From 75792c34dca4d17c09b145cde7c66a709520ecb1 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 17 Oct 2007 15:48:54 +0000
Subject: [PATCH] fixup insecure glue on referrals.

git-svn-id: file:///svn/unbound/trunk@688 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/worker.c       |  1 +
 doc/Changelog         |  2 ++
 validator/val_utils.c | 28 +++++++++++++++++++++-------
 validator/val_utils.h |  4 +++-
 validator/validator.c |  3 ++-
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/daemon/worker.c b/daemon/worker.c
index 25091f8e5..ebde077bc 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -359,6 +359,7 @@ deleg_remove_nonsecure_additional(struct reply_info* rep)
 				(rep->rrset_count - i - 1));
 			rep->ar_numrrsets--; 
 			rep->rrset_count--;
+			i--;
 		}
 	}
 }
diff --git a/doc/Changelog b/doc/Changelog
index 05d0cef7a..ca537dbbf 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -13,6 +13,8 @@
 	- removed some debug prints, only verb_algo (4) enables them.
 	- fixup test; new random generator took new paths; such as one 
 	  where no scripted answer was available.
+	- mark insecure RRs as insecure.
+	- fixup removal of nonsecure items from the additional.
 
 16 October 2007: Wouter
 	- no malloc in log_hex.
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 40a470e1f..c882ca8a9 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -550,11 +550,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 
 void 
 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-	size_t skip, uint8_t* name, size_t len)
+	size_t skip, uint8_t* name, size_t len, uint8_t* signer)
 {
-	/* unsigned RRsets are never copied, but should not happen in 
-	 * secure answers anyway. Except for the synthesized CNAME after 
-	 * a DNAME. */
 	size_t i;
 	int seen_dname = 0;
 	chase->rrset_count = 0;
@@ -563,7 +560,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	chase->ar_numrrsets = 0;
 	/* ANSWER section */
 	for(i=skip; i<orig->an_numrrsets; i++) {
-		if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+				chase->rrsets[chase->an_numrrsets++] = 
+					orig->rrsets[i];
+		} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
 			LDNS_RR_TYPE_CNAME) {
 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
 			seen_dname = 0;
@@ -579,7 +581,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
 		i<orig->an_numrrsets+orig->ns_numrrsets; 
 		i++) {
-		if(rrset_has_signer(orig->rrsets[i], name, len)) {
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+				chase->rrsets[chase->an_numrrsets+
+				    chase->ns_numrrsets++] = orig->rrsets[i];
+		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 			chase->rrsets[chase->an_numrrsets+
 				chase->ns_numrrsets++] = orig->rrsets[i];
 		}
@@ -588,7 +595,13 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 	for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
 		skip:orig->an_numrrsets+orig->ns_numrrsets; 
 		i<orig->rrset_count; i++) {
-		if(rrset_has_signer(orig->rrsets[i], name, len)) {
+		if(!signer) {
+			if(query_dname_compare(name, 
+				orig->rrsets[i]->rk.dname) == 0)
+			    chase->rrsets[chase->an_numrrsets
+				+orig->ns_numrrsets+chase->ar_numrrsets++] 
+				= orig->rrsets[i];
+		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
 				chase->ar_numrrsets++] = orig->rrsets[i];
 		}
@@ -643,6 +656,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 				(rep->rrset_count - i - 1));
 			rep->ar_numrrsets--;
 			rep->rrset_count--;
+			i--;
 		}
 	}
 }
diff --git a/validator/val_utils.h b/validator/val_utils.h
index c6fe5f748..cd4579ed0 100644
--- a/validator/val_utils.h
+++ b/validator/val_utils.h
@@ -206,9 +206,11 @@ int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
  * 	The skipped part contains CNAME(and DNAME)s that have been chased.
  * @param name: the signer name to look for.
  * @param len: length of name.
+ * @param signer: signer name or NULL if an unsigned RRset is considered.
+ *	If NULL, rrsets with the lookup name are copied over.
  */
 void val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-	size_t cname_skip, uint8_t* name, size_t len);
+	size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
 
 /**
  * Remove all unsigned or non-secure status rrsets from NS and AR sections.
diff --git a/validator/validator.c b/validator/validator.c
index 55a69c5dc..126b0918d 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -1164,7 +1164,8 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
 		/* extract this part of orig_msg into chase_reply for
 		 * the eventual VALIDATE stage */
 		val_fill_reply(vq->chase_reply, vq->orig_msg->rep, 
-			vq->rrset_skip, lookup_name, lookup_len);
+			vq->rrset_skip, lookup_name, lookup_len, 
+			vq->signer_name);
 		if(verbosity >= VERB_ALGO)
 			log_dns_msg("chased extract", &vq->qchase, 
 				vq->chase_reply);
-- 
2.47.2