resolved: when following a CNAME initialize authenticated bit by the weakest answer
authorLennart Poettering <lennart@poettering.net>
Wed, 8 Feb 2017 18:22:49 +0000 (19:22 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 15:13:07 +0000 (16:13 +0100)
When following a CNAME chain, don't set the authenticated bit, unless
all lookups in the chain could be authenticated.

src/resolve/resolved-bus.c
src/resolve/resolved-dns-query.c
src/resolve/resolved-dns-query.h
src/resolve/resolved-dns-stub.c

index 2ca65e695369222e08b2be5ea226cde1bf66784c..2c501093882635e605af5e2857fcc3bcc34dcabc 100644 (file)
@@ -211,7 +211,7 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {
         r = sd_bus_message_append(
                         reply, "st",
                         normalized,
-                        SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
+                        SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
         if (r < 0)
                 goto finish;
 
@@ -439,7 +439,7 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
         if (r < 0)
                 goto finish;
 
-        r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
+        r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
         if (r < 0)
                 goto finish;
 
@@ -605,7 +605,7 @@ static void bus_method_resolve_record_complete(DnsQuery *q) {
         if (r < 0)
                 goto finish;
 
-        r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
+        r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
         if (r < 0)
                 goto finish;
 
@@ -979,7 +979,7 @@ static void resolve_service_all_complete(DnsQuery *q) {
                         reply,
                         "ssst",
                         name, type, domain,
-                        SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
+                        SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
         if (r < 0)
                 goto finish;
 
index 39fb213cbccdf009e47e7f862bc8e4379075b5c8..c58845c3b60fe24396b44345eb41a31d1dd36f6a 100644 (file)
@@ -1029,6 +1029,9 @@ int dns_query_process_cname(DnsQuery *q) {
         if (q->flags & SD_RESOLVED_NO_CNAME)
                 return -ELOOP;
 
+        if (!q->answer_authenticated)
+                q->previous_redirect_unauthenticated = true;
+
         /* OK, let's actually follow the CNAME */
         r = dns_query_cname_redirect(q, cname);
         if (r < 0)
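Review bot: Correctness of the new check at the top of this hunk depends on `previous_redirect_unauthenticated` being false when the DnsQuery is created, and no hunk in this commit initializes it — that is fine if query objects are zero-allocated (e.g. with new0()), otherwise dns_query_new() needs an explicit initializer, which cannot be confirmed from here. The flag is deliberately sticky: once any hop of the chain is seen unauthenticated it is never cleared, so a later authenticated hop cannot upgrade the final result; that intent deserves a line above the check, `/* Remember that at least one hop of the CNAME chain was not authenticated; the final answer can never be stronger than its weakest link. */`. dns_query_process_cname's body starts and ends outside the hunk.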
@@ -1116,3 +1119,9 @@ const char *dns_query_string(DnsQuery *q) {
 
         return dns_question_first_name(q->question_idna);
 }
+
+bool dns_query_fully_authenticated(DnsQuery *q) {
+        assert(q);
+
+        return q->answer_authenticated && !q->previous_redirect_unauthenticated;
+}
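Review bot: The new accessor has no comment explaining how it differs from reading `q->answer_authenticated` directly, which the rest of the file still exposes, so a future caller may pick the wrong one. Suggest a header comment on the definition: `/* True only if the final answer *and* every CNAME redirect that led to it were DNSSEC-authenticated; callers reporting an "authenticated" flag to clients should use this, not answer_authenticated alone. */`. The function is complete within the hunk.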
index 8f378999d659cd6357695e9a79a4fea210a6f683..b8ea48f6afcd7fa4b8d79f55a17dc00bb0d0ea5a 100644 (file)
@@ -89,6 +89,7 @@ struct DnsQuery {
         int answer_family;
         DnsSearchDomain *answer_search_domain;
         int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
+        bool previous_redirect_unauthenticated;
 
         /* Bus client information */
         sd_bus_message *request;
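Review bot: The new field is added without a comment, unlike the neighbouring `answer_errno`, which documents when it is meaningful. Suggest `bool previous_redirect_unauthenticated; /* set when any CNAME redirect in the chain came from an unauthenticated answer; never cleared */`, so the weakest-link semantics are visible at the declaration. struct DnsQuery starts before and ends after the hunk.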
@@ -139,3 +140,5 @@ DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol);
 const char *dns_query_string(DnsQuery *q);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
+
+bool dns_query_fully_authenticated(DnsQuery *q);
index 77ee7e97dbbfe68dbeda89afe8f2f58bfcc61e34..9376b0fe4c5856e382d06343bd54d26341f4f407 100644 (file)
@@ -214,7 +214,7 @@ static void dns_stub_query_complete(DnsQuery *q) {
                                 q->answer_rcode,
                                 !!q->request_dns_packet->opt,
                                 DNS_PACKET_DO(q->request_dns_packet),
-                                DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated);
+                                DNS_PACKET_DO(q->request_dns_packet) && dns_query_fully_authenticated(q));
                 if (r < 0) {
                         log_debug_errno(r, "Failed to finish reply packet: %m");
                         break;