From: Yorgos Thessalonikefs Date: Sun, 3 Jul 2022 20:24:58 +0000 (+0200) Subject: Merge pull request #660 from InfrastructureServices/sha1-runtime-insecure X-Git-Tag: release-1.16.1rc1~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e102aea75171a95000d2489408d4cc7be489f909;p=thirdparty%2Funbound.git Merge pull request #660 from InfrastructureServices/sha1-runtime-insecure Sha1 runtime insecure --- e102aea75171a95000d2489408d4cc7be489f909 diff --cc validator/val_sigcrypt.c index d5f16b11f,fb8bbb911..5fd774d7a --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@@ -610,11 -597,11 +610,11 @@@ void algo_needs_reason(struct module_en enum sec_status dnskey_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - size_t dnskey_idx, char** reason, sldns_pkt_section section, - struct module_qstate* qstate) + size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; - size_t i, num, numchecked = 0; + size_t i, num, numchecked = 0, numindeterminate = 0; rbtree_type* sortree = NULL; int buf_canon = 0; uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx); @@@ -679,12 -669,13 +687,14 @@@ dnskeyset_verify_rrset_sig(struct modul numchecked ++; /* see if key verifies */ - sec = dnskey_verify_rrset_sig(env->scratch, - env->scratch_buffer, ve, now, rrset, dnskey, i, - sig_idx, sortree, &buf_canon, reason, section, qstate); + sec = dnskey_verify_rrset_sig(env->scratch, + env->scratch_buffer, ve, now, rrset, dnskey, i, + sig_idx, sortree, &buf_canon, reason, reason_bogus, + section, qstate); if(sec == sec_status_secure) return sec; + else if(sec == sec_status_indeterminate) + numindeterminate ++; } if(numchecked == 0) { *reason = "signatures from unknown keys";
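Review bot: The new out-parameter `sldns_ede_code *reason_bogus` on `dnskey_verify_rrset` has no stated contract anywhere in this hunk, so a caller cannot tell when it is written or whether NULL is accepted. The function's doc comment, which is not visible here and may live in the header, should gain a line such as `@param reason_bogus: set to the extended DNS error code when the result is bogus` plus a statement on NULL. As a style point, the declarator is written `sldns_ede_code *reason_bogus` while the neighbouring parameters use `char** reason` and `struct module_qstate* qstate`; `sldns_ede_code* reason_bogus` would match the file. The function body continues past the end of the hunk, so how `numindeterminate` and `reason_bogus` are used there cannot be checked from here.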
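Review bot: In the second hunk `numindeterminate` is only incremented (`else if(sec == sec_status_indeterminate) numindeterminate ++;`); the code that turns it into a return value lies after the last visible line, so the downgrade condition needs checking there. For a validator the safe rule is that indeterminate is returned only when every checked key was indeterminate, i.e. `if(numindeterminate == numchecked) return sec_status_indeterminate;`. That test must sit after the visible `if(numchecked == 0)` branch, because with no matching keys both counters are zero and the comparison would otherwise return indeterminate instead of reporting "signatures from unknown keys". If one indeterminate key could mask a failed verification by another key, an invalid signature would be treated as unvalidated data rather than rejected. A comment at the counter such as `/* key could not be evaluated; only downgrade when all checked keys are indeterminate */` would record the intent; the enclosing function starts and ends outside the hunk.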