from the MasterLexer.
+/// \exception MasterLexer::LexerError There was a syntax error reading
+/// a field from the MasterLexer.
///
/// \param rrtype_name Either "NSEC3" or "NSEC3PARAM"; used as part of
/// exception messages.
diff --git a/src/lib/dns/rdata/generic/dnskey_48.cc b/src/lib/dns/rdata/generic/dnskey_48.cc
index 31952ca..2cba1be 100644
--- a/src/lib/dns/rdata/generic/dnskey_48.cc
+++ b/src/lib/dns/rdata/generic/dnskey_48.cc
@@ -98,9 +98,21 @@ DNSKEY::DNSKEY(InputBuffer& buffer, size_t rdata_len) {
const uint16_t algorithm = buffer.readUint8();
rdata_len -= 4;
+ // Though the size of the public key is algorithm-dependent, we
+ // assume that it should not be empty.
+ if (rdata_len < 1) {
+ isc_throw(InvalidRdataLength, "DNSKEY keydata too short");
+ }
+
vector<uint8_t> keydata(rdata_len);
buffer.readData(&keydata[0], rdata_len);
+ // See RFC 4034 appendix B.1 for why the key data has to be at least
+ // 3 bytes long with RSA/MD5.
+ if (algorithm == 1 && keydata.size() < 3) {
+ isc_throw(InvalidRdataLength, "DNSKEY keydata too short");
+ }
+
impl_ = new DNSKEYImpl(flags, protocol, algorithm, keydata);
}
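Review bot: The new `rdata_len < 1` test after `rdata_len -= 4;` is only sound if the constructor has already rejected `rdata_len < 4` above this hunk, because `rdata_len` is a `size_t` and the subtraction wraps to a very large value instead of going below zero. That earlier guard is not visible here (the constructor starts outside the hunk), so it should be confirmed before relying on this check for untrusted wire data. Separately, the RSA/MD5 length test runs only after `keydata` has been allocated and filled from the buffer; it could reject earlier by testing the length directly, `if (algorithm == 1 && rdata_len < 3) {`, placed next to the empty-keydata check. Both throws carry the same text, so appending the length (assuming `isc_throw` accepts a streamed message, `"DNSKEY keydata too short: " << rdata_len`) would let logs tell the two rejections apart.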
@@ -168,6 +180,8 @@ DNSKEY::constructFromLexer(MasterLexer& lexer) {
vector<uint8_t> keydata;
decodeBase64(keydatastr, keydata);
+ // See RFC 4034 appendix B.1 for why the key data has to be at least
+ // 3 bytes long with RSA/MD5.
if (algorithm == 1 && keydata.size() < 3) {
isc_throw(InvalidRdataLength, "DNSKEY keydata too short");
}
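Review bot: The text-form path shown here still rejects only short keys for algorithm 1, while the wire constructor in the previous hunk now also rejects empty key data for every algorithm. If empty key data is meant to be invalid in both forms, `constructFromLexer` needs a matching `if (keydata.empty()) {` check after `decodeBase64`; if the difference is intentional, a comment here should say so. The literal `1` for RSA/MD5 and the identical length test now appear in both functions, so a named constant or a small shared helper would keep them in step. The function starts and ends outside this hunk, so an emptiness check may already exist above.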
diff --git a/src/lib/dns/tests/rdata_dnskey_unittest.cc b/src/lib/dns/tests/rdata_dnskey_unittest.cc
index f175c87..820a885 100644
--- a/src/lib/dns/tests/rdata_dnskey_unittest.cc
+++ b/src/lib/dns/tests/rdata_dnskey_unittest.cc
@@ -134,6 +134,14 @@ TEST_F(Rdata_DNSKEY_Test, createFromWire) {
EXPECT_EQ(0, rdata_dnskey.compare(
*rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"),
"rdata_dnskey_fromWire")));
+ // Empty keydata should throw
+ EXPECT_THROW(rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"),
+ "rdata_dnskey_empty_keydata_fromWire"),
+ InvalidRdataLength);
+ // Short keydata for RSA/MD5 should throw
+ EXPECT_THROW(rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"),
+ "rdata_dnskey_short_keydata1_fromWire"),
+ InvalidRdataLength);
}
TEST_F(Rdata_DNSKEY_Test, getTag) {
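Review bot: Both cases added to `createFromWire` are rejections, so nothing pins the boundary on the accepting side. A fixture with algorithm 1 and exactly 3 key bytes, and one with a 1-byte key for another algorithm, should still parse, e.g. `EXPECT_NO_THROW(rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"), "<3-byte RSA/MD5 fixture>"));`. Without them an off-by-one in either length check (`< 3` turning into `<= 3`) would pass the suite. The hunk also shows no wire case with an RDLENGTH below 4, which the `rdata_len -= 4` arithmetic in the constructor depends on; such a test may exist elsewhere in the file.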
diff --git a/src/lib/dns/tests/testdata/Makefile.am b/src/lib/dns/tests/testdata/Makefile.am
index 52acb7c..944dadb 100644
--- a/src/lib/dns/tests/testdata/Makefile.am
+++ b/src/lib/dns/tests/testdata/Makefile.am
@@ -101,7 +101,9 @@ EXTRA_DIST += name_toWire7 name_toWire8 name_toWire9
EXTRA_DIST += question_fromWire question_toWire1 question_toWire2
EXTRA_DIST += rdatafields1.spec rdatafields2.spec rdatafields3.spec
EXTRA_DIST += rdatafields4.spec rdatafields5.spec rdatafields6.spec
-EXTRA_DIST += rdata_cname_fromWire rdata_dname_fromWire rdata_dnskey_fromWire
+EXTRA_DIST += rdata_cname_fromWire rdata_dname_fromWire
+EXTRA_DIST += rdata_dnskey_fromWire rdata_dnskey_empty_keydata_fromWire
+EXTRA_DIST += rdata_dnskey_short_keydata1_fromWire
EXTRA_DIST += rdata_dhcid_fromWire rdata_dhcid_toWire
EXTRA_DIST += rdata_ds_fromWire rdata_in_a_fromWire rdata_in_aaaa_fromWire
EXTRA_DIST += rdata_mx_fromWire rdata_mx_toWire1 rdata_mx_toWire2
diff --git a/src/lib/dns/tests/testdata/rdata_dnskey_empty_keydata_fromWire b/src/lib/dns/tests/testdata/rdata_dnskey_empty_keydata_fromWire
new file mode 100644
index 0000000..cd07bae
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_dnskey_empty_keydata_fromWire
@@ -0,0 +1,7 @@
+# RDLENGTH = 4 bytes
+ 00 04
+# DNSKEY, flags 257
+ 01 01
+# protocol 3, algorithm 5
+ 03 05
+# no keydata
diff --git a/src/lib/dns/tests/testdata/rdata_dnskey_short_keydata1_fromWire b/src/lib/dns/tests/testdata/rdata_dnskey_short_keydata1_fromWire
new file mode 100644
index 0000000..34b2477
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_dnskey_short_keydata1_fromWire
@@ -0,0 +1,8 @@
+# RDLENGTH = 6 bytes
+ 00 06
+# DNSKEY, flags 257
+ 01 01
+# protocol 3, algorithm 1
+ 03 01
+# keydata (only 2 bytes long for algorithm 1):
+ 04 40