+10 February 2009: Wouter
+ - keys with rfc5011 REVOKE flag are skipped and not considered when
+ validating data.
+
6 February 2009: Wouter
- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
- iana portlist updated.
interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
o local-zone directive with authority service, full authority server
is a non-goal.
+o remote control read ssl information while priviledged.
-o make so revoke bit keys cannot verify signatures
-
o infra and lame cache: easier size config (in Mb), show usage in graphs.
o #226: unbound_control dump_requestlist
o #227: unbound_control flush_stats
o config entry to denote that a zone is to be treated as unsigned (even if
a DS exists to higher trust anchor).
o see if we can include the python bindings (contrib).
-o remote control read ssl information while priviledged.
+o include cacti setup (contrib)
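Review bot: the TODO entry re-added higher up as "remote control read ssl information while priviledged." keeps the misspelling "priviledged"; since the line is being moved anyway, correct it to "privileged". Dropping "make so revoke bit keys cannot verify signatures" is consistent with the 10 February Changelog entry, so no other change is needed here.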
verifytest_file("testdata/test_signatures.10", "20070829144150");
#endif
verifytest_file("testdata/test_signatures.12", "20090107100022");
+ verifytest_file("testdata/test_signatures.13", "20080414005004");
dstest_file("testdata/test_ds_sig.1");
nsectest();
nsec3_hash_test("testdata/test_nsec3_hash.1");
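Review bot: the added verifytest_file call for testdata/test_signatures.13 has no comment marking it as the RFC 5011 revoked-key case, so the list gives no hint why this file exists or why its date differs from the others. The time string 20080414005004 lies inside the RRSIG validity window used in the new test file (inception 20080410122550, expiration 20081010000000), so the signature is not rejected on dates; a one-line comment next to the call saying this would document the intent.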
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+
+; DNSKEY is revoked.
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 31027 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+bogus.example.com. IN SOA
+SECTION ANSWER
+example.com. 43200 IN SOA home.kuroiwa.eng.br. hostmaster.cesar.sec3.br. 2008040903 86400 86400 8640000 600
+example.com. 43200 IN RRSIG SOA 5 2 43200 20081010000000 20080410122550 31027 example.com. af7nqRak6cEeQLytqLHMIUKPsOECA4Cu/Zpm7vdnKSh2q2+/8ZwIxwHLyCEGdiu/mTYffZEHTZytJyzxnB0oxA== ;{id = 31027}
+ENTRY_END
+
+
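Review bot: the new test file never states the expected result or the reason for it; the only hints are "; DNSKEY is revoked." and the owner name bogus.example.com in the question. Flags 384 is 256 (zone key) plus 128 (the RFC 5011 REVOKE bit), yet the trailing comment on the DNSKEY line still reads "(zsk)" with no mention of revocation. Suggest a comment on the entry to test saying the RRSIG must fail to verify because the only key with tag 31027 is revoked, and consider a further case where the DNSKEY rrset holds both a revoked and a non-revoked key, so the test also shows that skipping does not reject data signed by a good key.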
if(algo != dnskey_get_algo(dnskey, i) ||
tag != dnskey_calc_keytag(dnskey, i))
continue;
-
numchecked ++;
+ /* skip revoked keys */
+ if(dnskey_get_flags(dnskey, i) & LDNS_KEY_REVOKE_KEY)
+ continue;
+
/* see if key verifies */
sec = dnskey_verify_rrset_sig(env->scratch,
env->scratch_buffer, ve, now, rrset, dnskey, i,
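Review bot: the revoked-key check sits after "numchecked ++;", so a revoked key whose algorithm and tag match is still counted as checked even though dnskey_verify_rrset_sig is never called for it. If the code after the loop (not visible in this hunk) uses numchecked to tell "no matching key" apart from "keys tried but none verified", an rrset signed only by a revoked key will be reported as the latter. Either move the check above the increment or extend the "/* skip revoked keys */" comment to say the counting is intended and why.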