fixup insecure glue on referrals.

git-svn-id: file:///svn/unbound/trunk@688 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c

@@ -359,6 +359,7 @@ deleg_remove_nonsecure_additional(struct reply_info* rep)
 				(rep->rrset_count - i - 1));
 			rep->ar_numrrsets--; 
 			rep->rrset_count--;
+			i--;
 		}
 	}
 }

doc/Changelog

@@ -13,6 +13,8 @@
 	- removed some debug prints, only verb_algo (4) enables them.
 	- fixup test; new random generator took new paths; such as one 
 	  where no scripted answer was available.
+	- mark insecure RRs as insecure.
+	- fixup removal of nonsecure items from the additional.
 
 16 October 2007: Wouter
 	- no malloc in log_hex.

validator/val_utils.c

@@ -550,11 +550,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 
 void 
 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-	size_t skip, uint8_t* name, size_t len)
+	size_t skip, uint8_t* name, size_t len, uint8_t* signer)
 {
-	/* unsigned RRsets are never copied, but should not happen in 
-	 * secure answers anyway. Except for the synthesized CNAME after 
-	 * a DNAME. */
 	size_t i;
 	int seen_dname = 0;
 	chase->rrset_count = 0;
@@ -563,7 +560,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	chase->ar_numrrsets = 0;
 	/* ANSWER section */
 	for(i=skip; i<orig->an_numrrsets; i++) {
-		if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+				chase->rrsets[chase->an_numrrsets++] = 
+					orig->rrsets[i];
+		} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
 			LDNS_RR_TYPE_CNAME) {
 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
 			seen_dname = 0;
@@ -579,7 +581,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
 		i<orig->an_numrrsets+orig->ns_numrrsets; 
 		i++) {
-		if(rrset_has_signer(orig->rrsets[i], name, len)) {
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+				chase->rrsets[chase->an_numrrsets+
+				    chase->ns_numrrsets++] = orig->rrsets[i];
+		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 			chase->rrsets[chase->an_numrrsets+
 				chase->ns_numrrsets++] = orig->rrsets[i];
 		}
@@ -588,7 +595,13 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
 		skip:orig->an_numrrsets+orig->ns_numrrsets; 
 		i<orig->rrset_count; i++) {
-		if(rrset_has_signer(orig->rrsets[i], name, len)) {
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+			    chase->rrsets[chase->an_numrrsets
+				+orig->ns_numrrsets+chase->ar_numrrsets++] 
+				= orig->rrsets[i];
+		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
 				chase->ar_numrrsets++] = orig->rrsets[i];
 		}
@@ -643,6 +656,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 				(rep->rrset_count - i - 1));
 			rep->ar_numrrsets--;
 			rep->rrset_count--;
+			i--;
 		}
 	}
 }

validator/val_utils.h

@@ -206,9 +206,11 @@ int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
  * 	The skipped part contains CNAME(and DNAME)s that have been chased.
  * @param name: the signer name to look for.
  * @param len: length of name.
+ * @param signer: signer name or NULL if an unsigned RRset is considered.
+ *	If NULL, rrsets with the lookup name are copied over.
  */
 void val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-	size_t cname_skip, uint8_t* name, size_t len);
+	size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
 
 /**
  * Remove all unsigned or non-secure status rrsets from NS and AR sections.

validator/validator.c

@@ -1164,7 +1164,8 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
 		/* extract this part of orig_msg into chase_reply for
 		 * the eventual VALIDATE stage */
 		val_fill_reply(vq->chase_reply, vq->orig_msg->rep, 
-			vq->rrset_skip, lookup_name, lookup_len);
+			vq->rrset_skip, lookup_name, lookup_len, 
+			vq->signer_name);
 		if(verbosity >= VERB_ALGO)
 			log_dns_msg("chased extract", &vq->qchase, 
 				vq->chase_reply);