From owner-svn-src-all@FreeBSD.ORG Sat Mar 21 21:37:06 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97F62106564A; Sat, 21 Mar 2009 21:37:06 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 7CBCE8FC18; Sat, 21 Mar 2009 21:37:06 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n2LLb6Hq047597; Sat, 21 Mar 2009 21:37:06 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n2LLb6db047594; Sat, 21 Mar 2009 21:37:06 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <200903212137.n2LLb6db047594@svn.freebsd.org> From: Doug Barton Date: Sat, 21 Mar 2009 21:37:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org X-SVN-Group: vendor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r190218 - in vendor/bind9/dist: . lib/dns X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Mar 2009 21:37:07 -0000 Author: dougb Date: Sat Mar 21 21:37:05 2009 New Revision: 190218 URL: http://svn.freebsd.org/changeset/base/190218 Log: Vendor import of BIND 9.4.3-P2 Modified: vendor/bind9/dist/CHANGES vendor/bind9/dist/lib/dns/validator.c vendor/bind9/dist/version Modified: vendor/bind9/dist/CHANGES ============================================================================== --- vendor/bind9/dist/CHANGES Sat Mar 21 21:16:05 2009 (r190217) +++ vendor/bind9/dist/CHANGES Sat Mar 21 21:37:05 2009 (r190218) @@ -1,3 +1,8 @@ + --- 9.4.3-P2 released --- + +2579. [bug] DNSSEC lookaside validation failed to handle unknown + algorithms. [RT #19479] + --- 9.4.3-P1 released --- 2522. [security] Handle -1 from DSA_do_verify(). Modified: vendor/bind9/dist/lib/dns/validator.c ============================================================================== --- vendor/bind9/dist/lib/dns/validator.c Sat Mar 21 21:16:05 2009 (r190217) +++ vendor/bind9/dist/lib/dns/validator.c Sat Mar 21 21:37:05 2009 (r190218) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.119.18.41 2008/08/21 04:59:42 marka Exp $ */ +/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */ /*! \file */ @@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) { return (ISC_TRUE); } +/* + * Check that we have atleast one supported algorithm in the DLV RRset. + */ +static inline isc_boolean_t +dlv_algorithm_supported(dns_validator_t *val) { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_dlv_t dlv; + isc_result_t result; + + for (result = dns_rdataset_first(&val->dlv); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&val->dlv)) { + dns_rdata_reset(&rdata); + dns_rdataset_current(&val->dlv, &rdata); + result = dns_rdata_tostruct(&rdata, &dlv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + if (!dns_resolver_algorithm_supported(val->view->resolver, + val->event->name, + dlv.algorithm)) + continue; + + if (dlv.digest_type != DNS_DSDIGEST_SHA256 && + dlv.digest_type != DNS_DSDIGEST_SHA1) + continue; + + return (ISC_TRUE); + } + return (ISC_FALSE); +} + /*% * Look in the NSEC record returned from a DS query to see if there is * a NS RRset at this name. If it is found we are at a delegation point. @@ -2297,19 +2328,36 @@ dlvfetched(isc_task_t *task, isc_event_t sizeof(namebuf)); dns_rdataset_clone(&val->frdataset, &val->dlv); val->havedlvsep = ISC_TRUE; - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); - dlv_validator_start(val); + if (dlv_algorithm_supported(val)) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", + namebuf); + dlv_validator_start(val); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found with no supported algorithms", + namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NXDOMAIN || eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_NCACHENXDOMAIN) { - result = finddlvsep(val, ISC_TRUE); + result = finddlvsep(val, ISC_TRUE); if (result == ISC_R_SUCCESS) { - dns_name_format(dns_fixedname_name(&val->dlvsep), - namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", - namebuf); - dlv_validator_start(val); + if (dlv_algorithm_supported(val)) { + dns_name_format(dns_fixedname_name(&val->dlvsep), + namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found", namebuf); + dlv_validator_start(val); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "DLV %s found with no supported " + "algorithms", namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } } else if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); markanswer(val); @@ -2372,9 +2420,16 @@ startfinddlvsep(dns_validator_t *val, dn } dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); - dlv_validator_start(val); - return (DNS_R_WAIT); + if (dlv_algorithm_supported(val)) { + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); + dlv_validator_start(val); + return (DNS_R_WAIT); + } + validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " + "algorithms", namebuf); + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } /*% Modified: vendor/bind9/dist/version ============================================================================== --- vendor/bind9/dist/version Sat Mar 21 21:16:05 2009 (r190217) +++ vendor/bind9/dist/version Sat Mar 21 21:37:05 2009 (r190218) @@ -1,4 +1,4 @@ -# $Id: version,v 1.29.134.23.2.1 2008/12/24 00:21:22 marka Exp $ +# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=4 PATCHVER=3 RELEASETYPE=-P -RELEASEVER=1 +RELEASEVER=2