Date:      Sat, 21 Mar 2009 23:00:40 +0000 (UTC)
From:      Doug Barton <dougb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r190227 - in head/contrib/bind9: . lib/dns
Message-ID:  <200903212300.n2LN0eIO049748@svn.freebsd.org>

Author: dougb
Date: Sat Mar 21 23:00:40 2009
New Revision: 190227
URL: http://svn.freebsd.org/changeset/base/190227

Log:
  Merge from vendor/bind9/dist as of the 9.4.3-P2 import

Modified:
  head/contrib/bind9/   (props changed)
  head/contrib/bind9/CHANGES
  head/contrib/bind9/lib/dns/validator.c
  head/contrib/bind9/version

Modified: head/contrib/bind9/CHANGES
==============================================================================
--- head/contrib/bind9/CHANGES	Sat Mar 21 22:59:02 2009	(r190226)
+++ head/contrib/bind9/CHANGES	Sat Mar 21 23:00:40 2009	(r190227)
@@ -1,3 +1,8 @@
+	--- 9.4.3-P2 released ---
+
+2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
+			algorithms. [RT #19479]
+
 	--- 9.4.3-P1 released ---
 
 2522.	[security]	Handle -1 from DSA_do_verify().

Modified: head/contrib/bind9/lib/dns/validator.c
==============================================================================
--- head/contrib/bind9/lib/dns/validator.c	Sat Mar 21 22:59:02 2009	(r190226)
+++ head/contrib/bind9/lib/dns/validator.c	Sat Mar 21 23:00:40 2009	(r190227)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.41 2008/08/21 04:59:42 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
 
 /*! \file */
 
@@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) {
 	return (ISC_TRUE);
 }
 
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dlv_t dlv;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&val->dlv, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+		    dlv.digest_type != DNS_DSDIGEST_SHA1)
+			continue;
+
+		return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
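Review bot: The loop in `dlv_algorithm_supported` accepts a record only when the resolver supports its key algorithm and its digest type is one of two hardcoded values (L76-77), but the header comment at L54-56 mentions only algorithms, and it does not say what the callers do with a negative answer: dlvfetched and startfinddlvsep then mark the answer insecure rather than bogus, which is the security consequence a maintainer needs to see here. Suggested header: `/* Return ISC_TRUE if at least one DLV record uses a key algorithm the resolver supports and a digest type this code can compute (SHA1 or SHA256); callers treat a DLV RRset with no usable record as insecure, not bogus. */` (this also fixes the typo `atleast`). `RUNTIME_CHECK(result == ISC_R_SUCCESS)` on the `dns_rdata_tostruct` call aborts the process if the conversion fails; presumably the RRset was already wire-checked when it was received so this cannot trigger on data from the network, but that assumption is worth stating in a comment since a plain `continue` would be the softer choice.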
@@ -2297,19 +2328,36 @@ dlvfetched(isc_task_t *task, isc_event_t
 				sizeof(namebuf));
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
-		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-		dlv_validator_start(val);
+		if (dlv_algorithm_supported(val)) {
+			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+				      namebuf);
+			dlv_validator_start(val);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "DLV %s found with no supported algorithms",
+				      namebuf);
+			markanswer(val);
+			validator_done(val, ISC_R_SUCCESS);
+		}
 	} else if (eresult == DNS_R_NXRRSET ||
 		   eresult == DNS_R_NXDOMAIN ||
 		   eresult == DNS_R_NCACHENXRRSET ||
 		   eresult == DNS_R_NCACHENXDOMAIN) {
-		   result = finddlvsep(val, ISC_TRUE);
+		result = finddlvsep(val, ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {
-			dns_name_format(dns_fixedname_name(&val->dlvsep),
-					namebuf, sizeof(namebuf));
-			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
-				      namebuf);
-			dlv_validator_start(val);
+			if (dlv_algorithm_supported(val)) {
+				dns_name_format(dns_fixedname_name(&val->dlvsep),
+						namebuf, sizeof(namebuf));
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found", namebuf);
+				dlv_validator_start(val);
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found with no supported "
+					      "algorithms", namebuf);
+				markanswer(val);
+				validator_done(val, ISC_R_SUCCESS);
+			}
 		} else if (result == ISC_R_NOTFOUND) {
 			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
 			markanswer(val);
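Review bot: In the new else branch at L124-126 `namebuf` is passed to validator_log, yet within this hunk the only `dns_name_format` that fills it on the NXRRSET path now sits inside the `if (dlv_algorithm_supported(val))` arm (L118-119); unless namebuf was formatted earlier in dlvfetched (the function starts and ends outside the hunk), the "no supported algorithms" message logs an uninitialized buffer. Move the formatting above the test: drop L118-119 and place `dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf));` directly after `if (result == ISC_R_SUCCESS) {` on L111, so both arms log a valid name. The found/unsupported branching is also repeated three times now (L94-104, L117-129 and startfinddlvsep at L140-149); a small static helper taking val and namebuf that runs dlv_algorithm_supported, logs, and either starts the DLV validator or calls markanswer and validator_done would keep the copies from drifting apart.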
@@ -2372,9 +2420,16 @@ startfinddlvsep(dns_validator_t *val, dn
 	}
 	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
 			sizeof(namebuf));
-	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-	dlv_validator_start(val);
-	return (DNS_R_WAIT);
+	if (dlv_algorithm_supported(val)) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+		dlv_validator_start(val);
+		return (DNS_R_WAIT);
+	} 
+	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+		      "algorithms", namebuf);
+	markanswer(val);
+	validator_done(val, ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*%
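Review bot: The new tail of startfinddlvsep calls `validator_done(val, ISC_R_SUCCESS)` and then also returns ISC_R_SUCCESS to its caller, which lies outside the hunk; if that caller completes the validator itself whenever the result is not DNS_R_WAIT, validator_done runs twice on this path, which is only safe if it tolerates a second call on an already-finished validator. Either document that with `/* validator_done() has already run; ISC_R_SUCCESS here is for the caller's bookkeeping only. */` or omit the call and let the caller finish the validator, whichever matches the existing contract. L144 also carries trailing whitespace after the closing brace.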

Modified: head/contrib/bind9/version
==============================================================================
--- head/contrib/bind9/version	Sat Mar 21 22:59:02 2009	(r190226)
+++ head/contrib/bind9/version	Sat Mar 21 23:00:40 2009	(r190227)
@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.23.2.1 2008/12/24 00:21:22 marka Exp $
+# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2


