New upstream version 1.6.8 Robert Edmonds 6 years ago
25 changed file(s) with 184 addition(s) and 97 deletion(s).
0 # generated automatically by aclocal 1.15 -*- Autoconf -*-
1
2 # Copyright (C) 1996-2014 Free Software Foundation, Inc.
0 # generated automatically by aclocal 1.15.1 -*- Autoconf -*-
1
2 # Copyright (C) 1996-2017 Free Software Foundation, Inc.
33
44 # This file is free software; the Free Software Foundation
55 # gives unlimited permission to copy and/or distribute it,
93899389
93909390 # AM_CONDITIONAL -*- Autoconf -*-
93919391
9392 # Copyright (C) 1997-2014 Free Software Foundation, Inc.
9392 # Copyright (C) 1997-2017 Free Software Foundation, Inc.
93939393 #
93949394 # This file is free software; the Free Software Foundation
93959395 # gives unlimited permission to copy and/or distribute it,
94209420 Usually this means the macro was only invoked conditionally.]])
94219421 fi])])
94229422
9423 # Copyright (C) 2006-2014 Free Software Foundation, Inc.
9423 # Copyright (C) 2006-2017 Free Software Foundation, Inc.
94249424 #
94259425 # This file is free software; the Free Software Foundation
94269426 # gives unlimited permission to copy and/or distribute it,
00 #! /bin/sh
11 # Guess values for system-dependent variables and create Makefiles.
2 # Generated by GNU Autoconf 2.69 for unbound 1.6.7.
2 # Generated by GNU Autoconf 2.69 for unbound 1.6.8.
33 #
44 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
55 #
589589 # Identity of this package.
590590 PACKAGE_NAME='unbound'
591591 PACKAGE_TARNAME='unbound'
592 PACKAGE_VERSION='1.6.7'
593 PACKAGE_STRING='unbound 1.6.7'
592 PACKAGE_VERSION='1.6.8'
593 PACKAGE_STRING='unbound 1.6.8'
594594 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
595595 PACKAGE_URL=''
596596
14361436 # Omit some internal or obsolete options to make the list less imposing.
14371437 # This message is too long to be a string in the A/UX 3.1 sh.
14381438 cat <<_ACEOF
1439 \`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
1439 \`configure' configures unbound 1.6.8 to adapt to many kinds of systems.
14401440
14411441 Usage: $0 [OPTION]... [VAR=VALUE]...
14421442
15011501
15021502 if test -n "$ac_init_help"; then
15031503 case $ac_init_help in
1504 short | recursive ) echo "Configuration of unbound 1.6.7:";;
1504 short | recursive ) echo "Configuration of unbound 1.6.8:";;
15051505 esac
15061506 cat <<\_ACEOF
15071507
17131713 test -n "$ac_init_help" && exit $ac_status
17141714 if $ac_init_version; then
17151715 cat <<\_ACEOF
1716 unbound configure 1.6.7
1716 unbound configure 1.6.8
17171717 generated by GNU Autoconf 2.69
17181718
17191719 Copyright (C) 2012 Free Software Foundation, Inc.
24222422 This file contains any messages produced by compilers while
24232423 running configure, to aid debugging if configure makes a mistake.
24242424
2425 It was created by unbound $as_me 1.6.7, which was
2425 It was created by unbound $as_me 1.6.8, which was
24262426 generated by GNU Autoconf 2.69. Invocation command line was
24272427
24282428 $ $0 $@
27742774
27752775 UNBOUND_VERSION_MINOR=6
27762776
2777 UNBOUND_VERSION_MICRO=7
2777 UNBOUND_VERSION_MICRO=8
27782778
27792779
27802780 LIBUNBOUND_CURRENT=7
2781 LIBUNBOUND_REVISION=6
2781 LIBUNBOUND_REVISION=7
27822782 LIBUNBOUND_AGE=5
27832783 # 1.0.0 had 0:12:0
27842784 # 1.0.1 had 0:13:0
28362836 # 1.6.5 had 7:4:5
28372837 # 1.6.6 had 7:5:5
28382838 # 1.6.7 had 7:6:5
2839 # 1.6.8 had 7:7:5
28392840
28402841 # Current -- the number of the binary API that we're implementing
28412842 # Revision -- which iteration of the implementation of the binary
2069320694
2069420695
2069520696
20696 version=1.6.7
20697 version=1.6.8
2069720698
2069820699 date=`date +'%b %e, %Y'`
2069920700
2121221213 # report actual input values of CONFIG_FILES etc. instead of their
2121321214 # values after options handling.
2121421215 ac_log="
21215 This file was extended by unbound $as_me 1.6.7, which was
21216 This file was extended by unbound $as_me 1.6.8, which was
2121621217 generated by GNU Autoconf 2.69. Invocation command line was
2121721218
2121821219 CONFIG_FILES = $CONFIG_FILES
2127821279 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
2127921280 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
2128021281 ac_cs_version="\\
21281 unbound config.status 1.6.7
21282 unbound config.status 1.6.8
2128221283 configured by $0, generated by GNU Autoconf 2.69,
2128321284 with options \\"\$ac_cs_config\\"
2128421285
1010 # must be numbers. ac_defun because of later processing
1111 m4_define([VERSION_MAJOR],[1])
1212 m4_define([VERSION_MINOR],[6])
13 m4_define([VERSION_MICRO],[7])
13 m4_define([VERSION_MICRO],[8])
1414 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
1515 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
1616 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
1717 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
1818
1919 LIBUNBOUND_CURRENT=7
20 LIBUNBOUND_REVISION=6
20 LIBUNBOUND_REVISION=7
2121 LIBUNBOUND_AGE=5
2222 # 1.0.0 had 0:12:0
2323 # 1.0.1 had 0:13:0
7575 # 1.6.5 had 7:4:5
7676 # 1.6.6 had 7:5:5
7777 # 1.6.7 had 7:6:5
78 # 1.6.8 had 7:7:5
7879
7980 # Current -- the number of the binary API that we're implementing
8081 # Revision -- which iteration of the implementation of the binary
0 19 January 2018: Wouter
1 - patch for CVE-2017-15105: vulnerability in the processing of
2 wildcard synthesized NSEC records.
3
04 10 October 2017: Wouter
15 - tag 1.6.7
26
0 README for Unbound 1.6.7
0 README for Unbound 1.6.8
11 Copyright 2007 NLnet Labs
22 http://unbound.net
33
00 #
11 # Example configuration file.
22 #
3 # See unbound.conf(5) man page, version 1.6.7.
3 # See unbound.conf(5) man page, version 1.6.8.
44 #
55 # this is a comment.
66
0 .TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "libunbound" "3" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" libunbound.3 -- unbound library functions manual
33 .\"
4242 .B ub_ctx_zone_remove,
4343 .B ub_ctx_data_add,
4444 .B ub_ctx_data_remove
45 \- Unbound DNS validating resolver 1.6.7 functions.
45 \- Unbound DNS validating resolver 1.6.8 functions.
4646 .SH "SYNOPSIS"
4747 .B #include <unbound.h>
4848 .LP
0 .TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound-anchor" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
33 .\"
0 .TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound-checkconf" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound-checkconf.8 -- unbound configuration checker manual
33 .\"
0 .TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound-control" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound-control.8 -- unbound remote control manual
33 .\"
0 .TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound\-host" "1" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound-host.1 -- unbound DNS lookup utility
33 .\"
0 .TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound.8 -- unbound manual
33 .\"
88 .\"
99 .SH "NAME"
1010 .B unbound
11 \- Unbound DNS validating resolver 1.6.7.
11 \- Unbound DNS validating resolver 1.6.8.
1212 .SH "SYNOPSIS"
1313 .B unbound
1414 .RB [ \-h ]
0 .TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
0 .TH "unbound.conf" "5" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
11 .\"
22 .\" unbound.conf.5 -- unbound.conf manual
33 .\"
185185 ntohs(rrset->rk.rrset_class));
186186 }
187187 setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
188 sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason);
188 /* ok to give null as qstate here, won't be used for answer section. */
189 sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
190 LDNS_SECTION_ANSWER, NULL);
189191 if(vsig) {
190192 printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
191193 reason?reason:"");
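Review bot: This call hard-codes `LDNS_SECTION_ANSWER` with a NULL qstate, so the verification test never reaches the authority-section NSEC owner replacement that this release adds in rrset_canonical. The comment is accurate for this call but would be clearer if it stated the condition, e.g. `/* qstate is only dereferenced for NSEC rrsets in the authority section; NULL is fine for the answer section. */`. A separate case that verifies an NSEC rrset with `LDNS_SECTION_AUTHORITY` and a real qstate would give the CVE-2017-15105 fix regression coverage. The enclosing function starts and ends outside the visible lines.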
12261226 * @param ve: validator environment (with options) for verification.
12271227 * @param tp: trust point to verify with
12281228 * @param rrset: DNSKEY rrset to verify.
1229 * @param qstate: qstate with region.
12291230 * @return false on failure, true if verification successful.
12301231 */
12311232 static int
12321233 verify_dnskey(struct module_env* env, struct val_env* ve,
1233 struct trust_anchor* tp, struct ub_packed_rrset_key* rrset)
1234 struct trust_anchor* tp, struct ub_packed_rrset_key* rrset,
1235 struct module_qstate* qstate)
12341236 {
12351237 char* reason = NULL;
12361238 uint8_t sigalg[ALGO_NEEDS_MAX+1];
12371239 int downprot = env->cfg->harden_algo_downgrade;
12381240 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
1239 tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
1241 tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason,
1242 qstate);
12401243 /* sigalg is ignored, it returns algorithms signalled to exist, but
12411244 * in 5011 there are no other rrsets to check. if downprot is
12421245 * enabled, then it checks that the DNSKEY is signed with all
12751278 /** Is rr self-signed revoked key */
12761279 static int
12771280 rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
1278 struct ub_packed_rrset_key* dnskey_rrset, size_t i)
1281 struct ub_packed_rrset_key* dnskey_rrset, size_t i,
1282 struct module_qstate* qstate)
12791283 {
12801284 enum sec_status sec;
12811285 char* reason = NULL;
12841288 /* no algorithm downgrade protection necessary, if it is selfsigned
12851289 * revoked it can be removed. */
12861290 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i,
1287 &reason);
1291 &reason, LDNS_SECTION_ANSWER, qstate);
12881292 return (sec == sec_status_secure);
12891293 }
12901294
15001504 static void
15011505 check_contains_revoked(struct module_env* env, struct val_env* ve,
15021506 struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
1503 int* changed)
1507 int* changed, struct module_qstate* qstate)
15041508 {
15051509 struct packed_rrset_data* dd = (struct packed_rrset_data*)
15061510 dnskey_rrset->entry.data;
15201524 }
15211525 if(!ta)
15221526 continue; /* key not found */
1523 if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) {
1527 if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i, qstate)) {
15241528 /* checked if there is an rrsig signed by this key. */
15251529 /* same keytag, but stored can be revoked already, so
15261530 * compare keytags, with +0 or +128(REVOKE flag) */
21172121 }
21182122
21192123 int autr_process_prime(struct module_env* env, struct val_env* ve,
2120 struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset)
2124 struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
2125 struct module_qstate* qstate)
21212126 {
21222127 int changed = 0;
21232128 log_assert(tp && tp->autr);
21582163 return 1; /* trust point exists */
21592164 }
21602165 /* check for revoked keys to remove immediately */
2161 check_contains_revoked(env, ve, tp, dnskey_rrset, &changed);
2166 check_contains_revoked(env, ve, tp, dnskey_rrset, &changed, qstate);
21622167 if(changed) {
21632168 verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble");
21642169 if(!autr_assemble(tp)) {
21742179 }
21752180 }
21762181 /* verify the dnskey rrset and see if it is valid. */
2177 if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
2182 if(!verify_dnskey(env, ve, tp, dnskey_rrset, qstate)) {
21782183 verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
21792184 /* only increase failure count if this is not the first prime,
21802185 * this means there was a previous successful probe */
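Review bot: The new `@param qstate: qstate with region.` line on verify_dnskey does not say what the region is used for or whether NULL is accepted, and the same wording is repeated in the header comments for autr_process_prime, val_nsec_prove_nodata_dsreply, nsec3_prove_nods and the val_sigcrypt and val_utils verify functions. Judging from the rrset_canonical change, the region is only used to allocate a canonical owner name for authority-section NSEC rrsets, and the visible calls from this file all end up with `LDNS_SECTION_ANSWER`. Wording such as `@param qstate: query state; its region receives the canonical owner copy made for authority-section NSEC rrsets. Must not be NULL when section is LDNS_SECTION_AUTHORITY.` would make the contract explicit. rr_is_selfsigned_revoked and check_contains_revoked also gained the parameter without any @param documentation.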
4646 struct trust_anchor;
4747 struct ub_packed_rrset_key;
4848 struct module_env;
49 struct module_qstate;
4950 struct val_env;
5051 struct sldns_buffer;
5152
187188 * @param tp: trust anchor to process.
188189 * @param dnskey_rrset: DNSKEY rrset probed (can be NULL if bad prime result).
189190 * allocated in a region. Has not been validated yet.
191 * @param qstate: qstate with region.
190192 * @return false if trust anchor was revoked completely.
191193 * Otherwise logs errors to log, does not change return value.
192194 * On errors, likely the trust point has been unchanged.
193195 */
194196 int autr_process_prime(struct module_env* env, struct val_env* ve,
195 struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset);
197 struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
198 struct module_qstate* qstate);
196199
197200 /**
198201 * Debug printout of rfc5011 tracked anchors
175175 static int
176176 nsec_verify_rrset(struct module_env* env, struct val_env* ve,
177177 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
178 char** reason)
178 char** reason, struct module_qstate* qstate)
179179 {
180180 struct packed_rrset_data* d = (struct packed_rrset_data*)
181181 nsec->entry.data;
184184 rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
185185 if(d->security == sec_status_secure)
186186 return 1;
187 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
187 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
188 LDNS_SECTION_AUTHORITY, qstate);
188189 if(d->security == sec_status_secure) {
189190 rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
190191 return 1;
195196 enum sec_status
196197 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
197198 struct query_info* qinfo, struct reply_info* rep,
198 struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
199 struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
200 struct module_qstate* qstate)
199201 {
200202 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
201203 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
212214 * 1) this is a delegation point and there is no DS
213215 * 2) this is not a delegation point */
214216 if(nsec) {
215 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
217 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
216218 verbose(VERB_ALGO, "NSEC RRset for the "
217219 "referral did not verify.");
218220 return sec_status_bogus;
241243 i++) {
242244 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
243245 continue;
244 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
246 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
247 qstate)) {
245248 verbose(VERB_ALGO, "NSEC for empty non-terminal "
246249 "did not verify.");
247250 return sec_status_bogus;
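Review bot: nsec_verify_rrset still returns 1 as soon as `d->security == sec_status_secure` right after `rrset_check_sec_status` takes the status from the rrset cache, and on that path `val_verify_rrset_entry` is not called, so the owner-name replacement added in rrset_canonical does not run. Whether an NSEC rrset can reach this early return with an owner that was never canonicalised is not visible here, so it should be confirmed against how the cache entry is keyed and stored. If the assumption holds, a comment above the early return such as `/* cached secure status: owner was already checked when the status was set */` would record it; if it does not, the early return needs the same owner handling. The bodies of nsec_verify_rrset and val_nsec_prove_nodata_dsreply are only partly shown.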
4545 #include "util/data/packed_rrset.h"
4646 struct val_env;
4747 struct module_env;
48 struct module_qstate;
4849 struct ub_packed_rrset_key;
4950 struct reply_info;
5051 struct query_info;
6364 * @param kkey: key entry to use for verification of signatures.
6465 * @param proof_ttl: if secure, the TTL of how long this proof lasts.
6566 * @param reason: string explaining why bogus.
67 * @param qstate: qstate with region.
6668 * @return security status.
6769 * SECURE: proved absence of DS.
6870 * INSECURE: proved that this was not a delegation point.
7274 enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
7375 struct val_env* ve, struct query_info* qinfo,
7476 struct reply_info* rep, struct key_entry_key* kkey,
75 time_t* proof_ttl, char** reason);
77 time_t* proof_ttl, char** reason, struct module_qstate* qstate);
7678
7779 /**
7880 * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
12841284 static int
12851285 list_is_secure(struct module_env* env, struct val_env* ve,
12861286 struct ub_packed_rrset_key** list, size_t num,
1287 struct key_entry_key* kkey, char** reason)
1287 struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)
12881288 {
12891289 struct packed_rrset_data* d;
12901290 size_t i;
12981298 if(d->security == sec_status_secure)
12991299 continue;
13001300 d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
1301 reason);
1301 reason, LDNS_SECTION_AUTHORITY, qstate);
13021302 if(d->security != sec_status_secure) {
13031303 verbose(VERB_ALGO, "NSEC3 did not verify");
13041304 return 0;
13111311 enum sec_status
13121312 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
13131313 struct ub_packed_rrset_key** list, size_t num,
1314 struct query_info* qinfo, struct key_entry_key* kkey, char** reason)
1314 struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
1315 struct module_qstate* qstate)
13151316 {
13161317 rbtree_type ct;
13171318 struct nsec3_filter flt;
13241325 *reason = "no valid NSEC3s";
13251326 return sec_status_bogus; /* no valid NSEC3s, bogus */
13261327 }
1327 if(!list_is_secure(env, ve, list, num, kkey, reason))
1328 if(!list_is_secure(env, ve, list, num, kkey, reason, qstate))
13281329 return sec_status_bogus; /* not all NSEC3 records secure */
13291330 rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
13301331 filter_init(&flt, list, num, qinfo); /* init RR iterator */
7070 struct val_env;
7171 struct regional;
7272 struct module_env;
73 struct module_qstate;
7374 struct ub_packed_rrset_key;
7475 struct reply_info;
7576 struct query_info;
184185 * @param qinfo: query that is verified for.
185186 * @param kkey: key entry that signed the NSEC3s.
186187 * @param reason: string for bogus result.
188 * @param qstate: qstate with region.
187189 * @return:
188190 * sec_status SECURE of the proposition is proven by the NSEC3 RRs,
189191 * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
193195 enum sec_status
194196 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
195197 struct ub_packed_rrset_key** list, size_t num,
196 struct query_info* qinfo, struct key_entry_key* kkey, char** reason);
198 struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
199 struct module_qstate* qstate);
197200
198201 /**
199202 * Prove NXDOMAIN or NODATA.
484484 enum sec_status
485485 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
486486 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
487 uint8_t* sigalg, char** reason)
487 uint8_t* sigalg, char** reason, sldns_pkt_section section,
488 struct module_qstate* qstate)
488489 {
489490 enum sec_status sec;
490491 size_t i, num;
511512 }
512513 for(i=0; i<num; i++) {
513514 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
514 dnskey, i, &sortree, reason);
515 dnskey, i, &sortree, reason, section, qstate);
515516 /* see which algorithm has been fixed up */
516517 if(sec == sec_status_secure) {
517518 if(!sigalg)
552553 enum sec_status
553554 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
554555 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
555 size_t dnskey_idx, char** reason)
556 size_t dnskey_idx, char** reason, sldns_pkt_section section,
557 struct module_qstate* qstate)
556558 {
557559 enum sec_status sec;
558560 size_t i, num, numchecked = 0;
576578 buf_canon = 0;
577579 sec = dnskey_verify_rrset_sig(env->scratch,
578580 env->scratch_buffer, ve, *env->now, rrset,
579 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason);
581 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
582 section, qstate);
580583 if(sec == sec_status_secure)
581584 return sec;
582585 numchecked ++;
590593 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
591594 time_t now, struct ub_packed_rrset_key* rrset,
592595 struct ub_packed_rrset_key* dnskey, size_t sig_idx,
593 struct rbtree_type** sortree, char** reason)
596 struct rbtree_type** sortree, char** reason, sldns_pkt_section section,
597 struct module_qstate* qstate)
594598 {
595599 /* find matching keys and check them */
596600 enum sec_status sec = sec_status_bogus;
615619 /* see if key verifies */
616620 sec = dnskey_verify_rrset_sig(env->scratch,
617621 env->scratch_buffer, ve, now, rrset, dnskey, i,
618 sig_idx, sortree, &buf_canon, reason);
622 sig_idx, sortree, &buf_canon, reason, section, qstate);
619623 if(sec == sec_status_secure)
620624 return sec;
621625 }
11201124 * signer name length.
11211125 * @param sortree: if NULL is passed a new sorted rrset tree is built.
11221126 * Otherwise it is reused.
1127 * @param section: section of packet where this rrset comes from.
1128 * @param qstate: qstate with region.
11231129 * @return false on alloc error.
11241130 */
11251131 static int
11261132 rrset_canonical(struct regional* region, sldns_buffer* buf,
11271133 struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
1128 struct rbtree_type** sortree)
1134 struct rbtree_type** sortree, sldns_pkt_section section,
1135 struct module_qstate* qstate)
11291136 {
11301137 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
11311138 uint8_t* can_owner = NULL;
11741181 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
11751182 }
11761183 sldns_buffer_flip(buf);
1184
1185 /* Replace RR owner with canonical owner for NSEC records in authority
1186 * section, to prevent that a wildcard synthesized NSEC can be used in
1187 * the non-existence proves. */
1188 if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
1189 section == LDNS_SECTION_AUTHORITY) {
1190 k->rk.dname = regional_alloc_init(qstate->region, can_owner,
1191 can_owner_len);
1192 if(!k->rk.dname)
1193 return 0;
1194 k->rk.dname_len = can_owner_len;
1195 }
1196
1197
11771198 return 1;
11781199 }
11791200
13171338 struct val_env* ve, time_t now,
13181339 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
13191340 size_t dnskey_idx, size_t sig_idx,
1320 struct rbtree_type** sortree, int* buf_canon, char** reason)
1341 struct rbtree_type** sortree, int* buf_canon, char** reason,
1342 sldns_pkt_section section, struct module_qstate* qstate)
13211343 {
13221344 enum sec_status sec;
13231345 uint8_t* sig; /* RRSIG rdata */
14161438 /* create rrset canonical format in buffer, ready for
14171439 * signature */
14181440 if(!rrset_canonical(region, buf, rrset, sig+2,
1419 18 + signer_len, sortree)) {
1441 18 + signer_len, sortree, section, qstate)) {
14201442 log_err("verify: failed due to alloc error");
14211443 return sec_status_unchecked;
14221444 }
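Review bot: In rrset_canonical the new NSEC branch dereferences `qstate->region` without checking `qstate`, while at least one caller in this commit passes NULL and relies on the section being `LDNS_SECTION_ANSWER`. A later caller that passes `LDNS_SECTION_AUTHORITY` with a NULL qstate would hit a NULL dereference in the validation path; failing closed is safer than silently skipping the replacement, e.g. `if(!qstate) { log_err("verify: no qstate for authority NSEC"); return 0; }` as the first statement of the branch. The branch also overwrites `k->rk.dname` and `k->rk.dname_len` on the caller's rrset key, which the function comment does not mention and which matters if that key is shared or hashed elsewhere, so the doc comment should state this side effect. `can_owner` is initialised to NULL and assigned in code not shown here, so it is worth confirming it is always set before this branch runs.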
4343 #ifndef VALIDATOR_VAL_SIGCRYPT_H
4444 #define VALIDATOR_VAL_SIGCRYPT_H
4545 #include "util/data/packed_rrset.h"
46 #include "sldns/pkthdr.h"
4647 struct val_env;
4748 struct module_env;
49 struct module_qstate;
4850 struct ub_packed_rrset_key;
4951 struct rbtree_type;
5052 struct regional;
236238 * @param sigalg: if nonNULL provide downgrade protection otherwise one
237239 * algorithm is enough.
238240 * @param reason: if bogus, a string returned, fixed or alloced in scratch.
241 * @param section: section of packet where this rrset comes from.
242 * @param qstate: qstate with region.
239243 * @return SECURE if one key in the set verifies one rrsig.
240244 * UNCHECKED on allocation errors, unsupported algorithms, malformed data,
241245 * and BOGUS on verification failures (no keys match any signatures).
242246 */
243247 enum sec_status dnskeyset_verify_rrset(struct module_env* env,
244248 struct val_env* ve, struct ub_packed_rrset_key* rrset,
245 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason);
249 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason,
250 sldns_pkt_section section, struct module_qstate* qstate);
246251
247252 /**
248253 * verify rrset against one specific dnskey (from rrset)
252257 * @param dnskey: DNSKEY rrset, keyset.
253258 * @param dnskey_idx: which key from the rrset to try.
254259 * @param reason: if bogus, a string returned, fixed or alloced in scratch.
260 * @param section: section of packet where this rrset comes from.
261 * @param qstate: qstate with region.
255262 * @return secure if *this* key signs any of the signatures on rrset.
256263 * unchecked on error or and bogus on bad signature.
257264 */
258265 enum sec_status dnskey_verify_rrset(struct module_env* env,
259266 struct val_env* ve, struct ub_packed_rrset_key* rrset,
260 struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason);
267 struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason,
268 sldns_pkt_section section, struct module_qstate* qstate);
261269
262270 /**
263271 * verify rrset, with dnskey rrset, for a specific rrsig in rrset
270278 * @param sortree: reused sorted order. Stored in region. Pass NULL at start,
271279 * and for a new rrset.
272280 * @param reason: if bogus, a string returned, fixed or alloced in scratch.
281 * @param section: section of packet where this rrset comes from.
282 * @param qstate: qstate with region.
273283 * @return secure if any key signs *this* signature. bogus if no key signs it,
274284 * or unchecked on error.
275285 */
276286 enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env,
277287 struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset,
278288 struct ub_packed_rrset_key* dnskey, size_t sig_idx,
279 struct rbtree_type** sortree, char** reason);
289 struct rbtree_type** sortree, char** reason, sldns_pkt_section section,
290 struct module_qstate* qstate);
280291
281292 /**
282293 * verify rrset, with specific dnskey(from set), for a specific rrsig
294305 * pass false at start. pass old value only for same rrset and same
295306 * signature (but perhaps different key) for reuse.
296307 * @param reason: if bogus, a string returned, fixed or alloced in scratch.
308 * @param section: section of packet where this rrset comes from.
309 * @param qstate: qstate with region.
297310 * @return secure if this key signs this signature. unchecked on error or
298311 * bogus if it did not validate.
299312 */
301314 struct sldns_buffer* buf, struct val_env* ve, time_t now,
302315 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
303316 size_t dnskey_idx, size_t sig_idx,
304 struct rbtree_type** sortree, int* buf_canon, char** reason);
317 struct rbtree_type** sortree, int* buf_canon, char** reason,
318 sldns_pkt_section section, struct module_qstate* qstate);
305319
306320 /**
307321 * canonical compare for two tree entries
334334 enum sec_status
335335 val_verify_rrset(struct module_env* env, struct val_env* ve,
336336 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
337 uint8_t* sigalg, char** reason)
337 uint8_t* sigalg, char** reason, sldns_pkt_section section,
338 struct module_qstate* qstate)
338339 {
339340 enum sec_status sec;
340341 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
356357 }
357358 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
358359 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
359 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
360 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
361 section, qstate);
360362 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
361363 regional_free_all(env->scratch);
362364
389391 enum sec_status
390392 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
391393 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
392 char** reason)
394 char** reason, sldns_pkt_section section, struct module_qstate* qstate)
393395 {
394396 /* temporary dnskey rrset-key */
395397 struct ub_packed_rrset_key dnskey;
402404 dnskey.rk.dname_len = kkey->namelen;
403405 dnskey.entry.key = &dnskey;
404406 dnskey.entry.data = kd->rrset_data;
405 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
407 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
408 section, qstate);
406409 return sec;
407410 }
408411
410413 static enum sec_status
411414 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
412415 struct ub_packed_rrset_key* dnskey_rrset,
413 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
416 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
417 struct module_qstate* qstate)
414418 {
415419 enum sec_status sec = sec_status_bogus;
416420 size_t i, num, numchecked = 0, numhashok = 0;
441445 /* Otherwise, we have a match! Make sure that the DNSKEY
442446 * verifies *with this key* */
443447 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
444 dnskey_rrset, i, reason);
448 dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate);
445449 if(sec == sec_status_secure) {
446450 return sec;
447451 }
477481 enum sec_status
478482 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
479483 struct ub_packed_rrset_key* dnskey_rrset,
480 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
484 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
485 struct module_qstate* qstate)
481486 {
482487 /* as long as this is false, we can consider this DS rrset to be
483488 * equivalent to no DS rrset. */
519524 has_useful_ds = 1;
520525
521526 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
522 ds_rrset, i, reason);
527 ds_rrset, i, reason, qstate);
523528 if(sec == sec_status_secure) {
524529 if(!sigalg || algo_needs_set_secure(&needs,
525530 (uint8_t)ds_get_key_algo(ds_rrset, i))) {
552557 struct key_entry_key*
553558 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
554559 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
555 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
560 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
561 struct module_qstate* qstate)
556562 {
557563 uint8_t sigalg[ALGO_NEEDS_MAX+1];
558564 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
559 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
565 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate);
560566
561567 if(sec == sec_status_secure) {
562568 return key_entry_create_rrset(region,
578584 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
579585 struct ub_packed_rrset_key* dnskey_rrset,
580586 struct ub_packed_rrset_key* ta_ds,
581 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
587 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
588 struct module_qstate* qstate)
582589 {
583590 /* as long as this is false, we can consider this anchor to be
584591 * equivalent to no anchor. */
629636 has_useful_ta = 1;
630637
631638 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
632 ta_ds, i, reason);
639 ta_ds, i, reason, qstate);
633640 if(sec == sec_status_secure) {
634641 if(!sigalg || algo_needs_set_secure(&needs,
635642 (uint8_t)ds_get_key_algo(ta_ds, i))) {
655662 has_useful_ta = 1;
656663
657664 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
658 ta_dnskey, i, reason);
665 ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate);
659666 if(sec == sec_status_secure) {
660667 if(!sigalg || algo_needs_set_secure(&needs,
661668 (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
689696 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
690697 struct ub_packed_rrset_key* ta_ds_rrset,
691698 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
692 char** reason)
699 char** reason, struct module_qstate* qstate)
693700 {
694701 uint8_t sigalg[ALGO_NEEDS_MAX+1];
695702 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
696703 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
697 downprot?sigalg:NULL, reason);
704 downprot?sigalg:NULL, reason, qstate);
698705
699706 if(sec == sec_status_secure) {
700707 return key_entry_create_rrset(region,
4141 #ifndef VALIDATOR_VAL_UTILS_H
4242 #define VALIDATOR_VAL_UTILS_H
4343 #include "util/data/packed_rrset.h"
44 #include "sldns/pkthdr.h"
4445 struct query_info;
4546 struct reply_info;
4647 struct val_env;
4748 struct module_env;
49 struct module_qstate;
4850 struct ub_packed_rrset_key;
4951 struct key_entry_key;
5052 struct regional;
119121 * @param sigalg: if nonNULL provide downgrade protection otherwise one
120122 * algorithm is enough. Algo list is constructed in here.
121123 * @param reason: reason of failure. Fixed string or alloced in scratch.
124 * @param section: section of packet where this rrset comes from.
125 * @param qstate: qstate with region.
122126 * @return security status of verification.
123127 */
124128 enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve,
125129 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
126 uint8_t* sigalg, char** reason);
130 uint8_t* sigalg, char** reason, sldns_pkt_section section,
131 struct module_qstate* qstate);
127132
128133 /**
129134 * Verify RRset with keys from a keyset.
132137 * @param rrset: what to verify
133138 * @param kkey: key_entry to verify with.
134139 * @param reason: reason of failure. Fixed string or alloced in scratch.
140 * @param section: section of packet where this rrset comes from.
141 * @param qstate: qstate with region.
135142 * @return security status of verification.
136143 */
137144 enum sec_status val_verify_rrset_entry(struct module_env* env,
138145 struct val_env* ve, struct ub_packed_rrset_key* rrset,
139 struct key_entry_key* kkey, char** reason);
146 struct key_entry_key* kkey, char** reason, sldns_pkt_section section,
147 struct module_qstate* qstate);
140148
141149 /**
142150 * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but
149157 * algorithm is enough. The list of signalled algorithms is returned,
150158 * must have enough space for ALGO_NEEDS_MAX+1.
151159 * @param reason: reason of failure. Fixed string or alloced in scratch.
160 * @param qstate: qstate with region.
152161 * @return: sec_status_secure if a DS matches.
153162 * sec_status_insecure if end of trust (i.e., unknown algorithms).
154163 * sec_status_bogus if it fails.
155164 */
156165 enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
157166 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
158 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason);
167 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
168 struct module_qstate* qstate);
159169
160170 /**
161171 * Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS
169179 * algorithm is enough. The list of signalled algorithms is returned,
170180 * must have enough space for ALGO_NEEDS_MAX+1.
171181 * @param reason: reason of failure. Fixed string or alloced in scratch.
182 * @param qstate: qstate with region.
172183 * @return: sec_status_secure if a DS matches.
173184 * sec_status_insecure if end of trust (i.e., unknown algorithms).
174185 * sec_status_bogus if it fails.
176187 enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
177188 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
178189 struct ub_packed_rrset_key* ta_ds,
179 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason);
190 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
191 struct module_qstate* qstate);
180192
181193 /**
182194 * Verify new DNSKEYs with DS rrset. The DS contains hash values that should
191203 * @param downprot: if true provide downgrade protection otherwise one
192204 * algorithm is enough.
193205 * @param reason: reason of failure. Fixed string or alloced in scratch.
206 * @param qstate: qstate with region.
194207 * @return a KeyEntry. This will either contain the now trusted
195208 * dnskey_rrset, a "null" key entry indicating that this DS
196209 * rrset/DNSKEY pair indicate an secure end to the island of trust
204217 struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region,
205218 struct module_env* env, struct val_env* ve,
206219 struct ub_packed_rrset_key* dnskey_rrset,
207 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason);
220 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
221 struct module_qstate* qstate);
208222
209223
210224 /**
219233 * @param downprot: if true provide downgrade protection otherwise one
220234 * algorithm is enough.
221235 * @param reason: reason of failure. Fixed string or alloced in scratch.
236 * @param qstate: qstate with region.
222237 * @return a KeyEntry. This will either contain the now trusted
223238 * dnskey_rrset, a "null" key entry indicating that this DS
224239 * rrset/DNSKEY pair indicate an secure end to the island of trust
234249 struct ub_packed_rrset_key* dnskey_rrset,
235250 struct ub_packed_rrset_key* ta_ds_rrset,
236251 struct ub_packed_rrset_key* ta_dnskey_rrset,
237 int downprot, char** reason);
252 int downprot, char** reason, struct module_qstate* qstate);
238253
239254 /**
240255 * Determine if DS rrset is usable for validator or not.
251266 * the result of a wildcard expansion. If so, return the name of the
252267 * generating wildcard.
253268 *
254 * @param rrset The rrset to chedck.
269 * @param rrset The rrset to check.
255270 * @param wc: the wildcard name, if the rrset was synthesized from a wildcard.
256271 * unchanged if not. The wildcard name, without "*." in front, is
257272 * returned. This is a pointer into the rrset owner name.
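Review bot: The new `@param section` and `@param qstate` lines in this header name the arguments but do not state their contract. `section: section of packet where this rrset comes from` does not say what a caller should pass when the rrset is not taken from a reply section, yet the trust-anchor DNSKEY path elsewhere in this commit hard-codes `LDNS_SECTION_ANSWER`. `qstate: qstate with region` does not say whether NULL is accepted or what the region is used for. Since these prototypes return the DNSSEC security status, I would spell both out, for example `@param section: packet section the rrset was taken from; pass LDNS_SECTION_ANSWER for rrsets that are not part of a reply (trust anchors).` and `@param qstate: query state whose region is used during verification; must not be NULL.` Both wordings are inferred from the call sites and need confirming against the implementation, which is not in this section. The same `qstate` line is repeated on each of the DNSKEY verification prototypes and should be updated there too.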
571571 }
572572
573573 /* Verify the answer rrset */
574 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
574 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
575 LDNS_SECTION_ANSWER, qstate);
575576 /* If the (answer) rrset failed to validate, then this
576577 * message is BAD. */
577578 if(sec != sec_status_secure) {
600601 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
601602 chase_reply->ns_numrrsets; i++) {
602603 s = chase_reply->rrsets[i];
603 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
604 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
605 LDNS_SECTION_AUTHORITY, qstate);
604606 /* If anything in the authority section fails to be secure,
605607 * we have a bad message. */
606608 if(sec != sec_status_secure) {
628630 val_find_rrset_signer(s, &sname, &slen);
629631 if(sname && query_dname_compare(sname, key_entry->name)==0)
630632 (void)val_verify_rrset_entry(env, ve, s, key_entry,
631 &reason);
633 &reason, LDNS_SECTION_ADDITIONAL, qstate);
632634 /* the additional section can fail to be secure,
633635 * it is optional, check signature in case we need
634636 * to clean the additional section later. */
24832485 /* attempt to verify with trust anchor DS and DNSKEY */
24842486 kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve,
24852487 dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
2486 &reason);
2488 &reason, qstate);
24872489 if(!kkey) {
24882490 log_err("out of memory: verifying prime TA");
24892491 return NULL;
25732575 /* Verify only returns BOGUS or SECURE. If the rrset is
25742576 * bogus, then we are done. */
25752577 sec = val_verify_rrset_entry(qstate->env, ve, ds,
2576 vq->key_entry, &reason);
2578 vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
25772579 if(sec != sec_status_secure) {
25782580 verbose(VERB_DETAIL, "DS rrset in DS response did "
25792581 "not verify");
26202622 /* Try to prove absence of the DS with NSEC */
26212623 sec = val_nsec_prove_nodata_dsreply(
26222624 qstate->env, ve, qinfo, msg->rep, vq->key_entry,
2623 &proof_ttl, &reason);
2625 &proof_ttl, &reason, qstate);
26242626 switch(sec) {
26252627 case sec_status_secure:
26262628 verbose(VERB_DETAIL, "NSEC RRset for the "
26482650
26492651 sec = nsec3_prove_nods(qstate->env, ve,
26502652 msg->rep->rrsets + msg->rep->an_numrrsets,
2651 msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
2653 msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason,
2654 qstate);
26522655 switch(sec) {
26532656 case sec_status_insecure:
26542657 /* case insecure also continues to unsigned
27092712 goto return_bogus;
27102713 }
27112714 sec = val_verify_rrset_entry(qstate->env, ve, cname,
2712 vq->key_entry, &reason);
2715 vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
27132716 if(sec == sec_status_secure) {
27142717 verbose(VERB_ALGO, "CNAME validated, "
27152718 "proof that DS does not exist");
28752878 }
28762879 downprot = qstate->env->cfg->harden_algo_downgrade;
28772880 vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
2878 ve, dnskey, vq->ds_rrset, downprot, &reason);
2881 ve, dnskey, vq->ds_rrset, downprot, &reason, qstate);
28792882
28802883 if(!vq->key_entry) {
28812884 log_err("out of memory in verify new DNSKEYs");
29512954 }
29522955
29532956 if(ta->autr) {
2954 if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
2957 if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
2958 qstate)) {
29552959 /* trust anchor revoked, restart with less anchors */
29562960 vq->state = VAL_INIT_STATE;
29572961 vq->trust_anchor_name = NULL;