Merge from vendor/bind9/dist as of the 9.4.3-P2 import
commit
212b42b0a3
@ -1,3 +1,8 @@
|
||||
--- 9.4.3-P2 released ---
|
||||
|
||||
2579. [bug] DNSSEC lookaside validation failed to handle unknown
|
||||
algorithms. [RT #19479]
|
||||
|
||||
--- 9.4.3-P1 released ---
|
||||
|
||||
2522. [security] Handle -1 from DSA_do_verify().
|
||||
|
@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: validator.c,v 1.119.18.41 2008/08/21 04:59:42 marka Exp $ */
|
||||
/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) {
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that we have atleast one supported algorithm in the DLV RRset.
|
||||
*/
|
||||
static inline isc_boolean_t
|
||||
dlv_algorithm_supported(dns_validator_t *val) {
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dns_rdata_dlv_t dlv;
|
||||
isc_result_t result;
|
||||
|
||||
for (result = dns_rdataset_first(&val->dlv);
|
||||
result == ISC_R_SUCCESS;
|
||||
result = dns_rdataset_next(&val->dlv)) {
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdataset_current(&val->dlv, &rdata);
|
||||
result = dns_rdata_tostruct(&rdata, &dlv, NULL);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
|
||||
if (!dns_resolver_algorithm_supported(val->view->resolver,
|
||||
val->event->name,
|
||||
dlv.algorithm))
|
||||
continue;
|
||||
|
||||
if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
|
||||
dlv.digest_type != DNS_DSDIGEST_SHA1)
|
||||
continue;
|
||||
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
/*%
|
||||
* Look in the NSEC record returned from a DS query to see if there is
|
||||
* a NS RRset at this name. If it is found we are at a delegation point.
|
||||
@ -2297,19 +2328,36 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
|
||||
sizeof(namebuf));
|
||||
dns_rdataset_clone(&val->frdataset, &val->dlv);
|
||||
val->havedlvsep = ISC_TRUE;
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
|
||||
if (dlv_algorithm_supported(val)) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
|
||||
namebuf);
|
||||
dlv_validator_start(val);
|
||||
} else {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"DLV %s found with no supported algorithms",
|
||||
namebuf);
|
||||
markanswer(val);
|
||||
validator_done(val, ISC_R_SUCCESS);
|
||||
}
|
||||
} else if (eresult == DNS_R_NXRRSET ||
|
||||
eresult == DNS_R_NXDOMAIN ||
|
||||
eresult == DNS_R_NCACHENXRRSET ||
|
||||
eresult == DNS_R_NCACHENXDOMAIN) {
|
||||
result = finddlvsep(val, ISC_TRUE);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
if (dlv_algorithm_supported(val)) {
|
||||
dns_name_format(dns_fixedname_name(&val->dlvsep),
|
||||
namebuf, sizeof(namebuf));
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
|
||||
namebuf);
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"DLV %s found", namebuf);
|
||||
dlv_validator_start(val);
|
||||
} else {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"DLV %s found with no supported "
|
||||
"algorithms", namebuf);
|
||||
markanswer(val);
|
||||
validator_done(val, ISC_R_SUCCESS);
|
||||
}
|
||||
} else if (result == ISC_R_NOTFOUND) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
|
||||
markanswer(val);
|
||||
@ -2372,10 +2420,17 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
|
||||
}
|
||||
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
|
||||
sizeof(namebuf));
|
||||
if (dlv_algorithm_supported(val)) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
|
||||
dlv_validator_start(val);
|
||||
return (DNS_R_WAIT);
|
||||
}
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
|
||||
"algorithms", namebuf);
|
||||
markanswer(val);
|
||||
validator_done(val, ISC_R_SUCCESS);
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
/*%
|
||||
* Continue the DLV lookup process.
|
||||
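Review bot: In the `eresult == DNS_R_NXRRSET || …` arm of dlvfetched, the new `else` branch logs "DLV %s found with no supported algorithms" with `namebuf`, but on that path `dns_name_format()` is called only inside the `if (dlv_algorithm_supported(val))` branch above it. Unless namebuf is initialised outside the hunk, the `%s` reads a stack buffer that was never filled on this path whenever the debug message is formatted, which can run past the array or copy stale stack bytes into the log. Move `dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf));` to just before `if (dlv_algorithm_supported(val)) {`, which is the order the startfinddlvsep hunk already uses. dlvfetched starts and ends outside the hunk, so the declaration of namebuf is not visible here.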
|
@ -1,4 +1,4 @@
|
||||
# $Id: version,v 1.29.134.23.2.1 2008/12/24 00:21:22 marka Exp $
|
||||
# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $
|
||||
#
|
||||
# This file must follow /bin/sh rules. It is imported directly via
|
||||
# configure.
|
||||
@ -7,4 +7,4 @@ MAJORVER=9
|
||||
MINORVER=4
|
||||
PATCHVER=3
|
||||
RELEASETYPE=-P
|
||||
RELEASEVER=1
|
||||
RELEASEVER=2
|
||||
|