From: Wouter Wijngaards
Date: Tue, 10 Feb 2009 13:01:38 +0000 (+0000)
Subject: Do not validate with revoked keys.
X-Git-Tag: release-1.3.0~152
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b182b66e0e3237d8b105d434d3abb828bc651538;p=thirdparty%2Funbound.git
Do not validate with revoked keys.
git-svn-id: file:///svn/unbound/trunk@1471 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 2c74684ea..8bc7913d8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+10 February 2009: Wouter
+ - keys with rfc5011 REVOKE flag are skipped and not considered when
+ validating data.
+
 6 February 2009: Wouter
 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
 - iana portlist updated.
diff --git a/doc/TODO b/doc/TODO
index 21d1a49e4..2729d7298 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -56,9 +56,8 @@ o on windows version, implement that OS ancillary data capabilities for interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
 o local-zone directive with authority service, full authority server is a non-goal.
+o remote control read ssl information while priviledged.
-o make so revoke bit keys cannot verify signatures
-
 o infra and lame cache: easier size config (in Mb), show usage in graphs.
 o #226: unbound_control dump_requestlist
 o #227: unbound_control flush_stats
@@ -67,4 +66,4 @@ o unbound_control forward [addr {addr}] | [off]
 o config entry to denote that a zone is to be treated as unsigned (even if a DS exists to higher trust anchor).
 o see if we can include the python bindings (contrib).
-o remote control read ssl information while priviledged.
+o include cacti setup (contrib)
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 1c257fea8..857783aee 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -482,6 +482,7 @@ verify_test()
 verifytest_file("testdata/test_signatures.10", "20070829144150");
 #endif
 verifytest_file("testdata/test_signatures.12", "20090107100022");
+ verifytest_file("testdata/test_signatures.13", "20080414005004");
 dstest_file("testdata/test_ds_sig.1");
 nsectest();
 nsec3_hash_test("testdata/test_nsec3_hash.1");
diff --git a/testdata/test_signatures.13 b/testdata/test_signatures.13
new file mode 100644
index 000000000..c09679d27
--- /dev/null
+++ b/testdata/test_signatures.13
@@ -0,0 +1,24 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+
+; DNSKEY is revoked.
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 31027 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+bogus.example.com. IN SOA
+SECTION ANSWER
+example.com. 43200 IN SOA home.kuroiwa.eng.br. hostmaster.cesar.sec3.br. 2008040903 86400 86400 8640000 600
+example.com. 43200 IN RRSIG SOA 5 2 43200 20081010000000 20080410122550 31027 example.com. af7nqRak6cEeQLytqLHMIUKPsOECA4Cu/Zpm7vdnKSh2q2+/8ZwIxwHLyCEGdiu/mTYffZEHTZytJyzxnB0oxA== ;{id = 31027}
+ENTRY_END
+
+
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index ff6fcefa5..f0b4c70d5 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -523,8 +523,11 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 if(algo != dnskey_get_algo(dnskey, i) || tag != dnskey_calc_keytag(dnskey, i))
 continue;
- numchecked ++;
+ /* skip revoked keys */
+ if(dnskey_get_flags(dnskey, i) & LDNS_KEY_REVOKE_KEY)
+ continue;
+ /* see if key verifies */
 sec = dnskey_verify_rrset_sig(env->scratch, env->scratch_buffer, ve, now, rrset, dnskey, i,
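Review bot: The new fixture `testdata/test_signatures.13` covers only a DNSKEY set whose single key has the REVOKE bit set (flags 384), so the added `verifytest_file(...)` call checks the rejection path but not that validation still succeeds when a revoked key sits next to a usable one. A second fixture with one revoked and one non-revoked DNSKEY, with the RRSIG made by the non-revoked key, would pin that the skip in `dnskeyset_verify_rrset_sig` does not turn valid data bogus. How `verifytest_file` decides the expected outcome is not visible here; presumably the `bogus.` prefix in the question name marks the entry as expected to fail, and a fixture comment such as `; expected: bogus, the only matching key is revoked` would make that explicit. `verify_test()` begins and ends outside the hunk.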
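Review bot: In the key loop of `dnskeyset_verify_rrset_sig`, a signature whose only matching key is revoked now fails with no trace of why: the skip neither logs nor records a reason, and as this hunk is rendered `numchecked ++;` appears to be removed with no replacement (the collapsed layout leaves that marker ambiguous). If code after the loop, which is outside this hunk, still tests `numchecked`, every failure would be reported as having no matching key, which hides real signature failures from anyone reading the validator log. I would keep `numchecked ++;` directly after the revoke test and log the skip, so "signed only by a revoked key" can be told apart from "signature did not verify". Separately, RFC 5011 processing has to verify a revoked key's own signature over the DNSKEY set, so a comment such as `/* skip revoked keys (RFC 5011): never used to validate data; revocation self-signatures need a separate path */` would steer later trust-anchor code away from this function.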