Commit 41a85186 authored by Evan Hunt's avatar Evan Hunt

Merge 'managed-key-assert' into security-master

parents 91550e21 3022633d
...@@ -159,7 +159,10 @@ ...@@ -159,7 +159,10 @@
   
5119. [placeholder] 5119. [placeholder]
   
5118. [placeholder] 5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
   
5117. [placeholder] 5117. [placeholder]
   
...@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail. ...@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail.
ns5 is a validator which is prevented from getting a response from the ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail. root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
...@@ -16,9 +16,10 @@ rm -f */named.conf ...@@ -16,9 +16,10 @@ rm -f */named.conf
rm -f */named.memstats */named.run */named.run.prev rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-. rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/managed-keys.bind* rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock rm -f ns*/named.lock
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns5/named.args rm -f ns5/named.args
rm -f ns6/view1.mkeys ns6/view2.mkeys rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope rm -rf ns4/nope
...@@ -8,16 +8,16 @@ ...@@ -8,16 +8,16 @@
; information regarding copyright ownership. ; information regarding copyright ownership.
$TTL 20 $TTL 20
. IN SOA gson.nominum.com. a.root.servers.nil. ( . IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial 2000042100 ; serial
600 ; refresh 600 ; refresh
600 ; retry 600 ; retry
1200 ; expire 1200 ; expire
2 ; minimum 2 ; minimum
) )
. NS a.root-servers.nil. . NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1 a.root-servers.nil. A 10.53.0.1
; no delegation ; no delegation
example. TXT "This is a test." example. TXT "This is a test."
...@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf ...@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delv) # Configure a trusted key statement (used by delv).
keyfile_to_trusted_keys $keyname > trusted.conf keyfile_to_trusted_keys $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=Kunknown.+255+00000
cp unsupported.key "${unsupportedkey}.key"
# #
# Save keyname and keyid for managed key id test. # Save keyname and keyid for managed key id test.
# #
echo "$keyname" > managed.key echo "$keyname" > managed.key
echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0` keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id echo "$keyid" > managed.key.id
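Review bot: The new `cp unsupported.key "${unsupportedkey}.key"` creates `ns1/Kunknown.+255+00000.key`, but the visible test (tests.sh) appends `ns1/unsupported.key` itself to root.db rather than the K-file copy, so the copy looks unused from here; if it is needed by dnssec-signzone's `-K ns1` lookup, say so in the comment, otherwise drop it. The name `Kunknown.+255+00000` is a hand-made placeholder (algorithm 255 has no mnemonic, and the tests expect that no key tag can be computed for it), and the same literal is duplicated in ns6/setup.sh; a comment such as `# placeholder K-file name: algorithm 255 is unsupported, so no mnemonic or key tag exists` would make that clear. The visible clean.sh hunk does not remove this file; presumably a wildcard outside the hunk does, which is worth confirming.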
. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
...@@ -22,8 +22,8 @@ options { ...@@ -22,8 +22,8 @@ options {
recursion yes; recursion yes;
notify no; notify no;
dnssec-enable yes; dnssec-enable yes;
dnssec-validation auto; dnssec-validation yes;
bindkeys-file "managed.conf"; trust-anchor-telemetry no;
}; };
key rndc_key { key rndc_key {
...@@ -35,16 +35,9 @@ controls { ...@@ -35,16 +35,9 @@ controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
}; };
view view1 { zone "." {
zone "." { type hint;
type hint; file "../../common/root.hint";
file "../../common/root.hint";
};
}; };
view view2 { include "managed.conf";
zone "." {
type hint;
file "../../common/root.hint";
};
};
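Review bot: The change from `dnssec-validation auto;` plus `bindkeys-file "managed.conf";` to `dnssec-validation yes;` with `include "managed.conf";` and `trust-anchor-telemetry no;` is not explained in the file, and a reader of the test will have to re-derive why ns6 differs from the other validators. Suggest a comment above `include "managed.conf";` such as `// managed-keys (including an unsupported-algorithm key) are generated by setup.sh` and one above `trust-anchor-telemetry no;` giving the reason it is disabled; the latter is presumably to keep telemetry queries out of the logs and key-fetch sequence the tests wait on, but that intent should be confirmed by the author.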
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
zonefile=root.db
# an RSA key
rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
# a key with unsupported algorithm
unsupportedkey=Kunknown.+255+00000
cp unsupported-managed.key "${unsupportedkey}.key"
# root key
rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with a managed trusted key.
keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
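Review bot: The script reads `../ns1/managed.key` and copies `../ns1/${rootkey}.key`, so it only works after ns1/sign.sh has run; the top-level setup.sh does sequence them that way, but the dependency should be stated at the top of this file, e.g. `# Must run after ns1/sign.sh: uses the root key name and key file produced there`. The `Kunknown.+255+00000` name is a fabricated K-file name (algorithm 255, zero tag) whose meaning is not obvious; a comment like `# fake key file name: algorithm 255 is unsupported, so it has no mnemonic and no computable key tag` next to the assignment would help, since the same literal also appears in ns1/sign.sh.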
unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS7
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view view1 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
view view2 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
...@@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf ...@@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
cp ns5/named1.args ns5/named.args cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh ) ( cd ns1 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf cp ns2/managed.conf ns2/managed1.conf
...@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null ...@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1 mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5 mkeys_secroots_on 5
grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be # ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed # correctly refreshed and resolving should succeed
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
...@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 ...@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
ret=0
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
rm -f ns6/managed-keys.bind*
nextpart ns6/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
# log when an unsupported algorithm is encountered during startup
wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in managed-keys ($n)"
ret=0
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
n=`expr $n + 1`
echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
ret=0
cp ns1/root.db ns1/root.db.orig
ksk=`cat ns1/managed.key`
zsk=`cat ns1/zone.key`
cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
cp ns1/root.db.orig ns1/root.db
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in rollover ($n)"
ret=0
mkeys_reload_on 1
mkeys_refresh_on 6
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# log when an unsupported algorithm is encountered during rollover
wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "check 'rndc managed-keys' and views ($n)" echo_i "check 'rndc managed-keys' and views ($n)"
ret=0 ret=0
$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1 $RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1 grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
lines=`wc -l < rndc.out.ns6.view1.test$n` lines=`wc -l < rndc.out.ns7.view1.test$n`
[ $lines -eq 1 ] || ret=1 [ $lines -eq 1 ] || ret=1
$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1 $RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
lines=`wc -l < rndc.out.ns6.view2.test$n` lines=`wc -l < rndc.out.ns7.view2.test$n`
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
[ $lines -eq 2 ] || ret=1 [ $lines -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
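Review bot: The new "skipping unsupported algorithm in managed-keys" test sets `ret` from its two count checks but never reports or accumulates it: the `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=\`expr $status + $ret\`` pair that every sibling test ends with is missing between the second `[ "$count" -eq 2 ] || ret=1` and the following `n=\`expr $n + 1\``, so a regression there (the unsupported key reappearing in `rndc managed-keys status`) would pass silently. Add those two lines before the `n=` increment. In the rollover test, `cp ns1/root.db.orig ns1/root.db` runs after the signer regardless of the result, which is good, but a one-line comment stating that the DNSKEY records are only appended for signing and root.db is restored afterwards would make the `.orig` dance obvious. The test script starts and ends outside the hunk.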
...@@ -140,6 +140,14 @@ ...@@ -140,6 +140,14 @@
for records in the zone. [GL #771] for records in the zone. [GL #771]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
...@@ -70,8 +70,7 @@ typedef struct dst_context dst_context_t; ...@@ -70,8 +70,7 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_HMACSHA512 165 /* XXXMPA */ #define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_INDIRECT 252 #define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254 #define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255 #define DST_MAX_ALGS 256
#define DST_MAX_ALGS 255
/*% A buffer of this size is large enough to hold any key */ /*% A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280 #define DST_KEY_MAXSIZE 1280
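Review bot: The bump of `DST_MAX_ALGS` from 255 to 256 deserves a comment, because it is the part of the fix a later reader is most likely to "tidy" back: DNSKEY algorithm numbers are one octet, so any table sized by `DST_MAX_ALGS` and indexed by algorithm number had no slot for algorithm 255 (the value the removed `DST_ALG_EXPAND` held), and a key carrying that number, which the new tests exercise, would address one past the end. Suggest `#define DST_MAX_ALGS 256 /* algorithm numbers are 8-bit: 0..255 inclusive */`. Whether any remaining code still references `DST_ALG_EXPAND` cannot be determined from this hunk.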
......
...@@ -3931,9 +3931,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, ...@@ -3931,9 +3931,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
dns_rdatatype_dnskey, dnskey, &buffer); dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
if (result == ISC_R_SUCCESS) if (result == ISC_R_SUCCESS) {
*tag = dst_key_id(dstkey); *tag = dst_key_id(dstkey);
dst_key_free(&dstkey); dst_key_free(&dstkey);
}
return (result); return (result);
} }
...@@ -9652,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { ...@@ -9652,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_keydata_todnskey(&keydata, &dnskey, NULL); dns_keydata_todnskey(&keydata, &dnskey, NULL);
result = compute_tag(keyname, &dnskey, mctx, &keytag); result = compute_tag(keyname, &dnskey, mctx, &keytag);
if (result != ISC_R_SUCCESS) {
/*
* Skip if we cannot compute the key tag.
* This may happen if the algorithm is unsupported
*/
dns_zone_log(zone, ISC_LOG_ERROR,
"Cannot compute tag for key in zone %s: %s "
"(skipping)",
namebuf, dns_result_totext(result));
continue;
}
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
/* /*
...@@ -9765,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { ...@@ -9765,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
} }
result = compute_tag(keyname, &dnskey, mctx, &keytag); result = compute_tag(keyname, &dnskey, mctx, &keytag);
if (result != ISC_R_SUCCESS) {
/*
* Skip if we cannot compute the key tag.
* This may happen if the algorithm is unsupported
*/
dns_zone_log(zone, ISC_LOG_ERROR,
"Cannot compute tag for key in zone %s: %s "
"(skipping)",
namebuf, dns_result_totext(result));
continue;
}
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0); revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
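Review bot: In both keyfetch_done hunks the `RUNTIME_CHECK(result == ISC_R_SUCCESS);` immediately after the new `if (result != ISC_R_SUCCESS) { ... continue; }` block can no longer fail, since every non-success result now takes the skip path; it is the remnant of the abort that CVE-2018-5745 describes and should be removed so the code does not suggest a second failure mode. The error log is emitted on every key-fetch cycle for as long as the authoritative zone publishes the unsupported key; that repetition seems intended as the operator signal, but a short comment saying so (e.g. `/* logged on each refresh while the zone publishes the key */`) would prevent it being "fixed" as noise. keyfetch_done begins and ends outside the hunk, so whether `namebuf` is populated before the new log line cannot be confirmed here; it is used by the pre-existing code on the same path, presumably.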
......