mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00
Code Issues Releases Wiki Activity

1819. [bug] The validator needed to check both the algorithm and

Browse Source 
digest types of the DS to determine if it could be
                        used to introduce a secure zone. [RT #13593]
This commit is contained in:
Mark Andrews
2005-03-04 03:53:22 +00:00
parent 39c7fc7e00
commit c941e32d22
6 changed files with 55 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,3 +1,7 @@
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
1817. [placeholder] rt13587 1817. [placeholder] rt13587

7
lib/dns/ds.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: ds.c,v 1.4 2004/03/05 05:09:19 marka Exp $ */ /* $Id: ds.c,v 1.5 2005/03/04 03:53:20 marka Exp $ */
#include <config.h> #include <config.h>
@@ -81,3 +81,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds, return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
&ds, &b)); &ds, &b));
} }
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type) {
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
}

8
lib/dns/include/dns/ds.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: ds.h,v 1.3 2004/03/05 05:09:42 marka Exp $ */ /* $Id: ds.h,v 1.4 2005/03/04 03:53:21 marka Exp $ */
#ifndef DNS_DS_H #ifndef DNS_DS_H
#define DNS_DS_H 1 #define DNS_DS_H 1
@@ -51,6 +51,12 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
* to 'buffer'. * to 'buffer'.
*/ */
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type);
/*
* Is this digest algorithm supported by dns_ds_buildrdata()?
*/
ISC_LANG_ENDDECLS ISC_LANG_ENDDECLS
#endif /* DNS_DS_H */ #endif /* DNS_DS_H */

8
lib/dns/include/dns/resolver.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */ /* $Id: resolver.h,v 1.42 2005/03/04 03:53:22 marka Exp $ */
#ifndef DNS_RESOLVER_H #ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1 #define DNS_RESOLVER_H 1
@@ -416,6 +416,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
* crypto libraries if not specifically disabled. * crypto libraries if not specifically disabled.
*/ */
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
/*
* Is this digest type supported.
*/
void void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver); dns_resolver_resetmustbesecure(dns_resolver_t *resolver);

10
lib/dns/resolver.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: resolver.c,v 1.303 2005/02/08 23:51:31 marka Exp $ */ /* $Id: resolver.c,v 1.304 2005/03/04 03:53:21 marka Exp $ */
#include <config.h> #include <config.h>
@@ -30,6 +30,7 @@
#include <dns/cache.h> #include <dns/cache.h>
#include <dns/db.h> #include <dns/db.h>
#include <dns/dispatch.h> #include <dns/dispatch.h>
#include <dns/ds.h>
#include <dns/events.h> #include <dns/events.h>
#include <dns/forward.h> #include <dns/forward.h>
#include <dns/keytable.h> #include <dns/keytable.h>
@@ -6520,6 +6521,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
return (dst_algorithm_supported(alg)); return (dst_algorithm_supported(alg));
} }
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
UNUSED(resolver);
return (dns_ds_digest_supported(digest));
}
void void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver) { dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {

34
lib/dns/validator.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: validator.c,v 1.126 2005/02/09 05:19:30 marka Exp $ */ /* $Id: validator.c,v 1.127 2005/03/04 03:53:21 marka Exp $ */
#include <config.h> #include <config.h>
@@ -1561,6 +1561,9 @@ dlv_validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dlv, &dlvrdata); dns_rdataset_current(val->dlv, &dlvrdata);
(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL); (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
dlv.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver, if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name, val->event->name,
dlv.algorithm)) dlv.algorithm))
@@ -1647,7 +1650,7 @@ dlv_validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer; val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (dlv)"); "no supported algorithm/digest (dlv)");
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} else } else
return (DNS_R_NOVALIDSIG); return (DNS_R_NOVALIDSIG);
@@ -1848,6 +1851,10 @@ validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dsset, &dsrdata); dns_rdataset_current(val->dsset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL); (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
ds.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver, if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name, val->event->name,
ds.algorithm)) ds.algorithm))
@@ -1940,7 +1947,7 @@ validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer; val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)"); "no supported algorithm/digest (ds)");
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} else } else
return (DNS_R_NOVALIDSIG); return (DNS_R_NOVALIDSIG);
@@ -2193,7 +2200,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
} }
static isc_boolean_t static isc_boolean_t
check_ds_algorithm(dns_validator_t *val, dns_name_t *name, check_ds(dns_validator_t *val, dns_name_t *name,
dns_rdataset_t *rdataset) { dns_rdataset_t *rdataset) {
dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t ds; dns_rdata_ds_t ds;
@@ -2205,9 +2212,13 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
dns_rdataset_current(rdataset, &dsrdata); dns_rdataset_current(rdataset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL); (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (dns_resolver_algorithm_supported(val->view->resolver, if (dns_resolver_digest_supported(val->view->resolver,
name, ds.algorithm)) ds.digest_type) &&
dns_resolver_algorithm_supported(val->view->resolver,
name, ds.algorithm)) {
dns_rdata_reset(&dsrdata);
return (ISC_TRUE); return (ISC_TRUE);
}
dns_rdata_reset(&dsrdata); dns_rdata_reset(&dsrdata);
} }
return (ISC_FALSE); return (ISC_FALSE);
@@ -2385,8 +2396,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
} else { } else {
validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure"); validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
if (val->frdataset.trust >= dns_trust_secure && if (val->frdataset.trust >= dns_trust_secure &&
!check_ds_algorithm(val, dns_fixedname_name(&val->fname), !check_ds(val, dns_fixedname_name(&val->fname),
&val->frdataset)) { &val->frdataset)) {
if (val->mustbesecure) { if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING, validator_log(val, ISC_LOG_WARNING,
"must be secure failure"); "must be secure failure");
@@ -2394,7 +2405,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
goto out; goto out;
} }
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)"); "no supported algorithm/digest (ds)");
val->event->rdataset->trust = dns_trust_answer; val->event->rdataset->trust = dns_trust_answer;
result = ISC_R_SUCCESS; result = ISC_R_SUCCESS;
goto out; goto out;
@@ -2453,10 +2464,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
* continue. * continue.
*/ */
if (val->frdataset.trust >= dns_trust_secure) { if (val->frdataset.trust >= dns_trust_secure) {
if (!check_ds_algorithm(val, tname, if (!check_ds(val, tname, &val->frdataset)) {
&val->frdataset)) {
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)"); "no supported algorithm/digest (ds)");
if (val->mustbesecure) { if (val->mustbesecure) {
validator_log(val, validator_log(val,
ISC_LOG_WARNING, ISC_LOG_WARNING,