Commit 9aac7f52 authored by Mark Andrews's avatar Mark Andrews

Merge branch '884-patches-to-review-6' into 'master'

Check all RSA algorithms for weak keys.

Closes #884

See merge request !1535
parents 56106437 30a50f9b
Pipeline #15591 passed with stages
in 1 minute
......@@ -3220,8 +3220,6 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
isc_result_t result;
bool logit, foundrsa = false;
const char *algorithm;
result = dns_db_findnode(db, &zone->origin, false, &node);
if (result != ISC_R_SUCCESS) {
......@@ -3260,20 +3258,42 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
* a more conservative choice would be 65537 (F4, the fourth
* fermat number).
*/
if (dnskey.algorithm == DST_ALG_RSASHA1 &&
dnskey.datalen > 1 && dnskey.data[0] == 1 &&
if (dnskey.datalen > 1 && dnskey.data[0] == 1 &&
dnskey.data[1] == 3)
{
if (dnskey.algorithm == DST_ALG_RSASHA1) {
logit = !foundrsa;
foundrsa = true;
const char *algorithm = "";
isc_region_t r;
bool logit = true;
dns_rdata_toregion(&rdata, &r);
switch (dnskey.algorithm) {
case DNS_KEYALG_RSAMD5:
algorithm = "RSAMD5";
break;
case DNS_KEYALG_RSASHA1:
algorithm = "RSASHA1";
break;
case DNS_KEYALG_NSEC3RSASHA1:
algorithm = "NSEC3RSASHA1";
break;
case DNS_KEYALG_RSASHA256:
algorithm = "RSASHA236";
break;
case DNS_KEYALG_RSASHA512:
algorithm = "RSASHA512";
break;
default:
logit = false;
break;
}
if (logit) {
dnssec_log(zone, ISC_LOG_WARNING,
"weak %s (%u) key found "
"(exponent=3)", algorithm,
dnskey.algorithm);
"(exponent=3, id=%u)", algorithm,
dnskey.algorithm,
dst_region_computeid(&r));
}
}
dns_rdata_reset(&rdata);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment