memset(&vctx->rrs_counters, 0, sizeof(vctx->rrs_counters));
for (unsigned i = 0; i < vctx->keys->rrs.count; ++i) {
int ret = kr_rrset_validate_with_key(vctx, covered, i, NULL);
- if (ret == 0) {
+ if (ret == 0 || ret == kr_error(E2BIG)) {
return ret;
}
}
}
for (ssize_t i = 0; i < ctx->keys.len; ++i) {
kr_svldr_rrset_with_key(rrs, rrsigs, &ctx->vctx, &ctx->keys.at[i]);
- if (ctx->vctx.result == 0)
+ if (ctx->vctx.result == 0 || ctx->vctx.result == kr_error(E2BIG))
break;
}
return ctx->vctx.result;
}
}
if (!check_crypto_limit(vctx)) {
+ vctx->result = kr_error(E2BIG);
goto finish;
}
if (kr_check_signature(rdata_j, key, covered, trim_labels) != 0) {
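Review bot: The new `vctx->result = kr_error(E2BIG);` is the one place that gives E2BIG its meaning for the validator, while the callers in the other hunks match on the bare value, so a comment here should pin the contract: `/* Crypto budget exhausted (see the CPU-exhaustion note in the retry logic): E2BIG is a sentinel that callers short-circuit on, not a verdict on this RRset. */`. The limit is checked before `kr_check_signature()` runs, which is the right order for a budget guard. Whether the `finish:` label preserves `vctx->result` cannot be seen from here, since the enclosing function continues outside the hunk.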
if (ret == 0)
ret = kr_svldr_rrset_with_key(keys, sigs, vctx, &key);
svldr_key_del(&key);
- if (ret == 0) {
+ if (ret == 0 || ret == kr_error(E2BIG)) {
kr_assert(vctx->result == 0);
return vctx->result;
}
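Review bot: The `kr_assert(vctx->result == 0)` on the line after the widened condition is now reachable with `ret == kr_error(E2BIG)`, and on that path `vctx->result` is presumably `kr_error(E2BIG)` as well (the other hunks assign `vctx->result = kr_error(E2BIG)` and return `vctx->result`), so the assertion would fire on exactly the path this change is meant to handle. Tighten it to the relation the code relies on and return what was checked: `kr_assert(vctx->result == ret);` followed by `return ret;`. That also closes the other case: if `kr_svldr_rrset_with_key()` could report E2BIG without setting `vctx->result`, the current `return vctx->result` would report success for an aborted validation. The enclosing function starts and ends outside the hunk.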
ret = validate_records(req, pkt, req->rplan.pool, has_nsec3);
if (ret == KNOT_EDOWNGRADED) {
return KR_STATE_DONE;
+ } else if (ret == kr_error(E2BIG)) {
+ qry->flags.DNSSEC_BOGUS = true;
+ return KR_STATE_FAIL;
+
} else if (ret != 0) {
/* something exceptional - no DNS key, empty pointers etc
* normally it shouldn't happen */
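Review bot: The added blank `+` line between `return KR_STATE_FAIL;` and `} else if (ret != 0) {` is stray whitespace that the rest of this if/else chain does not use; drop it. Beyond that, hitting the crypto limit is the event an operator would want to see when this defense engages, yet the new branch sets `DNSSEC_BOGUS` and fails without any diagnostic; if the generic `ret != 0` branch (its body lies outside the hunk) emits a verbose log line, give this branch one too that names the limit, so limit hits can be told apart from ordinary validation failures in logs and counters. The enclosing function continues outside the hunk.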
/* Do not finish with bogus answer. */
if (qry->flags.DNSSEC_BOGUS) {
- if (qry->flags.FORWARD || qry->flags.STUB) {
+ if (qry->flags.FORWARD || qry->flags.STUB
+ /* Probably CPU exhaustion attempt, so do not retry. */
+ || qry->vld_limit_crypto_remains <= 0) {
return KR_STATE_FAIL;
}
/* Other servers might not have broken DNSSEC. */