From 8dac5cd7ffa0961ca3f6f3bc177acc88092cb652 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Tue, 11 Jul 2017 13:35:59 +0200
Subject: [PATCH] zonecut: fix possible opportunities to use insecure ... data from cache as keys for validation
---
 NEWS | 5 +++++
 lib/zonecut.c | 17 ++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/NEWS b/NEWS
index 03bd455aa..177cc9a6d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 Knot Resolver 1.3.2 (2017-07-xx)
 ================================
+Security
+--------
+- fix possible opportunities to use insecure data from cache as keys
+ for validation
+
 Bugfixes
 --------
 - daemon: check existence of config file even if rundir isn't specified
diff --git a/lib/zonecut.c b/lib/zonecut.c
index a61a9054b..8a108c190 100644
--- a/lib/zonecut.c
+++ b/lib/zonecut.c
@@ -354,6 +354,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
 if (ret != 0) {
 return ret;
 }
+ /* Note: we accept *any* rank from the cache. We assume that nothing
+ * completely untrustworthy could get into the cache, e.g out-of-bailiwick
+ * records that weren't validated.
+ */
 /* Materialize as we'll going to do more cache lookups. */
 knot_rrset_t rr_copy;
@@ -384,10 +388,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
 }
 /**
- * Fetch RRSet of given type. (and of reasonable trustworthiness)
+ * Fetch secure RRSet of given type.
 */
-static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
- const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
+static int fetch_secure_rrset(knot_rrset_t **rr, struct kr_cache *cache,
+ const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
 {
 if (!rr) {
 return kr_error(ENOENT);
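Review bot: The comment added after the `ret != 0` check in fetch_ns states an invariant ("nothing completely untrustworthy could get into the cache") that this function relies on but does not enforce, and it does not say where that invariant is upheld. Since an NS set of any rank is accepted here and the code then goes on to do more cache lookups, I would extend the comment with a line such as `* This relies on the cache write path rejecting such records; keep the two in sync.` so that a later change to cache insertion gets reviewed against this assumption. fetch_ns begins and ends outside the hunk, so whether the fetched rank is used further down is not visible here.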
@@ -401,8 +405,7 @@ static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
 if (ret != 0) {
 return ret;
 }
- const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE)
- || (kr_rank_test(rank, KR_RANK_INSECURE) && kr_rank_test(rank, KR_RANK_AUTH));
+ const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE);
 if (!rankOK) {
 return kr_error(ENOENT);
 }
@@ -448,9 +451,9 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut, const
 }
 /* Fetch DS and DNSKEY if caller wants secure zone cut */
 if (*secured || is_root) {
- fetch_rrset(&cut->trust_anchor, &ctx->cache, label,
+ fetch_secure_rrset(&cut->trust_anchor, &ctx->cache, label,
 KNOT_RRTYPE_DS, cut->pool, timestamp);
- fetch_rrset(&cut->key, &ctx->cache, label,
+ fetch_secure_rrset(&cut->key, &ctx->cache, label,
 KNOT_RRTYPE_DNSKEY, cut->pool, timestamp);
 }
 update_cut_name(cut, label);
-- 
2.47.2
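Review bot: The narrowed `rankOK` test in fetch_secure_rrset has no comment saying why `KR_RANK_INSECURE` combined with `KR_RANK_AUTH` is no longer acceptable, so the reason lives only in the commit subject and the removed condition could later be reintroduced as a "fix" for cache misses. I would add above it `/* Callers use the result as keys for validation, so only KR_RANK_SECURE data is acceptable. */`. A record refused for its rank also returns the same `kr_error(ENOENT)` as the `!rr` guard, which makes a refused insecure record indistinguishable from a missing one when debugging. The diffstat lists only NEWS and lib/zonecut.c, so the fix appears to ship without a regression test for the insecure-rank case. The function body starts and ends outside this hunk.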
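Review bot: Both `fetch_secure_rrset()` calls inside `if (*secured || is_root)` discard the return value, and with the stricter rank check a cached DS or DNSKEY that is not `KR_RANK_SECURE` now fails here as well. The code after the calls therefore depends on `cut->trust_anchor` and `cut->key` being empty after a failure; whether fetch_secure_rrset clears `*rr` before its early returns is not visible in this diff and should be confirmed, since a stale key left from an earlier call would be worse than none. If ignoring the result is deliberate, say so at the call site, e.g. `/* Best effort: failure is expected when nothing secure is cached; the pointer must then be NULL. */`. kr_zonecut_find_cached continues outside the hunk.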