upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-24 00:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- harden algo downgrade also makes unbound more lenient about digest

Browse source 
algorithms in DS records.


git-svn-id: file:///svn/unbound/trunk@4104 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2017-04-10 13:38:50 +00:00
parent e3058de235
commit 4d7d32c846
6 changed files with 309 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
10 April 2017: Wouter
- harden algo downgrade also makes unbound more lenient about digest
algorithms in DS records.
10 April 2017: Ralph 10 April 2017: Ralph
- Remove ECS option after REFUSED answer. - Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc. - Fix small memory leak in edns_opt_copy_alloc.

1
testdata/val_ds_gost_downgrade.crpl vendored
View file

@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226" val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0" target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes fake-sha1: yes
harden-algo-downgrade: yes
stub-zone: stub-zone:
name: "." name: "."

1
testdata/val_ds_sha2_downgrade.crpl vendored
View file

@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0" target-fetch-policy: "0 0 0 0 0"
fake-dsa: yes fake-dsa: yes
fake-sha1: yes fake-sha1: yes
harden-algo-downgrade: yes
stub-zone: stub-zone:
name: "." name: "."

227
testdata/val_ds_sha2_lenient.crpl vendored Normal file
View file

@ -0,0 +1,227 @@
; config options
; The island of trust is at example.com
server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-dsa: yes
fake-sha1: yes
harden-algo-downgrade: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test validator with SHA256 DS downgrade to SHA1 lenience
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
; response for delegation to sub.example.com.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
; Downgrade attack: false SHA2, correct SHA1
; SHA256 DS for sub.example.com.
;sub.example.com. 3600 IN DS 30899 5 2 51be8e847cc663f2775d0f2b6d15e41553c97ecb99b8dd667f18244e2f652033
; BAD SHA256 DS
sub.example.com. 3600 IN DS 30899 5 2 51be8e847cc663f2775d0f2b6d15e41553c97ecb99b8dd667f18244e2f652000
; SHA1 DS for sub.example.com.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. ACqqpk1ow07XJvN1orEpiWOeqMLdDKQtTgWB8Mp6CF/9VTfHuWWmsu8= ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END
; ns.sub.example.com.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END
; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END
; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.sub.example.com. IN A
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.sub.example.com. IN AAAA
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
; recursion happens here.
; must servfail, BOGUS
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. 3600 IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END

121
util/configlexer.c
View file

@ -10,7 +10,7 @@
#define FLEX_SCANNER #define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2 #define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 6 #define YY_FLEX_MINOR_VERSION 6
#define YY_FLEX_SUBMINOR_VERSION 1 #define YY_FLEX_SUBMINOR_VERSION 0
#if YY_FLEX_SUBMINOR_VERSION > 0 #if YY_FLEX_SUBMINOR_VERSION > 0
#define FLEX_BETA #define FLEX_BETA
#endif #endif
@ -89,13 +89,25 @@ typedef unsigned int flex_uint32_t;
#endif /* ! FLEXINT_H */ #endif /* ! FLEXINT_H */
/* TODO: this is always defined, so inline it */ #ifdef __cplusplus
#define yyconst const
#if defined(__GNUC__) && __GNUC__ >= 3 /* The "const" storage-class-modifier is valid. */
#define yynoreturn __attribute__((__noreturn__)) #define YY_USE_CONST
#else /* ! __cplusplus */
/* C99 requires __STDC__ to be defined as 1. */
#if defined (__STDC__)
#define YY_USE_CONST
#endif /* defined (__STDC__) */
#endif /* ! __cplusplus */
#ifdef YY_USE_CONST
#define yyconst const
#else #else
#define yynoreturn #define yyconst
#endif #endif
/* Returned upon end-of-file. */ /* Returned upon end-of-file. */
@ -156,7 +168,7 @@ typedef struct yy_buffer_state *YY_BUFFER_STATE;
typedef size_t yy_size_t; typedef size_t yy_size_t;
#endif #endif
extern int yyleng; extern yy_size_t yyleng;
extern FILE *yyin, *yyout; extern FILE *yyin, *yyout;
@ -172,7 +184,7 @@ extern FILE *yyin, *yyout;
do \ do \
{ \ { \
/* Undo effects of setting up yytext. */ \ /* Undo effects of setting up yytext. */ \
int yyless_macro_arg = (n); \ yy_size_t yyless_macro_arg = (n); \
YY_LESS_LINENO(yyless_macro_arg);\ YY_LESS_LINENO(yyless_macro_arg);\
*yy_cp = (yy_hold_char); \ *yy_cp = (yy_hold_char); \
YY_RESTORE_YY_MORE_OFFSET \ YY_RESTORE_YY_MORE_OFFSET \
@ -195,12 +207,12 @@ struct yy_buffer_state
/* Size of input buffer in bytes, not including room for EOB /* Size of input buffer in bytes, not including room for EOB
* characters. * characters.
*/ */
int yy_buf_size; yy_size_t yy_buf_size;
/* Number of characters read into yy_ch_buf, not including EOB /* Number of characters read into yy_ch_buf, not including EOB
* characters. * characters.
*/ */
int yy_n_chars; yy_size_t yy_n_chars;
/* Whether we "own" the buffer - i.e., we know we created it, /* Whether we "own" the buffer - i.e., we know we created it,
* and can realloc() it to grow it, and should free() it to * and can realloc() it to grow it, and should free() it to
@ -223,7 +235,7 @@ struct yy_buffer_state
int yy_bs_lineno; /**< The line count. */ int yy_bs_lineno; /**< The line count. */
int yy_bs_column; /**< The column count. */ int yy_bs_column; /**< The column count. */
/* Whether to try to fill the input buffer when we reach the /* Whether to try to fill the input buffer when we reach the
* end of it. * end of it.
*/ */
@ -251,7 +263,7 @@ struct yy_buffer_state
/* Stack of input buffers. */ /* Stack of input buffers. */
static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */ static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */ static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
static YY_BUFFER_STATE * yy_buffer_stack = NULL; /**< Stack as an array. */ static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
/* We provide macros for accessing buffer states in case in the /* We provide macros for accessing buffer states in case in the
* future we want to put the buffer states in a more general * future we want to put the buffer states in a more general
@ -270,11 +282,11 @@ static YY_BUFFER_STATE * yy_buffer_stack = NULL; /**< Stack as an array. */
/* yy_hold_char holds the character lost when yytext is formed. */ /* yy_hold_char holds the character lost when yytext is formed. */
static char yy_hold_char; static char yy_hold_char;
static int yy_n_chars; /* number of characters read into yy_ch_buf */ static yy_size_t yy_n_chars; /* number of characters read into yy_ch_buf */
int yyleng; yy_size_t yyleng;
/* Points to current character in buffer. */ /* Points to current character in buffer. */
static char *yy_c_buf_p = NULL; static char *yy_c_buf_p = (char *) 0;
static int yy_init = 0; /* whether we need to initialize */ static int yy_init = 0; /* whether we need to initialize */
static int yy_start = 0; /* start state number */ static int yy_start = 0; /* start state number */
@ -299,7 +311,7 @@ static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file );
YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size ); YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size );
YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str ); YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str );
YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len ); YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,yy_size_t len );
void *yyalloc (yy_size_t ); void *yyalloc (yy_size_t );
void *yyrealloc (void *,yy_size_t ); void *yyrealloc (void *,yy_size_t );
@ -333,7 +345,7 @@ void yyfree (void * );
typedef unsigned char YY_CHAR; typedef unsigned char YY_CHAR;
FILE *yyin = NULL, *yyout = NULL; FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
typedef int yy_state_type; typedef int yy_state_type;
@ -350,7 +362,10 @@ extern char *yytext;
static yy_state_type yy_get_previous_state (void ); static yy_state_type yy_get_previous_state (void );
static yy_state_type yy_try_NUL_trans (yy_state_type current_state ); static yy_state_type yy_try_NUL_trans (yy_state_type current_state );
static int yy_get_next_buffer (void ); static int yy_get_next_buffer (void );
static void yynoreturn yy_fatal_error (yyconst char* msg ); #if defined(__GNUC__) && __GNUC__ >= 3
__attribute__((__noreturn__))
#endif
static void yy_fatal_error (yyconst char msg[] );
/* Done after the current pattern has been matched and before the /* Done after the current pattern has been matched and before the
* corresponding action - sets up yytext. * corresponding action - sets up yytext.
@ -358,7 +373,7 @@ static void yynoreturn yy_fatal_error (yyconst char* msg );
#define YY_DO_BEFORE_ACTION \ #define YY_DO_BEFORE_ACTION \
(yytext_ptr) = yy_bp; \ (yytext_ptr) = yy_bp; \
(yytext_ptr) -= (yy_more_len); \ (yytext_ptr) -= (yy_more_len); \
yyleng = (int) (yy_cp - (yytext_ptr)); \ yyleng = (size_t) (yy_cp - (yytext_ptr)); \
(yy_hold_char) = *yy_cp; \ (yy_hold_char) = *yy_cp; \
*yy_cp = '\0'; \ *yy_cp = '\0'; \
(yy_c_buf_p) = yy_cp; (yy_c_buf_p) = yy_cp;
@ -2304,7 +2319,7 @@ static void config_end_include(void)
#define YY_NO_INPUT 1 #define YY_NO_INPUT 1
#endif #endif
#line 2306 "<stdout>" #line 2321 "<stdout>"
#define INITIAL 0 #define INITIAL 0
#define quotedstring 1 #define quotedstring 1
@ -2348,7 +2363,7 @@ FILE *yyget_out (void );
void yyset_out (FILE * _out_str ); void yyset_out (FILE * _out_str );
int yyget_leng (void ); yy_size_t yyget_leng (void );
char *yyget_text (void ); char *yyget_text (void );
@ -2405,7 +2420,7 @@ static int input (void );
/* This used to be an fputs(), but since the string might contain NUL's, /* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite(). * we now use fwrite().
*/ */
#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0) #define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
#endif #endif
/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL, /* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
@ -2429,7 +2444,7 @@ static int input (void );
else \ else \
{ \ { \
errno=0; \ errno=0; \
while ( (result = (int) fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \ while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
{ \ { \
if( errno != EINTR) \ if( errno != EINTR) \
{ \ { \
@ -2527,7 +2542,7 @@ YY_DECL
{ {
#line 207 "./util/configlexer.lex" #line 207 "./util/configlexer.lex"
#line 2529 "<stdout>" #line 2544 "<stdout>"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{ {
@ -2563,7 +2578,7 @@ yy_match:
if ( yy_current_state >= 2165 ) if ( yy_current_state >= 2165 )
yy_c = yy_meta[(unsigned int) yy_c]; yy_c = yy_meta[(unsigned int) yy_c];
} }
yy_current_state = yy_nxt[yy_base[yy_current_state] + (flex_int16_t) yy_c]; yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
++yy_cp; ++yy_cp;
} }
while ( yy_base[yy_current_state] != 4265 ); while ( yy_base[yy_current_state] != 4265 );
@ -3794,7 +3809,7 @@ YY_RULE_SETUP
#line 513 "./util/configlexer.lex" #line 513 "./util/configlexer.lex"
ECHO; ECHO;
YY_BREAK YY_BREAK
#line 3796 "<stdout>" #line 3811 "<stdout>"
case YY_END_OF_BUFFER: case YY_END_OF_BUFFER:
{ {
@ -3993,7 +4008,7 @@ static int yy_get_next_buffer (void)
if ( b->yy_is_our_buffer ) if ( b->yy_is_our_buffer )
{ {
int new_size = b->yy_buf_size * 2; yy_size_t new_size = b->yy_buf_size * 2;
if ( new_size <= 0 ) if ( new_size <= 0 )
b->yy_buf_size += b->yy_buf_size / 8; b->yy_buf_size += b->yy_buf_size / 8;
@ -4006,7 +4021,7 @@ static int yy_get_next_buffer (void)
} }
else else
/* Can't grow it, we don't own it. */ /* Can't grow it, we don't own it. */
b->yy_ch_buf = NULL; b->yy_ch_buf = 0;
if ( ! b->yy_ch_buf ) if ( ! b->yy_ch_buf )
YY_FATAL_ERROR( YY_FATAL_ERROR(
@ -4048,9 +4063,9 @@ static int yy_get_next_buffer (void)
else else
ret_val = EOB_ACT_CONTINUE_SCAN; ret_val = EOB_ACT_CONTINUE_SCAN;
if ((int) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) { if ((yy_size_t) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
/* Extend the array by 50%, plus the number we really need. */ /* Extend the array by 50%, plus the number we really need. */
int new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1); yy_size_t new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ); YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size );
if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf ) if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" ); YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
@ -4088,7 +4103,7 @@ static int yy_get_next_buffer (void)
if ( yy_current_state >= 2165 ) if ( yy_current_state >= 2165 )
yy_c = yy_meta[(unsigned int) yy_c]; yy_c = yy_meta[(unsigned int) yy_c];
} }
yy_current_state = yy_nxt[yy_base[yy_current_state] + (flex_int16_t) yy_c]; yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
} }
return yy_current_state; return yy_current_state;
@ -4116,7 +4131,7 @@ static int yy_get_next_buffer (void)
if ( yy_current_state >= 2165 ) if ( yy_current_state >= 2165 )
yy_c = yy_meta[(unsigned int) yy_c]; yy_c = yy_meta[(unsigned int) yy_c];
} }
yy_current_state = yy_nxt[yy_base[yy_current_state] + (flex_int16_t) yy_c]; yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
yy_is_jam = (yy_current_state == 2164); yy_is_jam = (yy_current_state == 2164);
return yy_is_jam ? 0 : yy_current_state; return yy_is_jam ? 0 : yy_current_state;
@ -4150,7 +4165,7 @@ static int yy_get_next_buffer (void)
else else
{ /* need more input */ { /* need more input */
int offset = (yy_c_buf_p) - (yytext_ptr); yy_size_t offset = (yy_c_buf_p) - (yytext_ptr);
++(yy_c_buf_p); ++(yy_c_buf_p);
switch ( yy_get_next_buffer( ) ) switch ( yy_get_next_buffer( ) )
@ -4174,7 +4189,7 @@ static int yy_get_next_buffer (void)
case EOB_ACT_END_OF_FILE: case EOB_ACT_END_OF_FILE:
{ {
if ( yywrap( ) ) if ( yywrap( ) )
return 0; return EOF;
if ( ! (yy_did_buffer_switch_on_eof) ) if ( ! (yy_did_buffer_switch_on_eof) )
YY_NEW_FILE; YY_NEW_FILE;
@ -4422,7 +4437,7 @@ void yypop_buffer_state (void)
*/ */
static void yyensure_buffer_stack (void) static void yyensure_buffer_stack (void)
{ {
int num_to_alloc; yy_size_t num_to_alloc;
if (!(yy_buffer_stack)) { if (!(yy_buffer_stack)) {
@ -4436,9 +4451,9 @@ static void yyensure_buffer_stack (void)
); );
if ( ! (yy_buffer_stack) ) if ( ! (yy_buffer_stack) )
YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" ); YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*)); memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
(yy_buffer_stack_max) = num_to_alloc; (yy_buffer_stack_max) = num_to_alloc;
(yy_buffer_stack_top) = 0; (yy_buffer_stack_top) = 0;
return; return;
@ -4467,7 +4482,7 @@ static void yyensure_buffer_stack (void)
* @param base the character buffer * @param base the character buffer
* @param size the size in bytes of the character buffer * @param size the size in bytes of the character buffer
* *
* @return the newly allocated buffer state object. * @return the newly allocated buffer state object.
*/ */
YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size ) YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
{ {
@ -4477,7 +4492,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
base[size-2] != YY_END_OF_BUFFER_CHAR || base[size-2] != YY_END_OF_BUFFER_CHAR ||
base[size-1] != YY_END_OF_BUFFER_CHAR ) base[size-1] != YY_END_OF_BUFFER_CHAR )
/* They forgot to leave room for the EOB's. */ /* They forgot to leave room for the EOB's. */
return NULL; return 0;
b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) ); b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) );
if ( ! b ) if ( ! b )
@ -4486,7 +4501,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */ b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */
b->yy_buf_pos = b->yy_ch_buf = base; b->yy_buf_pos = b->yy_ch_buf = base;
b->yy_is_our_buffer = 0; b->yy_is_our_buffer = 0;
b->yy_input_file = NULL; b->yy_input_file = 0;
b->yy_n_chars = b->yy_buf_size; b->yy_n_chars = b->yy_buf_size;
b->yy_is_interactive = 0; b->yy_is_interactive = 0;
b->yy_at_bol = 1; b->yy_at_bol = 1;
@ -4509,7 +4524,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
YY_BUFFER_STATE yy_scan_string (yyconst char * yystr ) YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
{ {
return yy_scan_bytes(yystr,(int) strlen(yystr) ); return yy_scan_bytes(yystr,strlen(yystr) );
} }
/** Setup the input buffer state to scan the given bytes. The next call to yylex() will /** Setup the input buffer state to scan the given bytes. The next call to yylex() will
@ -4519,7 +4534,7 @@ YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
* *
* @return the newly allocated buffer state object. * @return the newly allocated buffer state object.
*/ */
YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len ) YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, yy_size_t _yybytes_len )
{ {
YY_BUFFER_STATE b; YY_BUFFER_STATE b;
char *buf; char *buf;
@ -4527,7 +4542,7 @@ YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len )
yy_size_t i; yy_size_t i;
/* Get memory for full buffer, including space for trailing EOB's. */ /* Get memory for full buffer, including space for trailing EOB's. */
n = (yy_size_t) _yybytes_len + 2; n = _yybytes_len + 2;
buf = (char *) yyalloc(n ); buf = (char *) yyalloc(n );
if ( ! buf ) if ( ! buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
@ -4553,7 +4568,7 @@ YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len )
#define YY_EXIT_FAILURE 2 #define YY_EXIT_FAILURE 2
#endif #endif
static void yynoreturn yy_fatal_error (yyconst char* msg ) static void yy_fatal_error (yyconst char* msg )
{ {
(void) fprintf( stderr, "%s\n", msg ); (void) fprintf( stderr, "%s\n", msg );
exit( YY_EXIT_FAILURE ); exit( YY_EXIT_FAILURE );
@ -4566,7 +4581,7 @@ static void yynoreturn yy_fatal_error (yyconst char* msg )
do \ do \
{ \ { \
/* Undo effects of setting up yytext. */ \ /* Undo effects of setting up yytext. */ \
int yyless_macro_arg = (n); \ yy_size_t yyless_macro_arg = (n); \
YY_LESS_LINENO(yyless_macro_arg);\ YY_LESS_LINENO(yyless_macro_arg);\
yytext[yyleng] = (yy_hold_char); \ yytext[yyleng] = (yy_hold_char); \
(yy_c_buf_p) = yytext + yyless_macro_arg; \ (yy_c_buf_p) = yytext + yyless_macro_arg; \
@ -4583,7 +4598,7 @@ static void yynoreturn yy_fatal_error (yyconst char* msg )
*/ */
int yyget_lineno (void) int yyget_lineno (void)
{ {
return yylineno; return yylineno;
} }
@ -4606,7 +4621,7 @@ FILE *yyget_out (void)
/** Get the length of the current token. /** Get the length of the current token.
* *
*/ */
int yyget_leng (void) yy_size_t yyget_leng (void)
{ {
return yyleng; return yyleng;
} }
@ -4662,10 +4677,10 @@ static int yy_init_globals (void)
* This function is called from yylex_destroy(), so don't allocate here. * This function is called from yylex_destroy(), so don't allocate here.
*/ */
(yy_buffer_stack) = NULL; (yy_buffer_stack) = 0;
(yy_buffer_stack_top) = 0; (yy_buffer_stack_top) = 0;
(yy_buffer_stack_max) = 0; (yy_buffer_stack_max) = 0;
(yy_c_buf_p) = NULL; (yy_c_buf_p) = (char *) 0;
(yy_init) = 0; (yy_init) = 0;
(yy_start) = 0; (yy_start) = 0;
@ -4674,8 +4689,8 @@ static int yy_init_globals (void)
yyin = stdin; yyin = stdin;
yyout = stdout; yyout = stdout;
#else #else
yyin = NULL; yyin = (FILE *) 0;
yyout = NULL; yyout = (FILE *) 0;
#endif #endif
/* For future reference: Set errno on error, since we are called by /* For future reference: Set errno on error, since we are called by
@ -4733,7 +4748,7 @@ static int yy_flex_strlen (yyconst char * s )
void *yyalloc (yy_size_t size ) void *yyalloc (yy_size_t size )
{ {
return malloc(size); return (void *) malloc( size );
} }
void *yyrealloc (void * ptr, yy_size_t size ) void *yyrealloc (void * ptr, yy_size_t size )
@ -4746,7 +4761,7 @@ void *yyrealloc (void * ptr, yy_size_t size )
* any pointer type to void*, and deal with argument conversions * any pointer type to void*, and deal with argument conversions
* as though doing an assignment. * as though doing an assignment.
*/ */
return realloc(ptr, size); return (void *) realloc( (char *) ptr, size );
} }
void yyfree (void * ptr ) void yyfree (void * ptr )

11
validator/val_utils.c
View file

@ -495,16 +495,21 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
return sec_status_bogus; return sec_status_bogus;
} }
digest_algo = val_favorite_ds_algo(ds_rrset); if(sigalg) {
if(sigalg) /* harden against algo downgrade is enabled */
digest_algo = val_favorite_ds_algo(ds_rrset);
algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
} else {
/* accept any key algo, any digest algo */
digest_algo = -1;
}
num = rrset_get_count(ds_rrset); num = rrset_get_count(ds_rrset);
for(i=0; i<num; i++) { for(i=0; i<num; i++) {
/* Check to see if we can understand this DS. /* Check to see if we can understand this DS.
* And check it is the strongest digest */ * And check it is the strongest digest */
if(!ds_digest_algo_is_supported(ds_rrset, i) || if(!ds_digest_algo_is_supported(ds_rrset, i) ||
!ds_key_algo_is_supported(ds_rrset, i) || !ds_key_algo_is_supported(ds_rrset, i) ||
ds_get_digest_algo(ds_rrset, i) != digest_algo) { (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
continue; continue;
} }