svn commit: r190228 - in stable/7/contrib/bind9: . lib/dns
Doug Barton
dougb at FreeBSD.org
Sat Mar 21 16:03:58 PDT 2009
Author: dougb
Date: Sat Mar 21 23:03:56 2009
New Revision: 190228
URL: http://svn.freebsd.org/changeset/base/190228
Log:
MFC the 9.4.3-P2 update
Modified:
stable/7/contrib/bind9/ (props changed)
stable/7/contrib/bind9/CHANGES (contents, props changed)
stable/7/contrib/bind9/lib/dns/validator.c (contents, props changed)
stable/7/contrib/bind9/version (contents, props changed)
Modified: stable/7/contrib/bind9/CHANGES
==============================================================================
--- stable/7/contrib/bind9/CHANGES Sat Mar 21 23:00:40 2009 (r190227)
+++ stable/7/contrib/bind9/CHANGES Sat Mar 21 23:03:56 2009 (r190228)
@@ -1,3 +1,8 @@
+ --- 9.4.3-P2 released ---
+
+2579. [bug] DNSSEC lookaside validation failed to handle unknown
+ algorithms. [RT #19479]
+
--- 9.4.3-P1 released ---
2522. [security] Handle -1 from DSA_do_verify().
Modified: stable/7/contrib/bind9/lib/dns/validator.c
==============================================================================
--- stable/7/contrib/bind9/lib/dns/validator.c Sat Mar 21 23:00:40 2009 (r190227)
+++ stable/7/contrib/bind9/lib/dns/validator.c Sat Mar 21 23:03:56 2009 (r190228)
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.119.18.41 2008/08/21 04:59:42 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
/*! \file */
@@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) {
return (ISC_TRUE);
}
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_dlv_t dlv;
+ isc_result_t result;
+
+ for (result = dns_rdataset_first(&val->dlv);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&val->dlv)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&val->dlv, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ val->event->name,
+ dlv.algorithm))
+ continue;
+
+ if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+ dlv.digest_type != DNS_DSDIGEST_SHA1)
+ continue;
+
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
/*%
* Look in the NSEC record returned from a DS query to see if there is
* a NS RRset at this name. If it is found we are at a delegation point.
@@ -2297,19 +2328,36 @@ dlvfetched(isc_task_t *task, isc_event_t
sizeof(namebuf));
dns_rdataset_clone(&val->frdataset, &val->dlv);
val->havedlvsep = ISC_TRUE;
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- dlv_validator_start(val);
+ if (dlv_algorithm_supported(val)) {
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+ namebuf);
+ dlv_validator_start(val);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found with no supported algorithms",
+ namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ }
} else if (eresult == DNS_R_NXRRSET ||
eresult == DNS_R_NXDOMAIN ||
eresult == DNS_R_NCACHENXRRSET ||
eresult == DNS_R_NCACHENXDOMAIN) {
- result = finddlvsep(val, ISC_TRUE);
+ result = finddlvsep(val, ISC_TRUE);
if (result == ISC_R_SUCCESS) {
- dns_name_format(dns_fixedname_name(&val->dlvsep),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
- namebuf);
- dlv_validator_start(val);
+ if (dlv_algorithm_supported(val)) {
+ dns_name_format(dns_fixedname_name(&val->dlvsep),
+ namebuf, sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found", namebuf);
+ dlv_validator_start(val);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found with no supported "
+ "algorithms", namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ }
} else if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
markanswer(val);
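Review bot: The two `else` branches (after `dlv_algorithm_supported` in both the fetched-DLV and the `finddlvsep` paths) repeat the same three-step sequence — debug log, `markanswer(val)`, `validator_done(val, ISC_R_SUCCESS)` — and the same sequence is added to startfinddlvsep in this commit, so a small static helper taking `val` and `namebuf` would keep the three copies in step; the two log strings already differ only in where they are split. The behavioural point deserves a comment: a DLV RRset whose records all use unsupported algorithms or digest types is deliberately handled exactly like the `ISC_R_NOTFOUND` case just below (answer marked insecure, not bogus), mirroring the RFC 4035 section 5.2 treatment of a DS RRset with no supported algorithm; suggest `/* DLV present but unusable: treat as unsigned, same as DLV not found. */` above each `markanswer`. dlvfetched begins and ends outside this hunk.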
@@ -2372,9 +2420,16 @@ startfinddlvsep(dns_validator_t *val, dn
}
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- dlv_validator_start(val);
- return (DNS_R_WAIT);
+ if (dlv_algorithm_supported(val)) {
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+ dlv_validator_start(val);
+ return (DNS_R_WAIT);
+ }
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+ "algorithms", namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ return (ISC_R_SUCCESS);
}
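Review bot: The new fall-through path at the end of startfinddlvsep completes the validation synchronously (`validator_done(val, ISC_R_SUCCESS)` followed by `return (ISC_R_SUCCESS)`), whereas before this change a found DLV SEP always yielded `DNS_R_WAIT`, so every caller must now tolerate a validator that has already finished when it sees a non-WAIT success code. The earlier `ISC_R_NOTFOUND` handling in this function (outside the hunk) appears to mark the answer and return without calling `validator_done`; if so, the two "no usable DLV" outcomes are completed differently and one of them should be aligned with the other, depending on whether the callers or this function own completion. Whether a second `validator_done` from the caller is harmless depends on that function tolerating an already-completed validator, which is not visible here. Suggest `/* Validation finishes here; callers get ISC_R_SUCCESS, not DNS_R_WAIT. */` above the final `return`. startfinddlvsep begins outside this hunk.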
/*%
Modified: stable/7/contrib/bind9/version
==============================================================================
--- stable/7/contrib/bind9/version Sat Mar 21 23:00:40 2009 (r190227)
+++ stable/7/contrib/bind9/version Sat Mar 21 23:03:56 2009 (r190228)
@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.23.2.1 2008/12/24 00:21:22 marka Exp $
+# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=4
PATCHVER=3
RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2