1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
This commit is contained in:
parent
39c7fc7e00
commit
c941e32d22
6 changed files with 55 additions and 16 deletions
4
CHANGES
4
CHANGES
@ -1,3 +1,7 @@
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
1817. [placeholder] rt13587
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ds.c,v 1.4 2004/03/05 05:09:19 marka Exp $ */
/* $Id: ds.c,v 1.5 2005/03/04 03:53:20 marka Exp $ */
#include <config.h>
@ -81,3 +81,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
&ds, &b));
}
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type) {
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
}
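Review bot: `dns_ds_digest_supported` at the end of the hunk hard-codes the single digest type DNS_DSDIGEST_SHA1 with nothing tying it to the digest types `dns_ds_buildrdata` can actually produce, even though the header comment in ds.h documents it as exactly that relationship. A comment above the function such as `/* Must be kept in step with the digest types dns_ds_buildrdata() can compute. */` would stop the two from drifting when a digest type is added to one but not the other. `dns_ds_buildrdata` itself starts outside the hunk, so whether it branches on a digest type cannot be confirmed here.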
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ds.h,v 1.3 2004/03/05 05:09:42 marka Exp $ */
/* $Id: ds.h,v 1.4 2005/03/04 03:53:21 marka Exp $ */
#ifndef DNS_DS_H
#define DNS_DS_H 1
@ -51,6 +51,12 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
* to 'buffer'.
*/
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type);
/*
* Is this digest algorithm supported by dns_ds_buildrdata()?
*/
ISC_LANG_ENDDECLS
#endif /* DNS_DS_H */
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */
/* $Id: resolver.h,v 1.42 2005/03/04 03:53:22 marka Exp $ */
#ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1
@ -416,6 +416,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
* crypto libraries if not specifically disabled.
*/
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
/*
* Is this digest type supported.
*/
void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.303 2005/02/08 23:51:31 marka Exp $ */
/* $Id: resolver.c,v 1.304 2005/03/04 03:53:21 marka Exp $ */
#include <config.h>
@ -30,6 +30,7 @@
#include <dns/cache.h>
#include <dns/db.h>
#include <dns/dispatch.h>
#include <dns/ds.h>
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/keytable.h>
@ -6520,6 +6521,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
return (dst_algorithm_supported(alg));
}
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
UNUSED(resolver);
return (dns_ds_digest_supported(digest));
}
void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
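Review bot: The new `dns_resolver_digest_supported` in the hunk at `@ -6520` names its second parameter `digest`, while the prototype in resolver.h and the `dns_ds_digest_supported` it forwards to both call it `digest_type`; changing the definition to `unsigned int digest_type` keeps the three in step. The `resolver` argument is explicitly marked UNUSED, so unlike `dns_resolver_algorithm_supported` just above — whose header comment says algorithms are supported "if not specifically disabled" — there is no per-view or per-name way to turn a digest type off; if that is deliberate, a one-line comment such as `/* No per-view digest disabling; defer entirely to the DS library. */` would save the next reader from searching for the knob. `dns_resolver_resetmustbesecure` at the end of the hunk continues outside it.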
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.126 2005/02/09 05:19:30 marka Exp $ */
/* $Id: validator.c,v 1.127 2005/03/04 03:53:21 marka Exp $ */
#include <config.h>
@ -1561,6 +1561,9 @@ dlv_validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dlv, &dlvrdata);
(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
dlv.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
dlv.algorithm))
@ -1647,7 +1650,7 @@ dlv_validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (dlv)");
"no supported algorithm/digest (dlv)");
return (ISC_R_SUCCESS);
} else
return (DNS_R_NOVALIDSIG);
@ -1848,6 +1851,10 @@ validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dsset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
ds.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
ds.algorithm))
@ -1940,7 +1947,7 @@ validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
return (ISC_R_SUCCESS);
} else
return (DNS_R_NOVALIDSIG);
@ -2193,7 +2200,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
}
static isc_boolean_t
check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
check_ds(dns_validator_t *val, dns_name_t *name,
dns_rdataset_t *rdataset) {
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t ds;
@ -2205,9 +2212,13 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
dns_rdataset_current(rdataset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (dns_resolver_algorithm_supported(val->view->resolver,
name, ds.algorithm))
if (dns_resolver_digest_supported(val->view->resolver,
ds.digest_type) &&
dns_resolver_algorithm_supported(val->view->resolver,
name, ds.algorithm)) {
dns_rdata_reset(&dsrdata);
return (ISC_TRUE);
}
dns_rdata_reset(&dsrdata);
}
return (ISC_FALSE);
@ -2385,8 +2396,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
} else {
validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
if (val->frdataset.trust >= dns_trust_secure &&
!check_ds_algorithm(val, dns_fixedname_name(&val->fname),
&val->frdataset)) {
!check_ds(val, dns_fixedname_name(&val->fname),
&val->frdataset)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure");
@ -2394,7 +2405,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
goto out;
}
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
val->event->rdataset->trust = dns_trust_answer;
result = ISC_R_SUCCESS;
goto out;
@ -2453,10 +2464,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
* continue.
*/
if (val->frdataset.trust >= dns_trust_secure) {
if (!check_ds_algorithm(val, tname,
&val->frdataset)) {
if (!check_ds(val, tname, &val->frdataset)) {
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
if (val->mustbesecure) {
validator_log(val,
ISC_LOG_WARNING,
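Review bot: The usability test for a DS record — digest type supported and key algorithm supported — is now written three times in two different shapes: as a pair of `continue`s in `dlv_validatezonekey` and `validatezonekey`, and as an `&&` inside `check_ds` in the hunk at `@ -2205`; a small static helper would keep the three from disagreeing the next time a condition is added to one of them. With it the condition in `check_ds` becomes `if (ds_usable(val, name, &ds)) {` and each loop's two checks collapse to `if (!ds_usable(val, val->event->name, &ds)) continue;`. This predicate is security-sensitive: when no DS in the set passes it, the callers log "no supported algorithm/digest", set `dns_trust_answer` and return ISC_R_SUCCESS, so the delegation is treated as insecure rather than bogus, which is worth stating in the helper's comment. `check_ds` starts in the hunk at `@ -2193` and its body is split across the following hunk; the loop heads of the two `validatezonekey` variants, which presumably reset `dsrdata` before the `continue`, are outside their hunks.
```c
/*
 * A DS record can introduce a secure zone only if both its digest type
 * and its key algorithm are supported; callers treat a DS set with no
 * usable record as insecure, so keep the test in one place.
 */
static isc_boolean_t
ds_usable(dns_validator_t *val, dns_name_t *name, dns_rdata_ds_t *ds) {
	return (ISC_TF(dns_resolver_digest_supported(val->view->resolver,
						     ds->digest_type) &&
		       dns_resolver_algorithm_supported(val->view->resolver,
							name, ds->algorithm)));
}

/* … unchanged: check_ds() up to the per-record test … */
		if (ds_usable(val, name, &ds)) {
			dns_rdata_reset(&dsrdata);
			return (ISC_TRUE);
		}
/* … unchanged: rest of check_ds() … */
```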