9.5.1-P2 v9.5.1-P2
authorMark Andrews <marka@isc.org>
Tue, 17 Mar 2009 02:11:19 +0000 (02:11 +0000)
committerMark Andrews <marka@isc.org>
Tue, 17 Mar 2009 02:11:19 +0000 (02:11 +0000)
CHANGES
lib/dns/validator.c
version

diff --git a/CHANGES b/CHANGES
index 124d232c7a12e1528460aa14b25d2852cc287b0d..982a6f744b0476cbd9fb1cbecb072a140af25ec4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+       --- 9.5.1-P2 released ---
+
+2579.  [bug]           DNSSEC lookaside validation failed to handle unknown
+                       algorithms. [RT #19479]
+
        --- 9.5.1-P1 released ---
 
 2522.  [security]      Handle -1 from DSA_do_verify().
index 5d4fd1e102d86e289c97fcefc0b3086e9df28de5..628c76cc2ecbb2e5dc1366266efc7a337a43054e 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.155.52.8 2008/11/14 23:46:41 tbox Exp $ */
+/* $Id: validator.c,v 1.155.52.8.2.1 2009/03/17 02:11:19 marka Exp $ */
 
 #include <config.h>
 
@@ -209,6 +209,37 @@ exit_check(dns_validator_t *val) {
        return (ISC_TRUE);
 }
 
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+       dns_rdata_dlv_t dlv;
+       isc_result_t result;
+
+       for (result = dns_rdataset_first(&val->dlv);
+            result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(&val->dlv)) {
+               dns_rdata_reset(&rdata);
+               dns_rdataset_current(&val->dlv, &rdata);
+               result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+               RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+               if (!dns_resolver_algorithm_supported(val->view->resolver,
+                                                     val->event->name,
+                                                     dlv.algorithm))
+                       continue;
+
+               if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+                   dlv.digest_type != DNS_DSDIGEST_SHA1)
+                       continue;
+
+               return (ISC_TRUE);
+       }
+       return (ISC_FALSE);
+}
+
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
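Review bot: The header comment on the new dlv_algorithm_supported() has a typo ("atleast") and describes only half of what the loop checks: besides dns_resolver_algorithm_supported() it also rejects any DLV record whose digest type is not SHA-1 or SHA-256, so a DLV RRset with only unknown digest types is reported as unsupported too. Suggested comment: `/* Return ISC_TRUE if at least one record in val->dlv has a DNSKEY algorithm supported for val->event->name AND a digest type of SHA-1 or SHA-256; ISC_FALSE otherwise, including when rdataset iteration stops for any reason other than success. */` The last clause is worth stating because the loop exits on any non-ISC_R_SUCCESS result, and every caller in this commit treats ISC_FALSE as "no supported algorithms" and marks the answer insecure; whether anything other than ISC_R_NOMORE can come back from dns_rdataset_next() here is not visible in the hunk.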
@@ -2320,19 +2351,36 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
                                sizeof(namebuf));
                dns_rdataset_clone(&val->frdataset, &val->dlv);
                val->havedlvsep = ISC_TRUE;
-               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-               dlv_validator_start(val);
+               if (dlv_algorithm_supported(val)) {
+                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+                                     namebuf);
+                       dlv_validator_start(val);
+               } else {
+                       validator_log(val, ISC_LOG_DEBUG(3),
+                                     "DLV %s found with no supported algorithms",
+                                     namebuf);
+                       markanswer(val);
+                       validator_done(val, ISC_R_SUCCESS);
+               }
        } else if (eresult == DNS_R_NXRRSET ||
                   eresult == DNS_R_NXDOMAIN ||
                   eresult == DNS_R_NCACHENXRRSET ||
                   eresult == DNS_R_NCACHENXDOMAIN) {
-                  result = finddlvsep(val, ISC_TRUE);
+               result = finddlvsep(val, ISC_TRUE);
                if (result == ISC_R_SUCCESS) {
-                       dns_name_format(dns_fixedname_name(&val->dlvsep),
-                                       namebuf, sizeof(namebuf));
-                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
-                                     namebuf);
-                       dlv_validator_start(val);
+                       if (dlv_algorithm_supported(val)) {
+                               dns_name_format(dns_fixedname_name(&val->dlvsep),
+                                               namebuf, sizeof(namebuf));
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found", namebuf);
+                               dlv_validator_start(val);
+                       } else {
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found with no supported "
+                                             "algorithms", namebuf);
+                               markanswer(val);
+                               validator_done(val, ISC_R_SUCCESS);
+                       }
                } else if (result == ISC_R_NOTFOUND) {
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
                        markanswer(val);
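Review bot: In the finddlvsep branch the "DLV %s found with no supported algorithms" log prints namebuf, but the dns_name_format() that fills namebuf from val->dlvsep was moved inside the `if (dlv_algorithm_supported(val))` arm, so the else arm logs whatever namebuf already held — presumably uninitialized stack, since nothing in this branch writes it (the format call near the top of the hunk belongs to the other `if` arm; namebuf's declaration is outside the hunk). Hoist the two lines `dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf));` directly after `if (result == ISC_R_SUCCESS) {`, ahead of the algorithm check, as the first arm of the function already does. The found/unsupported sequence (log, dlv_validator_start() versus markanswer() plus validator_done()) now appears twice here and again in startfinddlvsep(); a small static helper taking val and namebuf would keep the three sites from drifting. dlvfetched() starts and ends outside this hunk.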
@@ -2395,9 +2443,16 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
        }
        dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
                        sizeof(namebuf));
-       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-       dlv_validator_start(val);
-       return (DNS_R_WAIT);
+       if (dlv_algorithm_supported(val)) {
+               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+               dlv_validator_start(val);
+               return (DNS_R_WAIT);
+       } 
+       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+                     "algorithms", namebuf);
+       markanswer(val);
+       validator_done(val, ISC_R_SUCCESS);
+       return (ISC_R_SUCCESS);
 }
 
 /*%
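Review bot: startfinddlvsep() previously always returned DNS_R_WAIT after starting the DLV validator; the new unsupported-algorithm path calls validator_done(val, ISC_R_SUCCESS) itself and then returns ISC_R_SUCCESS, so any caller that reacts to a non-DNS_R_WAIT return by completing the validation would now do so after the event has already been sent — acceptable only if validator_done() is a no-op once val->event has been cleared, which cannot be confirmed from the hunk since the callers are outside it. A one-line comment above the early return, `/* Validation finished here; caller must not call validator_done() again. */`, would make the new contract explicit. There is also trailing whitespace after the closing brace of the `if` on the line `} `.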
diff --git a/version b/version
index 6b0f11c07826ded02f5293ea90163f8cb4e37bdd..09a82776f7721847ef425e7aea5a6293b90f0d4b 100644 (file)
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.39.18.9.2.3 2008/12/24 00:20:59 marka Exp $
+# $Id: version,v 1.39.18.9.2.4 2009/03/17 02:11:19 marka Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=5
 PATCHVER=1
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2