- Fix validation in case a trust anchor enters into a zone with
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 4 Aug 2010 08:36:27 +0000 (08:36 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 4 Aug 2010 08:36:27 +0000 (08:36 +0000)
         unsupported algorithms.

git-svn-id: file:///svn/unbound/trunk@2205 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_sigcrypt.c

index 8a4b78e80d22fe1c4bd56661570008f24bc790ed..f524e1b486c3d735f5fe7c13421268016b25f085 100644 (file)
@@ -1,3 +1,7 @@
+4 August 2010: Wouter
+       - Fix validation in case a trust anchor enters into a zone with
+         unsupported algorithms.
+
 3 August 2010: Wouter
        - updated ldns tarball with bugfixes.
        - release tag 1.4.6.
index 0b05bbfc360c76dc0a792c35930a6782f988d3a8..986899e19972b09ac228fcf191e93d8ecec3f847 100644 (file)
@@ -462,6 +462,8 @@ void algo_needs_init_dnskey(struct algo_needs* n,
        memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
        for(i=0; i<num; i++) {
                algo = (uint8_t)dnskey_get_algo(dnskey, i);
+               if(!dnskey_algo_id_is_supported(algo))
+                       continue;
                if(n->needs[algo] == 0) {
                        n->needs[algo] = 1;
                        total++;
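Review bot: The skip of unsupported key algorithms added at the top of this loop changes what `n->needs` counts, and nothing in the hunk says why dropping such keys is correct rather than treating them as a failure, which invites a later "fix" that reintroduces the bug. I would add above the `continue`: `/* a key whose algorithm we cannot verify is treated as absent: it must not add a requirement no RRSIG could ever satisfy, otherwise a zone with one unknown algorithm would validate as bogus */`. The index `n->needs[algo]` on the following line depends on ALGO_NEEDS_MAX covering the whole uint8_t range; that is fine if it is 256, which is not visible here. algo_needs_init_dnskey starts before this hunk and continues after it.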
@@ -482,6 +484,8 @@ void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
                if(ds_get_digest_algo(ds, i) != fav_ds_algo)
                        continue;
                algo = (uint8_t)ds_get_key_algo(ds, i);
+               if(!dnskey_algo_id_is_supported(algo))
+                       continue;
                if(n->needs[algo] == 0) {
                        n->needs[algo] = 1;
                        total++;
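Review bot: This hunk filters unsupported key algorithms out of the DS needs-set, but the commit adds a matching "nothing supported" check only on the DNSKEY path in dnskeyset_verify_rrset and not for the DS path, whose caller is outside this diff. After this change a DS RRset whose entries all carry unsupported key algorithms leaves `total` at zero, and the outcome then depends entirely on how that caller interprets `algo_needs_num_missing(&needs) == 0`: RFC 4035 section 5.2 requires such a delegation to be treated as insecure (as if no DS existed), not as "all requirements met" and not as bogus. Please confirm the caller of algo_needs_init_ds tests for zero needs right after the init, along the lines of `if(algo_needs_num_missing(&needs) == 0) { *reason = "DS has no supported algorithms"; return sec_status_insecure; }`. algo_needs_init_ds starts before this hunk and continues after it.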
@@ -546,6 +550,11 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
        }
 
        algo_needs_init_dnskey(&needs, dnskey);
+       if(algo_needs_num_missing(&needs) == 0) {
+               verbose(VERB_QUERY, "DNSKEY has no known algorithms");
+               *reason = "DNSKEY has no known algorithms";
+               return sec_status_insecure;
+       }
        for(i=0; i<num; i++) {
                sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 
                        dnskey, i, &sortree, reason);
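Review bot: The new early return reads `algo_needs_num_missing(&needs) == 0` as "the key set has no supported algorithm", which is only true because it is evaluated immediately after `algo_needs_init_dnskey` and before any algorithm has been marked secure; the same expression later in the function presumably means the opposite, "everything satisfied". A comment should make that load-bearing ordering explicit: `/* nothing has been verified yet, so zero missing means no algorithm in the key set is one we support: the zone is effectively unsigned for us, hence insecure rather than bogus */`. The message says "known" while the predicate being applied is dnskey_algo_id_is_supported; `"DNSKEY has no supported algorithms"` in both the verbose() call and `*reason` would be more precise. The body of dnskeyset_verify_rrset starts before this hunk and continues after it.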
@@ -631,6 +640,10 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
        size_t numchecked = 0;
        int buf_canon = 0;
        verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
+       if(!dnskey_algo_id_is_supported(algo)) {
+               verbose(VERB_QUERY, "verify sig: unknown algorithm");
+               return sec_status_insecure;
+       }
        
        for(i=0; i<num; i++) {
                /* see if key matches keytag and algo */
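Review bot: The early return added to dnskeyset_verify_rrset_sig yields sec_status_insecure for a single RRSIG with an unsupported algorithm but, unlike the check added in dnskeyset_verify_rrset, leaves `*reason` untouched; `*reason = "verify sig: unknown algorithm";` before the return keeps the two paths consistent and gives callers a usable reason if this status is ever propagated. More importantly, the caller's loop over RRSIGs in dnskeyset_verify_rrset continues past its hunk and is not visible here: if that loop can return the per-signature insecure verdict directly, an attacker could append an RRSIG carrying an unknown algorithm number to an otherwise bogus RRset and downgrade it to insecure, so this per-signature result should only feed the needs bookkeeping and never short-circuit the RRset verdict to insecure on its own. Please confirm that loop treats insecure from this function the same as a failed signature. The rest of this function's body is outside the hunk.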