- Fix validation in case a trust anchor enters into a zone with

unsupported algorithms.


git-svn-id: file:///svn/unbound/trunk@2205 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,7 @@
+4 August 2010: Wouter
+	- Fix validation in case a trust anchor enters into a zone with
+	  unsupported algorithms.
+
 3 August 2010: Wouter
 	- updated ldns tarball with bugfixes.
 	- release tag 1.4.6.

validator/val_sigcrypt.c

@@ -462,6 +462,8 @@ void algo_needs_init_dnskey(struct algo_needs* n,
 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
 	for(i=0; i<num; i++) {
 		algo = (uint8_t)dnskey_get_algo(dnskey, i);
+		if(!dnskey_algo_id_is_supported(algo))
+			continue;
 		if(n->needs[algo] == 0) {
 			n->needs[algo] = 1;
 			total++;
@@ -482,6 +484,8 @@ void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
 		if(ds_get_digest_algo(ds, i) != fav_ds_algo)
 			continue;
 		algo = (uint8_t)ds_get_key_algo(ds, i);
+		if(!dnskey_algo_id_is_supported(algo))
+			continue;
 		if(n->needs[algo] == 0) {
 			n->needs[algo] = 1;
 			total++;
@@ -546,6 +550,11 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
 	}
 
 	algo_needs_init_dnskey(&needs, dnskey);
+	if(algo_needs_num_missing(&needs) == 0) {
+		verbose(VERB_QUERY, "DNSKEY has no known algorithms");
+		*reason = "DNSKEY has no known algorithms";
+		return sec_status_insecure;
+	}
 	for(i=0; i<num; i++) {
 		sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 
 			dnskey, i, &sortree, reason);
@@ -631,6 +640,10 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 	size_t numchecked = 0;
 	int buf_canon = 0;
 	verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
+	if(!dnskey_algo_id_is_supported(algo)) {
+		verbose(VERB_QUERY, "verify sig: unknown algorithm");
+		return sec_status_insecure;
+	}
 	
 	for(i=0; i<num; i++) {
 		/* see if key matches keytag and algo */