From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 4 Aug 2010 08:36:27 +0000 (+0000)
Subject:       - Fix validation in case a trust anchor enters into a zone with
X-Git-Tag: release-1.4.7rc1~120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c4671a63f0684c394e3a33fd55d6a905d981268;p=thirdparty%2Funbound.git

  - Fix validation in case a trust anchor enters into a zone with
         unsupported algorithms.


git-svn-id: file:///svn/unbound/trunk@2205 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index 8a4b78e80..f524e1b48 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+4 August 2010: Wouter
+	- Fix validation in case a trust anchor enters into a zone with
+	  unsupported algorithms.
+
 3 August 2010: Wouter
 	- updated ldns tarball with bugfixes.
 	- release tag 1.4.6.
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 0b05bbfc3..986899e19 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -462,6 +462,8 @@ void algo_needs_init_dnskey(struct algo_needs* n,
 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
 	for(i=0; i<num; i++) {
 		algo = (uint8_t)dnskey_get_algo(dnskey, i);
+		if(!dnskey_algo_id_is_supported(algo))
+			continue;
 		if(n->needs[algo] == 0) {
 			n->needs[algo] = 1;
 			total++;
@@ -482,6 +484,8 @@ void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
 		if(ds_get_digest_algo(ds, i) != fav_ds_algo)
 			continue;
 		algo = (uint8_t)ds_get_key_algo(ds, i);
+		if(!dnskey_algo_id_is_supported(algo))
+			continue;
 		if(n->needs[algo] == 0) {
 			n->needs[algo] = 1;
 			total++;
@@ -546,6 +550,11 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
 	}
 
 	algo_needs_init_dnskey(&needs, dnskey);
+	if(algo_needs_num_missing(&needs) == 0) {
+		verbose(VERB_QUERY, "DNSKEY has no known algorithms");
+		*reason = "DNSKEY has no known algorithms";
+		return sec_status_insecure;
+	}
 	for(i=0; i<num; i++) {
 		sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 
 			dnskey, i, &sortree, reason);
@@ -631,6 +640,10 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 	size_t numchecked = 0;
 	int buf_canon = 0;
 	verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
+	if(!dnskey_algo_id_is_supported(algo)) {
+		verbose(VERB_QUERY, "verify sig: unknown algorithm");
+		return sec_status_insecure;
+	}
 	
 	for(i=0; i<num; i++) {
 		/* see if key matches keytag and algo */