Diffstat (limited to 'external/unbound/validator')
-rw-r--r-- | external/unbound/validator/autotrust.c | 10 | ||||
-rw-r--r-- | external/unbound/validator/val_anchor.c | 20 | ||||
-rw-r--r-- | external/unbound/validator/val_kentry.c | 4 | ||||
-rw-r--r-- | external/unbound/validator/val_neg.c | 4 | ||||
-rw-r--r-- | external/unbound/validator/val_nsec3.c | 2 | ||||
-rw-r--r-- | external/unbound/validator/val_secalgo.c | 9 | ||||
-rw-r--r-- | external/unbound/validator/val_sigcrypt.c | 12 | ||||
-rw-r--r-- | external/unbound/validator/val_utils.c | 12 | ||||
-rw-r--r-- | external/unbound/validator/val_utils.h | 7 | ||||
-rw-r--r-- | external/unbound/validator/validator.c | 65 |
10 files changed, 117 insertions, 28 deletions
diff --git a/external/unbound/validator/autotrust.c b/external/unbound/validator/autotrust.c
index 5e1dc4ef3..bb5723468 100644
--- a/external/unbound/validator/autotrust.c
+++ b/external/unbound/validator/autotrust.c
@@ -57,11 +57,11 @@
 #include "services/mesh.h"
 #include "services/cache/rrset.h"
 #include "validator/val_kcache.h"
-#include "ldns/sbuffer.h"
-#include "ldns/wire2str.h"
-#include "ldns/str2wire.h"
-#include "ldns/keyraw.h"
-#include "ldns/rrdef.h"
+#include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
+#include "sldns/str2wire.h"
+#include "sldns/keyraw.h"
+#include "sldns/rrdef.h"
 #include <stdarg.h>
 #include <ctype.h>
diff --git a/external/unbound/validator/val_anchor.c b/external/unbound/validator/val_anchor.c
index 3a67fff45..845b54a2e 100644
--- a/external/unbound/validator/val_anchor.c
+++ b/external/unbound/validator/val_anchor.c
@@ -48,9 +48,9 @@
 #include "util/log.h"
 #include "util/net_help.h"
 #include "util/config_file.h"
-#include "ldns/sbuffer.h"
-#include "ldns/rrdef.h"
-#include "ldns/str2wire.h"
+#include "sldns/sbuffer.h"
+#include "sldns/rrdef.h"
+#include "sldns/str2wire.h"
 #ifdef HAVE_GLOB_H
 #include <glob.h>
 #endif
@@ -882,14 +882,14 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
 memset(pd, 0, sizeof(*pd));
 pd->count = num;
 pd->trust = rrset_trust_ultimate;
- pd->rr_len = (size_t*)malloc(num*sizeof(size_t));
+ pd->rr_len = (size_t*)reallocarray(NULL, num, sizeof(size_t));
 if(!pd->rr_len) {
 free(pd);
 free(pkey->rk.dname);
 free(pkey);
 return NULL;
 }
- pd->rr_ttl = (time_t*)malloc(num*sizeof(time_t));
+ pd->rr_ttl = (time_t*)reallocarray(NULL, num, sizeof(time_t));
 if(!pd->rr_ttl) {
 free(pd->rr_len);
 free(pd);
@@ -897,7 +897,7 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
 free(pkey);
 return NULL;
 }
- pd->rr_data = (uint8_t**)malloc(num*sizeof(uint8_t*));
+ pd->rr_data = (uint8_t**)reallocarray(NULL, num, sizeof(uint8_t*));
 if(!pd->rr_data) {
 free(pd->rr_ttl);
 free(pd->rr_len);
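Review bot: The three `reallocarray(NULL, num, sizeof(...))` calls in assemble_it now carry the `num * size` overflow check, so the fix is only as good as the reallocarray the build links against. The diffstat here is limited to validator/, so a fallback for platforms without reallocarray is not visible; if one exists it needs the same multiplication check, otherwise the old `malloc(num*sizeof(...))` wrap-around comes back. A short comment such as `/* reallocarray: overflow-checked num*size */` above the first call would record why malloc was replaced. The function body starts and ends outside these two hunks.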
@@ -1020,7 +1020,13 @@ anchors_assemble_rrsets(struct val_anchors* anchors)
 dname_str(ta->name, b);
 log_warn("trust anchor %s has no supported algorithms,"
 " the anchor is ignored (check if you need to"
- " upgrade unbound and openssl)", b);
+ " upgrade unbound and "
+#ifdef HAVE_LIBRESSL
+ "libressl"
+#else
+ "openssl"
+#endif
+ ")", b);
 (void)rbtree_delete(anchors->tree, &ta->node);
 lock_basic_unlock(&ta->lock);
 anchors_delfunc(&ta->node, NULL);
diff --git a/external/unbound/validator/val_kentry.c b/external/unbound/validator/val_kentry.c
index f99f18e89..93fe2145e 100644
--- a/external/unbound/validator/val_kentry.c
+++ b/external/unbound/validator/val_kentry.c
@@ -45,8 +45,8 @@
 #include "util/storage/lookup3.h"
 #include "util/regional.h"
 #include "util/net_help.h"
-#include "ldns/rrdef.h"
-#include "ldns/keyraw.h"
+#include "sldns/rrdef.h"
+#include "sldns/keyraw.h"
 size_t
 key_entry_sizefunc(void* key, void* data)
diff --git a/external/unbound/validator/val_neg.c b/external/unbound/validator/val_neg.c
index 1d7a5c56e..b1ff8d9a1 100644
--- a/external/unbound/validator/val_neg.c
+++ b/external/unbound/validator/val_neg.c
@@ -59,8 +59,8 @@
 #include "util/config_file.h"
 #include "services/cache/rrset.h"
 #include "services/cache/dns.h"
-#include "ldns/rrdef.h"
-#include "ldns/sbuffer.h"
+#include "sldns/rrdef.h"
+#include "sldns/sbuffer.h"
 int val_neg_data_compare(const void* a, const void* b)
 {
diff --git a/external/unbound/validator/val_nsec3.c b/external/unbound/validator/val_nsec3.c
index 548daf2bf..80ca4d0ba 100644
--- a/external/unbound/validator/val_nsec3.c
+++ b/external/unbound/validator/val_nsec3.c
@@ -62,7 +62,7 @@
 #include "util/data/msgreply.h"
 /* we include nsec.h for the bitmap_has_type function */
 #include "validator/val_nsec.h"
-#include "ldns/sbuffer.h"
+#include "sldns/sbuffer.h"
 /**
 * This function we get from ldns-compat or from base system
diff --git a/external/unbound/validator/val_secalgo.c b/external/unbound/validator/val_secalgo.c
index d89675f83..8ed403dfc 100644
--- a/external/unbound/validator/val_secalgo.c
+++ b/external/unbound/validator/val_secalgo.c
@@ -41,12 +41,13 @@
 * and do the library calls (for the crypto library in use).
 */
 #include "config.h"
-#include "validator/val_secalgo.h"
+/* packed_rrset on top to define enum types (forced by c99 standard) */
 #include "util/data/packed_rrset.h"
+#include "validator/val_secalgo.h"
 #include "util/log.h"
-#include "ldns/rrdef.h"
-#include "ldns/keyraw.h"
-#include "ldns/sbuffer.h"
+#include "sldns/rrdef.h"
+#include "sldns/keyraw.h"
+#include "sldns/sbuffer.h"
 #if !defined(HAVE_SSL) && !defined(HAVE_NSS)
 #error "Need crypto library to do digital signature cryptography"
diff --git a/external/unbound/validator/val_sigcrypt.c b/external/unbound/validator/val_sigcrypt.c
index 5a4d0f471..7c643cab1 100644
--- a/external/unbound/validator/val_sigcrypt.c
+++ b/external/unbound/validator/val_sigcrypt.c
@@ -51,10 +51,10 @@
 #include "util/module.h"
 #include "util/net_help.h"
 #include "util/regional.h"
-#include "ldns/keyraw.h"
-#include "ldns/sbuffer.h"
-#include "ldns/parseutil.h"
-#include "ldns/wire2str.h"
+#include "sldns/keyraw.h"
+#include "sldns/sbuffer.h"
+#include "sldns/parseutil.h"
+#include "sldns/wire2str.h"
 #include <ctype.h>
 #if !defined(HAVE_SSL) && !defined(HAVE_NSS)
@@ -1079,6 +1079,8 @@ int rrset_canonical_equal(struct regional* region,
 fd.rr_data = fdata;
 rbtree_init(&sortree1, &canonical_tree_compare);
 rbtree_init(&sortree2, &canonical_tree_compare);
+ if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX)
+ return 1; /* protection against integer overflow */
 rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count);
 rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count);
 if(!rrs1 || !rrs2) return 1; /* alloc failure */
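Review bot: The new `RR_COUNT_MAX` guard in rrset_canonical_equal returns 1, the same value the alloc-failure path below it returns, so an oversized rrset is reported with whatever meaning 1 has for callers. If 1 means "equal", as the function name suggests, that is the permissive direction for a comparison; consider `return 0;` there, or extend the comment to `/* protection against integer overflow; reported like alloc failure */` so the choice is explicit. `RR_COUNT_MAX` is defined outside this diff, and the function body continues outside the hunk.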
@@ -1135,6 +1137,8 @@ rrset_canonical(struct regional* region, sldns_buffer* buf,
 sizeof(rbtree_t));
 if(!*sortree)
 return 0;
+ if(d->count > RR_COUNT_MAX)
+ return 0; /* integer overflow protection */
 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
 if(!rrs) {
 *sortree = NULL;
diff --git a/external/unbound/validator/val_utils.c b/external/unbound/validator/val_utils.c
index ecf2dfaf0..475b0c905 100644
--- a/external/unbound/validator/val_utils.c
+++ b/external/unbound/validator/val_utils.c
@@ -846,6 +846,18 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 chase->ar_numrrsets;
 }
+void val_reply_remove_auth(struct reply_info* rep, size_t index)
+{
+ log_assert(index < rep->rrset_count);
+ log_assert(index >= rep->an_numrrsets);
+ log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
+ memmove(rep->rrsets+index, rep->rrsets+index+1,
+ sizeof(struct ub_packed_rrset_key*)*
+ (rep->rrset_count - index - 1));
+ rep->ns_numrrsets--;
+ rep->rrset_count--;
+}
+
 void
 val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 {
diff --git a/external/unbound/validator/val_utils.h b/external/unbound/validator/val_utils.h
index b0344eff7..cdb87697e 100644
--- a/external/unbound/validator/val_utils.h
+++ b/external/unbound/validator/val_utils.h
@@ -295,6 +295,13 @@ void val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
 /**
+ * Remove rrset with index from reply, from the authority section.
+ * @param rep: reply to remove it from.
+ * @param index: rrset to remove, must be in the authority section.
+ */
+void val_reply_remove_auth(struct reply_info* rep, size_t index);
+
+/**
 * Remove all unsigned or non-secure status rrsets from NS and AR sections.
 * So that unsigned data does not get let through to clients, when we have
 * found the data to be secure.
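Review bot: In rrset_canonical the added `d->count > RR_COUNT_MAX` return leaves `*sortree` set to the tree that was just allocated, while the alloc-failure path right below it sets `*sortree = NULL` before it returns 0. Presumably callers treat a non-NULL `*sortree` as already built, so the guard should either reset it, `if(d->count > RR_COUNT_MAX) { *sortree = NULL; return 0; }`, or move above the allocation of `*sortree`. The function starts and continues outside the hunk, so the allocation condition is only partly visible.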
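Review bot: val_reply_remove_auth checks its index only with `log_assert`, and if those asserts are compiled out in release builds (not visible here) an index at or beyond `rep->rrset_count` makes `rep->rrset_count - index - 1` wrap to a huge `size_t` that is passed to `memmove`. A runtime guard before the memmove, `if(index >= rep->rrset_count || index < rep->an_numrrsets || index >= rep->an_numrrsets+rep->ns_numrrsets) return;`, keeps the precondition enforced in every build. The same guard also stops `rep->ns_numrrsets--` from wrapping when the authority section is empty.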
diff --git a/external/unbound/validator/validator.c b/external/unbound/validator/validator.c
index 9d5d5c390..a02525fee 100644
--- a/external/unbound/validator/validator.c
+++ b/external/unbound/validator/validator.c
@@ -58,8 +58,8 @@
 #include "util/regional.h"
 #include "util/config_file.h"
 #include "util/fptr_wlist.h"
-#include "ldns/rrdef.h"
-#include "ldns/wire2str.h"
+#include "sldns/rrdef.h"
+#include "sldns/wire2str.h"
 /* forward decl for cache response and normal super inform calls of a DS */
 static void process_ds_response(struct module_qstate* qstate,
@@ -226,6 +226,8 @@ val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq)
 sizeof(struct reply_info) - sizeof(struct rrset_ref));
 if(!vq->chase_reply)
 return NULL;
+ if(vq->orig_msg->rep->rrset_count > RR_COUNT_MAX)
+ return NULL; /* protect against integer overflow */
 vq->chase_reply->rrsets = regional_alloc_init(qstate->region,
 vq->orig_msg->rep->rrsets, sizeof(struct ub_packed_rrset_key*)
 * vq->orig_msg->rep->rrset_count);
@@ -574,6 +576,61 @@ detect_wrongly_truncated(struct reply_info* rep)
 return 1;
 }
+/**
+ * For messages that are not referrals, if the chase reply contains an
+ * unsigned NS record in the authority section it could have been
+ * inserted by a (BIND) forwarder that thinks the zone is insecure, and
+ * that has an NS record without signatures in cache. Remove the NS
+ * record since the reply does not hinge on that record (in the authority
+ * section), but do not remove it if it removes the last record from the
+ * answer+authority sections.
+ * @param chase_reply: the chased reply, we have a key for this contents,
+ * so we should have signatures for these rrsets and not having
+ * signatures means it will be bogus.
+ * @param orig_reply: original reply, remove NS from there as well because
+ * we cannot mark the NS record as DNSSEC valid because it is not
+ * validated by signatures.
+ */
+static void
+remove_spurious_authority(struct reply_info* chase_reply,
+ struct reply_info* orig_reply)
+{
+ size_t i, found = 0;
+ int remove = 0;
+ /* if no answer and only 1 auth RRset, do not remove that one */
+ if(chase_reply->an_numrrsets == 0 && chase_reply->ns_numrrsets == 1)
+ return;
+ /* search authority section for unsigned NS records */
+ for(i = chase_reply->an_numrrsets;
+ i < chase_reply->an_numrrsets+chase_reply->ns_numrrsets; i++) {
+ struct packed_rrset_data* d = (struct packed_rrset_data*)
+ chase_reply->rrsets[i]->entry.data;
+ if(ntohs(chase_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS
+ && d->rrsig_count == 0) {
+ found = i;
+ remove = 1;
+ break;
+ }
+ }
+ /* see if we found the entry */
+ if(!remove) return;
+ log_rrset_key(VERB_ALGO, "Removing spurious unsigned NS record "
+ "(likely inserted by forwarder)", chase_reply->rrsets[found]);
+
+ /* find rrset in orig_reply */
+ for(i = orig_reply->an_numrrsets;
+ i < orig_reply->an_numrrsets+orig_reply->ns_numrrsets; i++) {
+ if(ntohs(orig_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS
+ && query_dname_compare(orig_reply->rrsets[i]->rk.dname,
+ chase_reply->rrsets[found]->rk.dname) == 0) {
+ /* remove from orig_msg */
+ val_reply_remove_auth(orig_reply, i);
+ break;
+ }
+ }
+ /* remove rrset from chase_reply */
+ val_reply_remove_auth(chase_reply, found);
+}
 /**
 * Given a "positive" response -- a response that contains an answer to the
@@ -1642,6 +1699,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
 }
 subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
 &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
+ if(subtype != VAL_CLASS_REFERRAL)
+ remove_spurious_authority(vq->chase_reply, vq->orig_msg->rep);
 /* check signatures in the message;
 * answer and authority must be valid, additional is only checked. */
@@ -2295,7 +2354,7 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
 struct key_entry_key* kkey = NULL;
 enum sec_status sec = sec_status_unchecked;
 char* reason = NULL;
- int downprot = 1;
+ int downprot = qstate->env->cfg->harden_algo_downgrade;
 if(!dnskey_rrset) {
 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " |
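Review bot: The second loop in remove_spurious_authority picks the rrset to delete from `orig_reply` by type NS and owner name only, so it does not confirm the class or that the entry is the unsigned one found in `chase_reply`. Adding `&& orig_reply->rrsets[i]->rk.rrset_class == chase_reply->rrsets[found]->rk.rrset_class` to the condition would tie the two removals together. When no match is found the NS rrset stays in `orig_reply` without any log line; a comment saying that this is intended, or a VERB_ALGO message, would help whoever debugs a reply that differs between the two structures.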
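Review bot: `downprot` in primeResponseToKE was the constant 1 and now comes from `qstate->env->cfg->harden_algo_downgrade`, so algorithm-downgrade protection during trust anchor priming can be switched off by configuration. The default of that option and its documentation are outside this diff; a comment on the line, for example `/* 0 disables algorithm downgrade protection for the primed DNSKEY set */`, would make the security effect visible at the point of use. The function body continues outside the hunk.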