Upgrade Unbound to 1.6.8. More to follow.
commit
838e13ceea
8
contrib/unbound/aclocal.m4
vendored
@ -1,6 +1,6 @@
|
||||
# generated automatically by aclocal 1.15 -*- Autoconf -*-
|
||||
# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1996-2017 Free Software Foundation, Inc.
|
||||
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@ -9390,7 +9390,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
|
||||
|
||||
# AM_CONDITIONAL -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 1997-2014 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1997-2017 Free Software Foundation, Inc.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@ -9421,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE(
|
||||
Usually this means the macro was only invoked conditionally.]])
|
||||
fi])])
|
||||
|
||||
# Copyright (C) 2006-2014 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2006-2017 Free Software Foundation, Inc.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
|
@ -605,7 +605,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.6.7"
|
||||
#define PACKAGE_STRING "unbound 1.6.8"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -614,7 +614,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.6.7"
|
||||
#define PACKAGE_VERSION "1.6.8"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -633,7 +633,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,6,7,0
|
||||
#define RSRC_PACKAGE_VERSION 1,6,8,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
|
25
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.6.7.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.6.8.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.6.7'
|
||||
PACKAGE_STRING='unbound 1.6.7'
|
||||
PACKAGE_VERSION='1.6.8'
|
||||
PACKAGE_STRING='unbound 1.6.8'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.6.8 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1502,7 +1502,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.6.7:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.6.8:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1714,7 +1714,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.6.7
|
||||
unbound configure 1.6.8
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.6.7, which was
|
||||
It was created by unbound $as_me 1.6.8, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=6
|
||||
|
||||
UNBOUND_VERSION_MICRO=7
|
||||
UNBOUND_VERSION_MICRO=8
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=6
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2837,6 +2837,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.5 had 7:4:5
|
||||
# 1.6.6 had 7:5:5
|
||||
# 1.6.7 had 7:6:5
|
||||
# 1.6.8 had 7:7:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -20694,7 +20695,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.6.7
|
||||
version=1.6.8
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -21213,7 +21214,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.6.7, which was
|
||||
This file was extended by unbound $as_me 1.6.8, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -21279,7 +21280,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.6.7
|
||||
unbound config.status 1.6.8
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[6])
|
||||
m4_define([VERSION_MICRO],[7])
|
||||
m4_define([VERSION_MICRO],[8])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=6
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -76,6 +76,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.5 had 7:4:5
|
||||
# 1.6.6 had 7:5:5
|
||||
# 1.6.7 had 7:6:5
|
||||
# 1.6.8 had 7:7:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -1,3 +1,7 @@
|
||||
19 January 2018: Wouter
|
||||
- patch for CVE-2017-15105: vulnerability in the processing of
|
||||
wildcard synthesized NSEC records.
|
||||
|
||||
10 October 2017: Wouter
|
||||
- tag 1.6.7
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.6.7
|
||||
README for Unbound 1.6.8
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.6.7.
|
||||
# See unbound.conf(5) man page, version 1.6.8.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.6.7.
|
||||
# See unbound.conf(5) man page, version 1.6.8.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "libunbound" "3" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -43,7 +43,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.6.7 functions.
|
||||
\- Unbound DNS validating resolver 1.6.8 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "libunbound" "3" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -43,7 +43,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.6.7 functions.
|
||||
\- Unbound DNS validating resolver 1.6.8 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-anchor" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-anchor" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-checkconf" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-checkconf" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-control" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound-control" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound\-host" "1" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound\-host" "1" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.6.7.
|
||||
\- Unbound DNS validating resolver 1.6.8.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.6.7.
|
||||
\- Unbound DNS validating resolver 1.6.8.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound.conf" "5" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
|
||||
.TH "unbound.conf" "5" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
|
@ -1227,17 +1227,20 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
|
||||
* @param ve: validator environment (with options) for verification.
|
||||
* @param tp: trust point to verify with
|
||||
* @param rrset: DNSKEY rrset to verify.
|
||||
* @param qstate: qstate with region.
|
||||
* @return false on failure, true if verification successful.
|
||||
*/
|
||||
static int
|
||||
verify_dnskey(struct module_env* env, struct val_env* ve,
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* rrset)
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* rrset,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
char* reason = NULL;
|
||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||
int downprot = env->cfg->harden_algo_downgrade;
|
||||
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
|
||||
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
|
||||
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason,
|
||||
qstate);
|
||||
/* sigalg is ignored, it returns algorithms signalled to exist, but
|
||||
* in 5011 there are no other rrsets to check. if downprot is
|
||||
* enabled, then it checks that the DNSKEY is signed with all
|
||||
@ -1276,7 +1279,8 @@ min_expiry(struct module_env* env, struct packed_rrset_data* dd)
|
||||
/** Is rr self-signed revoked key */
|
||||
static int
|
||||
rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset, size_t i)
|
||||
struct ub_packed_rrset_key* dnskey_rrset, size_t i,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec;
|
||||
char* reason = NULL;
|
||||
@ -1285,7 +1289,7 @@ rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
|
||||
/* no algorithm downgrade protection necessary, if it is selfsigned
|
||||
* revoked it can be removed. */
|
||||
sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i,
|
||||
&reason);
|
||||
&reason, LDNS_SECTION_ANSWER, qstate);
|
||||
return (sec == sec_status_secure);
|
||||
}
|
||||
|
||||
@ -1501,7 +1505,7 @@ init_events(struct trust_anchor* tp)
|
||||
static void
|
||||
check_contains_revoked(struct module_env* env, struct val_env* ve,
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
int* changed)
|
||||
int* changed, struct module_qstate* qstate)
|
||||
{
|
||||
struct packed_rrset_data* dd = (struct packed_rrset_data*)
|
||||
dnskey_rrset->entry.data;
|
||||
@ -1521,7 +1525,7 @@ check_contains_revoked(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
if(!ta)
|
||||
continue; /* key not found */
|
||||
if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) {
|
||||
if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i, qstate)) {
|
||||
/* checked if there is an rrsig signed by this key. */
|
||||
/* same keytag, but stored can be revoked already, so
|
||||
* compare keytags, with +0 or +128(REVOKE flag) */
|
||||
@ -2118,7 +2122,8 @@ autr_tp_remove(struct module_env* env, struct trust_anchor* tp,
|
||||
}
|
||||
|
||||
int autr_process_prime(struct module_env* env, struct val_env* ve,
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset)
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
int changed = 0;
|
||||
log_assert(tp && tp->autr);
|
||||
@ -2159,7 +2164,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
|
||||
return 1; /* trust point exists */
|
||||
}
|
||||
/* check for revoked keys to remove immediately */
|
||||
check_contains_revoked(env, ve, tp, dnskey_rrset, &changed);
|
||||
check_contains_revoked(env, ve, tp, dnskey_rrset, &changed, qstate);
|
||||
if(changed) {
|
||||
verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble");
|
||||
if(!autr_assemble(tp)) {
|
||||
@ -2175,7 +2180,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
}
|
||||
/* verify the dnskey rrset and see if it is valid. */
|
||||
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
|
||||
if(!verify_dnskey(env, ve, tp, dnskey_rrset, qstate)) {
|
||||
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
|
||||
/* only increase failure count if this is not the first prime,
|
||||
* this means there was a previous successful probe */
|
||||
|
@ -47,6 +47,7 @@ struct val_anchors;
|
||||
struct trust_anchor;
|
||||
struct ub_packed_rrset_key;
|
||||
struct module_env;
|
||||
struct module_qstate;
|
||||
struct val_env;
|
||||
struct sldns_buffer;
|
||||
|
||||
@ -188,12 +189,14 @@ void autr_point_delete(struct trust_anchor* tp);
|
||||
* @param tp: trust anchor to process.
|
||||
* @param dnskey_rrset: DNSKEY rrset probed (can be NULL if bad prime result).
|
||||
* allocated in a region. Has not been validated yet.
|
||||
* @param qstate: qstate with region.
|
||||
* @return false if trust anchor was revoked completely.
|
||||
* Otherwise logs errors to log, does not change return value.
|
||||
* On errors, likely the trust point has been unchanged.
|
||||
*/
|
||||
int autr_process_prime(struct module_env* env, struct val_env* ve,
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset);
|
||||
struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Debug printout of rfc5011 tracked anchors
|
||||
|
@ -176,7 +176,7 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
|
||||
static int
|
||||
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
|
||||
char** reason)
|
||||
char** reason, struct module_qstate* qstate)
|
||||
{
|
||||
struct packed_rrset_data* d = (struct packed_rrset_data*)
|
||||
nsec->entry.data;
|
||||
@ -185,7 +185,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
|
||||
if(d->security == sec_status_secure)
|
||||
return 1;
|
||||
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
|
||||
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
|
||||
LDNS_SECTION_AUTHORITY, qstate);
|
||||
if(d->security == sec_status_secure) {
|
||||
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
|
||||
return 1;
|
||||
@ -196,7 +197,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
enum sec_status
|
||||
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
|
||||
struct query_info* qinfo, struct reply_info* rep,
|
||||
struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
|
||||
struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
|
||||
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
|
||||
@ -213,7 +215,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
|
||||
* 1) this is a delegation point and there is no DS
|
||||
* 2) this is not a delegation point */
|
||||
if(nsec) {
|
||||
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
|
||||
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
|
||||
verbose(VERB_ALGO, "NSEC RRset for the "
|
||||
"referral did not verify.");
|
||||
return sec_status_bogus;
|
||||
@ -242,7 +244,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
|
||||
i++) {
|
||||
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
|
||||
continue;
|
||||
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
|
||||
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
|
||||
qstate)) {
|
||||
verbose(VERB_ALGO, "NSEC for empty non-terminal "
|
||||
"did not verify.");
|
||||
return sec_status_bogus;
|
||||
|
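Review bot: The early return at `if(d->security == sec_status_secure) return 1;` in nsec_verify_rrset fires before val_verify_rrset_entry is reached, so an NSEC whose status was just copied from the rrset cache by rrset_check_sec_status never goes through the owner-name rewrite that the new LDNS_SECTION_AUTHORITY argument exists for. If the same NSEC RRset can be marked secure in the cache by a verification in another context (an answer-section verification, or an entry written before this upgrade), a wildcard-synthesized NSEC would then be accepted here under its synthesized owner rather than its canonical `*.` owner; whether the cache can hand back a secure status that way is not visible from this hunk and should be checked against rrset_check_sec_status. If it can, the cached fast path should be skipped for NSEC in the authority section, or the cached status trusted only when the stored owner is already the canonical one. At minimum the assumption should be recorded at the early return: `/* cached secure status bypasses the authority-section owner rewrite in rrset_canonical; relies on the cache never holding a secure wildcard-synthesized NSEC under its expanded owner */`. nsec_verify_rrset continues past the end of the hunk.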
@ -46,6 +46,7 @@
|
||||
#include "util/data/packed_rrset.h"
|
||||
struct val_env;
|
||||
struct module_env;
|
||||
struct module_qstate;
|
||||
struct ub_packed_rrset_key;
|
||||
struct reply_info;
|
||||
struct query_info;
|
||||
@ -64,6 +65,7 @@ struct key_entry_key;
|
||||
* @param kkey: key entry to use for verification of signatures.
|
||||
* @param proof_ttl: if secure, the TTL of how long this proof lasts.
|
||||
* @param reason: string explaining why bogus.
|
||||
* @param qstate: qstate with region.
|
||||
* @return security status.
|
||||
* SECURE: proved absence of DS.
|
||||
* INSECURE: proved that this was not a delegation point.
|
||||
@ -73,7 +75,7 @@ struct key_entry_key;
|
||||
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
|
||||
struct val_env* ve, struct query_info* qinfo,
|
||||
struct reply_info* rep, struct key_entry_key* kkey,
|
||||
time_t* proof_ttl, char** reason);
|
||||
time_t* proof_ttl, char** reason, struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
|
||||
|
@ -1285,7 +1285,7 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
|
||||
static int
|
||||
list_is_secure(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key** list, size_t num,
|
||||
struct key_entry_key* kkey, char** reason)
|
||||
struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)
|
||||
{
|
||||
struct packed_rrset_data* d;
|
||||
size_t i;
|
||||
@ -1299,7 +1299,7 @@ list_is_secure(struct module_env* env, struct val_env* ve,
|
||||
if(d->security == sec_status_secure)
|
||||
continue;
|
||||
d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
|
||||
reason);
|
||||
reason, LDNS_SECTION_AUTHORITY, qstate);
|
||||
if(d->security != sec_status_secure) {
|
||||
verbose(VERB_ALGO, "NSEC3 did not verify");
|
||||
return 0;
|
||||
@ -1312,7 +1312,8 @@ list_is_secure(struct module_env* env, struct val_env* ve,
|
||||
enum sec_status
|
||||
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key** list, size_t num,
|
||||
struct query_info* qinfo, struct key_entry_key* kkey, char** reason)
|
||||
struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
rbtree_type ct;
|
||||
struct nsec3_filter flt;
|
||||
@ -1325,7 +1326,7 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
|
||||
*reason = "no valid NSEC3s";
|
||||
return sec_status_bogus; /* no valid NSEC3s, bogus */
|
||||
}
|
||||
if(!list_is_secure(env, ve, list, num, kkey, reason))
|
||||
if(!list_is_secure(env, ve, list, num, kkey, reason, qstate))
|
||||
return sec_status_bogus; /* not all NSEC3 records secure */
|
||||
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
|
||||
filter_init(&flt, list, num, qinfo); /* init RR iterator */
|
||||
|
@ -71,6 +71,7 @@
|
||||
struct val_env;
|
||||
struct regional;
|
||||
struct module_env;
|
||||
struct module_qstate;
|
||||
struct ub_packed_rrset_key;
|
||||
struct reply_info;
|
||||
struct query_info;
|
||||
@ -185,6 +186,7 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
|
||||
* @param qinfo: query that is verified for.
|
||||
* @param kkey: key entry that signed the NSEC3s.
|
||||
* @param reason: string for bogus result.
|
||||
* @param qstate: qstate with region.
|
||||
* @return:
|
||||
* sec_status SECURE of the proposition is proven by the NSEC3 RRs,
|
||||
* BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
|
||||
@ -194,7 +196,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
|
||||
enum sec_status
|
||||
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key** list, size_t num,
|
||||
struct query_info* qinfo, struct key_entry_key* kkey, char** reason);
|
||||
struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Prove NXDOMAIN or NODATA.
|
||||
|
@ -485,7 +485,8 @@ int algo_needs_missing(struct algo_needs* n)
|
||||
enum sec_status
|
||||
dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
||||
uint8_t* sigalg, char** reason)
|
||||
uint8_t* sigalg, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec;
|
||||
size_t i, num;
|
||||
@ -512,7 +513,7 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
for(i=0; i<num; i++) {
|
||||
sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
|
||||
dnskey, i, &sortree, reason);
|
||||
dnskey, i, &sortree, reason, section, qstate);
|
||||
/* see which algorithm has been fixed up */
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg)
|
||||
@ -553,7 +554,8 @@ void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
|
||||
enum sec_status
|
||||
dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
||||
size_t dnskey_idx, char** reason)
|
||||
size_t dnskey_idx, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec;
|
||||
size_t i, num, numchecked = 0;
|
||||
@ -577,7 +579,8 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
buf_canon = 0;
|
||||
sec = dnskey_verify_rrset_sig(env->scratch,
|
||||
env->scratch_buffer, ve, *env->now, rrset,
|
||||
dnskey, dnskey_idx, i, &sortree, &buf_canon, reason);
|
||||
dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
|
||||
section, qstate);
|
||||
if(sec == sec_status_secure)
|
||||
return sec;
|
||||
numchecked ++;
|
||||
@ -591,7 +594,8 @@ enum sec_status
|
||||
dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
|
||||
time_t now, struct ub_packed_rrset_key* rrset,
|
||||
struct ub_packed_rrset_key* dnskey, size_t sig_idx,
|
||||
struct rbtree_type** sortree, char** reason)
|
||||
struct rbtree_type** sortree, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
/* find matching keys and check them */
|
||||
enum sec_status sec = sec_status_bogus;
|
||||
@ -616,7 +620,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
|
||||
/* see if key verifies */
|
||||
sec = dnskey_verify_rrset_sig(env->scratch,
|
||||
env->scratch_buffer, ve, now, rrset, dnskey, i,
|
||||
sig_idx, sortree, &buf_canon, reason);
|
||||
sig_idx, sortree, &buf_canon, reason, section, qstate);
|
||||
if(sec == sec_status_secure)
|
||||
return sec;
|
||||
}
|
||||
@ -1121,12 +1125,15 @@ int rrset_canonical_equal(struct regional* region,
|
||||
* signer name length.
|
||||
* @param sortree: if NULL is passed a new sorted rrset tree is built.
|
||||
* Otherwise it is reused.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return false on alloc error.
|
||||
*/
|
||||
static int
|
||||
rrset_canonical(struct regional* region, sldns_buffer* buf,
|
||||
struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
|
||||
struct rbtree_type** sortree)
|
||||
struct rbtree_type** sortree, sldns_pkt_section section,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
|
||||
uint8_t* can_owner = NULL;
|
||||
@ -1175,6 +1182,20 @@ rrset_canonical(struct regional* region, sldns_buffer* buf,
|
||||
canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
|
||||
}
|
||||
sldns_buffer_flip(buf);
|
||||
|
||||
/* Replace RR owner with canonical owner for NSEC records in authority
|
||||
* section, to prevent that a wildcard synthesized NSEC can be used in
|
||||
* the non-existence proves. */
|
||||
if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
|
||||
section == LDNS_SECTION_AUTHORITY) {
|
||||
k->rk.dname = regional_alloc_init(qstate->region, can_owner,
|
||||
can_owner_len);
|
||||
if(!k->rk.dname)
|
||||
return 0;
|
||||
k->rk.dname_len = can_owner_len;
|
||||
}
|
||||
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1318,7 +1339,8 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
|
||||
struct val_env* ve, time_t now,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
||||
size_t dnskey_idx, size_t sig_idx,
|
||||
struct rbtree_type** sortree, int* buf_canon, char** reason)
|
||||
struct rbtree_type** sortree, int* buf_canon, char** reason,
|
||||
sldns_pkt_section section, struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec;
|
||||
uint8_t* sig; /* RRSIG rdata */
|
||||
@ -1417,7 +1439,7 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
|
||||
/* create rrset canonical format in buffer, ready for
|
||||
* signature */
|
||||
if(!rrset_canonical(region, buf, rrset, sig+2,
|
||||
18 + signer_len, sortree)) {
|
||||
18 + signer_len, sortree, section, qstate)) {
|
||||
log_err("verify: failed due to alloc error");
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
|
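Review bot: The new block in rrset_canonical rewrites `k->rk.dname` and `k->rk.dname_len` of the rrset key in place, but nothing here refreshes whatever cache identity the key carried under its original owner, so a later rrset-cache operation on the same key (for example the `rrset_update_sec_status` call in nsec_verify_rrset after a successful verification) presumably operates on a name that no longer matches the one the entry was looked up or hashed by; please confirm against the rrset cache code whether a hash recompute is needed or whether the cache update should keep using the original key. The branch also dereferences `qstate` with no check, while the callers added in autotrust.c only ever reach this function with LDNS_SECTION_ANSWER and so never exercise it; that precondition is worth making explicit with `log_assert(qstate);` inside the `if`, or by stating in the function comment that qstate may be NULL only when section is not LDNS_SECTION_AUTHORITY. A why-comment on the assignment would help a reader who has not seen the CVE: `/* can_owner is the owner the RRSIG actually covers (the wildcard form for a synthesized record); keep the NSEC under that name so its range cannot be read as the expanded name's */`. rrset_canonical's body begins outside the hunk, so the derivation of can_owner is not shown here.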
@ -44,8 +44,10 @@
|
||||
#ifndef VALIDATOR_VAL_SIGCRYPT_H
|
||||
#define VALIDATOR_VAL_SIGCRYPT_H
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "sldns/pkthdr.h"
|
||||
struct val_env;
|
||||
struct module_env;
|
||||
struct module_qstate;
|
||||
struct ub_packed_rrset_key;
|
||||
struct rbtree_type;
|
||||
struct regional;
|
||||
@ -237,13 +239,16 @@ uint16_t dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx);
|
||||
* @param sigalg: if nonNULL provide downgrade protection otherwise one
|
||||
* algorithm is enough.
|
||||
* @param reason: if bogus, a string returned, fixed or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return SECURE if one key in the set verifies one rrsig.
|
||||
* UNCHECKED on allocation errors, unsupported algorithms, malformed data,
|
||||
* and BOGUS on verification failures (no keys match any signatures).
|
||||
*/
|
||||
enum sec_status dnskeyset_verify_rrset(struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* rrset,
|
||||
struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason);
|
||||
struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason,
|
||||
sldns_pkt_section section, struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* verify rrset against one specific dnskey (from rrset)
|
||||
@ -253,12 +258,15 @@ enum sec_status dnskeyset_verify_rrset(struct module_env* env,
|
||||
* @param dnskey: DNSKEY rrset, keyset.
|
||||
* @param dnskey_idx: which key from the rrset to try.
|
||||
* @param reason: if bogus, a string returned, fixed or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return secure if *this* key signs any of the signatures on rrset.
|
||||
* unchecked on error or and bogus on bad signature.
|
||||
*/
|
||||
enum sec_status dnskey_verify_rrset(struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* rrset,
|
||||
struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason);
|
||||
struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason,
|
||||
sldns_pkt_section section, struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* verify rrset, with dnskey rrset, for a specific rrsig in rrset
|
||||
@ -271,13 +279,16 @@ enum sec_status dnskey_verify_rrset(struct module_env* env,
|
||||
* @param sortree: reused sorted order. Stored in region. Pass NULL at start,
|
||||
* and for a new rrset.
|
||||
* @param reason: if bogus, a string returned, fixed or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return secure if any key signs *this* signature. bogus if no key signs it,
|
||||
* or unchecked on error.
|
||||
*/
|
||||
enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env,
|
||||
struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset,
|
||||
struct ub_packed_rrset_key* dnskey, size_t sig_idx,
|
||||
struct rbtree_type** sortree, char** reason);
|
||||
struct rbtree_type** sortree, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* verify rrset, with specific dnskey(from set), for a specific rrsig
|
||||
@ -295,6 +306,8 @@ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env,
|
||||
* pass false at start. pass old value only for same rrset and same
|
||||
* signature (but perhaps different key) for reuse.
|
||||
* @param reason: if bogus, a string returned, fixed or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return secure if this key signs this signature. unchecked on error or
|
||||
* bogus if it did not validate.
|
||||
*/
|
||||
@ -302,7 +315,8 @@ enum sec_status dnskey_verify_rrset_sig(struct regional* region,
|
||||
struct sldns_buffer* buf, struct val_env* ve, time_t now,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
||||
size_t dnskey_idx, size_t sig_idx,
|
||||
struct rbtree_type** sortree, int* buf_canon, char** reason);
|
||||
struct rbtree_type** sortree, int* buf_canon, char** reason,
|
||||
sldns_pkt_section section, struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* canonical compare for two tree entries
|
||||
|
@ -335,7 +335,8 @@ rrset_get_ttl(struct ub_packed_rrset_key* rrset)
|
||||
enum sec_status
|
||||
val_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
|
||||
uint8_t* sigalg, char** reason)
|
||||
uint8_t* sigalg, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec;
|
||||
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
|
||||
@ -357,7 +358,8 @@ val_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
|
||||
ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
|
||||
sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
|
||||
sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
|
||||
section, qstate);
|
||||
verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
|
||||
regional_free_all(env->scratch);
|
||||
|
||||
@ -390,7 +392,7 @@ val_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
enum sec_status
|
||||
val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
|
||||
char** reason)
|
||||
char** reason, sldns_pkt_section section, struct module_qstate* qstate)
|
||||
{
|
||||
/* temporary dnskey rrset-key */
|
||||
struct ub_packed_rrset_key dnskey;
|
||||
@ -403,7 +405,8 @@ val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
|
||||
dnskey.rk.dname_len = kkey->namelen;
|
||||
dnskey.entry.key = &dnskey;
|
||||
dnskey.entry.data = kd->rrset_data;
|
||||
sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
|
||||
sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
|
||||
section, qstate);
|
||||
return sec;
|
||||
}
|
||||
|
||||
@ -411,7 +414,8 @@ val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
|
||||
static enum sec_status
|
||||
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
|
||||
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec = sec_status_bogus;
|
||||
size_t i, num, numchecked = 0, numhashok = 0;
|
||||
@ -442,7 +446,7 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
/* Otherwise, we have a match! Make sure that the DNSKEY
|
||||
* verifies *with this key* */
|
||||
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
|
||||
dnskey_rrset, i, reason);
|
||||
dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
return sec;
|
||||
}
|
||||
@ -478,7 +482,8 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
|
||||
enum sec_status
|
||||
val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
|
||||
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
/* as long as this is false, we can consider this DS rrset to be
|
||||
* equivalent to no DS rrset. */
|
||||
@ -520,7 +525,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
||||
has_useful_ds = 1;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ds_rrset, i, reason);
|
||||
ds_rrset, i, reason, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)ds_get_key_algo(ds_rrset, i))) {
|
||||
@ -553,11 +558,12 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
||||
struct key_entry_key*
|
||||
val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
|
||||
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||
enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
|
||||
dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
|
||||
dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate);
|
||||
|
||||
if(sec == sec_status_secure) {
|
||||
return key_entry_create_rrset(region,
|
||||
@ -579,7 +585,8 @@ enum sec_status
|
||||
val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ta_ds,
|
||||
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
|
||||
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
/* as long as this is false, we can consider this anchor to be
|
||||
* equivalent to no anchor. */
|
||||
@ -630,7 +637,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
has_useful_ta = 1;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ta_ds, i, reason);
|
||||
ta_ds, i, reason, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)ds_get_key_algo(ta_ds, i))) {
|
||||
@ -656,7 +663,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
has_useful_ta = 1;
|
||||
|
||||
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
|
||||
ta_dnskey, i, reason);
|
||||
ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
|
||||
@ -690,12 +697,12 @@ val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ta_ds_rrset,
|
||||
struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
|
||||
char** reason)
|
||||
char** reason, struct module_qstate* qstate)
|
||||
{
|
||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
|
||||
dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
|
||||
downprot?sigalg:NULL, reason);
|
||||
downprot?sigalg:NULL, reason, qstate);
|
||||
|
||||
if(sec == sec_status_secure) {
|
||||
return key_entry_create_rrset(region,
|
||||
|
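Review bot: The new `qstate` parameter threaded through val_verify_rrset, val_verify_rrset_entry, verify_dnskeys_with_ds_rr, val_verify_DNSKEY_with_DS, val_verify_DNSKEY_with_TA and the two val_verify_new_DNSKEYs variants carries no statement of whether NULL is accepted, while val_verify_rrset still calls `regional_free_all(env->scratch)` right after the verification, so a reader cannot tell which of the two regions anything reached through qstate must live in. Suggest a contract comment on val_verify_rrset along the lines of `/* qstate: query state whose region outlives the scratch free below; NULL handling to be confirmed against the callers */` rather than leaving the parameter undocumented at the definition. The two hard-coded `LDNS_SECTION_ANSWER` arguments in verify_dnskeys_with_ds_rr and val_verify_DNSKEY_with_TA are the only places the section is not supplied by the caller and deserve a why-comment such as `/* the DNSKEY rrset under test is the answer of the DNSKEY query */`. The bodies of all of these functions extend outside the hunks.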
@ -42,10 +42,12 @@
|
||||
#ifndef VALIDATOR_VAL_UTILS_H
|
||||
#define VALIDATOR_VAL_UTILS_H
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "sldns/pkthdr.h"
|
||||
struct query_info;
|
||||
struct reply_info;
|
||||
struct val_env;
|
||||
struct module_env;
|
||||
struct module_qstate;
|
||||
struct ub_packed_rrset_key;
|
||||
struct key_entry_key;
|
||||
struct regional;
|
||||
@ -120,11 +122,14 @@ void val_find_signer(enum val_classification subtype,
|
||||
* @param sigalg: if nonNULL provide downgrade protection otherwise one
|
||||
* algorithm is enough. Algo list is constructed in here.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return security status of verification.
|
||||
*/
|
||||
enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
|
||||
uint8_t* sigalg, char** reason);
|
||||
uint8_t* sigalg, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Verify RRset with keys from a keyset.
|
||||
@ -133,11 +138,14 @@ enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
* @param rrset: what to verify
|
||||
* @param kkey: key_entry to verify with.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param section: section of packet where this rrset comes from.
|
||||
* @param qstate: qstate with region.
|
||||
* @return security status of verification.
|
||||
*/
|
||||
enum sec_status val_verify_rrset_entry(struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* rrset,
|
||||
struct key_entry_key* kkey, char** reason);
|
||||
struct key_entry_key* kkey, char** reason, sldns_pkt_section section,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but
|
||||
@ -150,13 +158,15 @@ enum sec_status val_verify_rrset_entry(struct module_env* env,
|
||||
* algorithm is enough. The list of signalled algorithms is returned,
|
||||
* must have enough space for ALGO_NEEDS_MAX+1.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param qstate: qstate with region.
|
||||
* @return: sec_status_secure if a DS matches.
|
||||
* sec_status_insecure if end of trust (i.e., unknown algorithms).
|
||||
* sec_status_bogus if it fails.
|
||||
*/
|
||||
enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason);
|
||||
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS
|
||||
@ -170,6 +180,7 @@ enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
|
||||
* algorithm is enough. The list of signalled algorithms is returned,
|
||||
* must have enough space for ALGO_NEEDS_MAX+1.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param qstate: qstate with region.
|
||||
* @return: sec_status_secure if a DS matches.
|
||||
* sec_status_insecure if end of trust (i.e., unknown algorithms).
|
||||
* sec_status_bogus if it fails.
|
||||
@ -177,7 +188,8 @@ enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
|
||||
enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
|
||||
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ta_ds,
|
||||
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason);
|
||||
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Verify new DNSKEYs with DS rrset. The DS contains hash values that should
|
||||
@ -192,6 +204,7 @@ enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
|
||||
* @param downprot: if true provide downgrade protection otherwise one
|
||||
* algorithm is enough.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param qstate: qstate with region.
|
||||
* @return a KeyEntry. This will either contain the now trusted
|
||||
* dnskey_rrset, a "null" key entry indicating that this DS
|
||||
* rrset/DNSKEY pair indicate an secure end to the island of trust
|
||||
@ -205,7 +218,8 @@ enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
|
||||
struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region,
|
||||
struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason);
|
||||
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
|
||||
struct module_qstate* qstate);
|
||||
|
||||
|
||||
/**
|
||||
@ -220,6 +234,7 @@ struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region,
|
||||
* @param downprot: if true provide downgrade protection otherwise one
|
||||
* algorithm is enough.
|
||||
* @param reason: reason of failure. Fixed string or alloced in scratch.
|
||||
* @param qstate: qstate with region.
|
||||
* @return a KeyEntry. This will either contain the now trusted
|
||||
* dnskey_rrset, a "null" key entry indicating that this DS
|
||||
* rrset/DNSKEY pair indicate an secure end to the island of trust
|
||||
@ -235,7 +250,7 @@ struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ta_ds_rrset,
|
||||
struct ub_packed_rrset_key* ta_dnskey_rrset,
|
||||
int downprot, char** reason);
|
||||
int downprot, char** reason, struct module_qstate* qstate);
|
||||
|
||||
/**
|
||||
* Determine if DS rrset is usable for validator or not.
|
||||
@ -252,7 +267,7 @@ int val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset);
|
||||
* the result of a wildcard expansion. If so, return the name of the
|
||||
* generating wildcard.
|
||||
*
|
||||
* @param rrset The rrset to chedck.
|
||||
* @param rrset The rrset to check.
|
||||
* @param wc: the wildcard name, if the rrset was synthesized from a wildcard.
|
||||
* unchanged if not. The wildcard name, without "*." in front, is
|
||||
* returned. This is a pointer into the rrset owner name.
|
||||
|
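Review bot: The new `@param qstate: qstate with region.` lines in the prototypes of val_verify_rrset, val_verify_rrset_entry, val_verify_DNSKEY_with_DS, val_verify_DNSKEY_with_TA, val_verify_new_DNSKEYs and val_verify_new_DNSKEYs_with_ta document the type but not the contract a caller of this public header needs: whether NULL is accepted and what the region is used for. Suggest `@param qstate: query state; its region holds per-query allocations that must outlive env->scratch. NULL handling: see implementation.` with the NULL clause filled in once the implementation confirms it. The `@param section:` lines could also name the expected values (`LDNS_SECTION_ANSWER`, `LDNS_SECTION_AUTHORITY`, `LDNS_SECTION_ADDITIONAL`) and note that the DNSKEY-with-DS and DNSKEY-with-TA entry points take no section because they presumably verify answer-section DNSKEY rrsets internally.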
@ -572,7 +572,8 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
|
||||
}
|
||||
|
||||
/* Verify the answer rrset */
|
||||
sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
|
||||
sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
|
||||
LDNS_SECTION_ANSWER, qstate);
|
||||
/* If the (answer) rrset failed to validate, then this
|
||||
* message is BAD. */
|
||||
if(sec != sec_status_secure) {
|
||||
@ -601,7 +602,8 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
|
||||
for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
|
||||
chase_reply->ns_numrrsets; i++) {
|
||||
s = chase_reply->rrsets[i];
|
||||
sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
|
||||
sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
|
||||
LDNS_SECTION_AUTHORITY, qstate);
|
||||
/* If anything in the authority section fails to be secure,
|
||||
* we have a bad message. */
|
||||
if(sec != sec_status_secure) {
|
||||
@ -629,7 +631,7 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
|
||||
val_find_rrset_signer(s, &sname, &slen);
|
||||
if(sname && query_dname_compare(sname, key_entry->name)==0)
|
||||
(void)val_verify_rrset_entry(env, ve, s, key_entry,
|
||||
&reason);
|
||||
&reason, LDNS_SECTION_ADDITIONAL, qstate);
|
||||
/* the additional section can fail to be secure,
|
||||
* it is optional, check signature in case we need
|
||||
* to clean the additional section later. */
|
||||
@ -2484,7 +2486,7 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
/* attempt to verify with trust anchor DS and DNSKEY */
|
||||
kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve,
|
||||
dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
|
||||
&reason);
|
||||
&reason, qstate);
|
||||
if(!kkey) {
|
||||
log_err("out of memory: verifying prime TA");
|
||||
return NULL;
|
||||
@ -2574,7 +2576,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
/* Verify only returns BOGUS or SECURE. If the rrset is
|
||||
* bogus, then we are done. */
|
||||
sec = val_verify_rrset_entry(qstate->env, ve, ds,
|
||||
vq->key_entry, &reason);
|
||||
vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
|
||||
if(sec != sec_status_secure) {
|
||||
verbose(VERB_DETAIL, "DS rrset in DS response did "
|
||||
"not verify");
|
||||
@ -2621,7 +2623,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
/* Try to prove absence of the DS with NSEC */
|
||||
sec = val_nsec_prove_nodata_dsreply(
|
||||
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
|
||||
&proof_ttl, &reason);
|
||||
&proof_ttl, &reason, qstate);
|
||||
switch(sec) {
|
||||
case sec_status_secure:
|
||||
verbose(VERB_DETAIL, "NSEC RRset for the "
|
||||
@ -2649,7 +2651,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
|
||||
sec = nsec3_prove_nods(qstate->env, ve,
|
||||
msg->rep->rrsets + msg->rep->an_numrrsets,
|
||||
msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
|
||||
msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason,
|
||||
qstate);
|
||||
switch(sec) {
|
||||
case sec_status_insecure:
|
||||
/* case insecure also continues to unsigned
|
||||
@ -2710,7 +2713,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
goto return_bogus;
|
||||
}
|
||||
sec = val_verify_rrset_entry(qstate->env, ve, cname,
|
||||
vq->key_entry, &reason);
|
||||
vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
verbose(VERB_ALGO, "CNAME validated, "
|
||||
"proof that DS does not exist");
|
||||
@ -2876,7 +2879,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
}
|
||||
downprot = qstate->env->cfg->harden_algo_downgrade;
|
||||
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
|
||||
ve, dnskey, vq->ds_rrset, downprot, &reason);
|
||||
ve, dnskey, vq->ds_rrset, downprot, &reason, qstate);
|
||||
|
||||
if(!vq->key_entry) {
|
||||
log_err("out of memory in verify new DNSKEYs");
|
||||
@ -2952,7 +2955,8 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
}
|
||||
|
||||
if(ta->autr) {
|
||||
if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
|
||||
if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
|
||||
qstate)) {
|
||||
/* trust anchor revoked, restart with less anchors */
|
||||
vq->state = VAL_INIT_STATE;
|
||||
vq->trust_anchor_name = NULL;
|
||||
|
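Review bot: The additional-section call `(void)val_verify_rrset_entry(env, ve, s, key_entry, &reason, LDNS_SECTION_ADDITIONAL, qstate);` in validate_msg_signatures now hands the query state to a verification whose failure the surrounding comment explicitly tolerates; if the callee uses qstate to record failure diagnostics for the query, a bogus additional rrset would leave a failure record on a message that is still accepted, which is worth confirming and, if so, stating in the comment (`/* a failure recorded here is informational only; the message stays valid */`). The `LDNS_SECTION_ANSWER` literals passed for the DS rrset and the CNAME rrset in ds_response_to_ke are consistent with both being answer-section checks, but a one-line comment at the first of them would save the next reader the same inference. The bodies of validate_msg_signatures, ds_response_to_ke and process_prime_response extend outside the hunks.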