Author: dougb
Date: Sat Mar 21 21:37:05 2009
New Revision: 190218
URL: http://svn.freebsd.org/changeset/base/190218

Log:
  Vendor import of BIND 9.4.3-P2

Modified:
  vendor/bind9/dist/CHANGES
  vendor/bind9/dist/lib/dns/validator.c
  vendor/bind9/dist/version

Modified: vendor/bind9/dist/CHANGES
==============================================================================
--- vendor/bind9/dist/CHANGES   Sat Mar 21 21:16:05 2009        (r190217)
+++ vendor/bind9/dist/CHANGES   Sat Mar 21 21:37:05 2009        (r190218)
@@ -1,3 +1,8 @@
+       --- 9.4.3-P2 released ---
+
+2579.  [bug]           DNSSEC lookaside validation failed to handle unknown
+                       algorithms. [RT #19479]
+
        --- 9.4.3-P1 released ---
 
 2522.  [security]      Handle -1 from DSA_do_verify().

Modified: vendor/bind9/dist/lib/dns/validator.c
==============================================================================
--- vendor/bind9/dist/lib/dns/validator.c       Sat Mar 21 21:16:05 2009        (r190217)
+++ vendor/bind9/dist/lib/dns/validator.c       Sat Mar 21 21:37:05 2009        (r190218)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.41 2008/08/21 04:59:42 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
 
 /*! \file */
 
@@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) {
        return (ISC_TRUE);
 }
 
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+       dns_rdata_dlv_t dlv;
+       isc_result_t result;
+
+       for (result = dns_rdataset_first(&val->dlv);
+            result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(&val->dlv)) {
+               dns_rdata_reset(&rdata);
+               dns_rdataset_current(&val->dlv, &rdata);
+               result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+               RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+               if (!dns_resolver_algorithm_supported(val->view->resolver,
+                                                     val->event->name,
+                                                     dlv.algorithm))
+                       continue;
+
+               if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+                   dlv.digest_type != DNS_DSDIGEST_SHA1)
+                       continue;
+
+               return (ISC_TRUE);
+       }
+       return (ISC_FALSE);
+}
+
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
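Review bot: The comment above `dlv_algorithm_supported()` understates the test, because a DLV record is accepted only when its algorithm passes `dns_resolver_algorithm_supported()` and its digest type is SHA-1 or SHA-256. I would write `Check that the DLV RRset has at least one record whose algorithm and digest type we support.`, which also fixes "atleast". The two digest constants are hard-coded here; if the code that later verifies DLV digests accepts a different set (not visible in this hunk), the lists can drift and change which zones end up treated as unvalidated. `RUNTIME_CHECK` on `dns_rdata_tostruct()` aborts the process on failure, so a short comment on why conversion cannot fail for rdata already held in `val->dlv` would help a reader auditing for remotely triggerable aborts.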
@@ -2297,19 +2328,36 @@ dlvfetched(isc_task_t *task, isc_event_t
                                sizeof(namebuf));
                dns_rdataset_clone(&val->frdataset, &val->dlv);
                val->havedlvsep = ISC_TRUE;
-               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-               dlv_validator_start(val);
+               if (dlv_algorithm_supported(val)) {
+                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+                                     namebuf);
+                       dlv_validator_start(val);
+               } else {
+                       validator_log(val, ISC_LOG_DEBUG(3),
+                                     "DLV %s found with no supported algorithms",
+                                     namebuf);
+                       markanswer(val);
+                       validator_done(val, ISC_R_SUCCESS);
+               }
        } else if (eresult == DNS_R_NXRRSET ||
                   eresult == DNS_R_NXDOMAIN ||
                   eresult == DNS_R_NCACHENXRRSET ||
                   eresult == DNS_R_NCACHENXDOMAIN) {
-                  result = finddlvsep(val, ISC_TRUE);
+               result = finddlvsep(val, ISC_TRUE);
                if (result == ISC_R_SUCCESS) {
-                       dns_name_format(dns_fixedname_name(&val->dlvsep),
-                                       namebuf, sizeof(namebuf));
-                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
-                                     namebuf);
-                       dlv_validator_start(val);
+                       if (dlv_algorithm_supported(val)) {
+                               dns_name_format(dns_fixedname_name(&val->dlvsep),
+                                               namebuf, sizeof(namebuf));
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found", namebuf);
+                               dlv_validator_start(val);
+                       } else {
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found with no supported "
+                                             "algorithms", namebuf);
+                               markanswer(val);
+                               validator_done(val, ISC_R_SUCCESS);
+                       }
                } else if (result == ISC_R_NOTFOUND) {
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
                        markanswer(val);
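Review bot: In the second branch, after `finddlvsep(val, ISC_TRUE)` succeeds, the new `else` path logs `namebuf` with `%s` even though the `dns_name_format()` call now sits inside the `if (dlv_algorithm_supported(val))` arm, so nothing in this branch fills the buffer on the unsupported path. Unless `namebuf` is initialised earlier in dlvfetched (the function starts outside this hunk), that is a read of an indeterminate buffer whenever this message is emitted. Hoist `dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf));` above the `if`, matching the first branch and startfinddlvsep. Separately, both unsupported-algorithm paths finish with `validator_done(val, ISC_R_SUCCESS)` without running `dlv_validator_start()` and report this only at `ISC_LOG_DEBUG(3)`; a message at a level operators normally see would make it detectable when a DLV-covered name is accepted without validation.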
@@ -2372,9 +2420,16 @@ startfinddlvsep(dns_validator_t *val, dn
        }
        dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
                        sizeof(namebuf));
-       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-       dlv_validator_start(val);
-       return (DNS_R_WAIT);
+       if (dlv_algorithm_supported(val)) {
+               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+               dlv_validator_start(val);
+               return (DNS_R_WAIT);
+       } 
+       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+                     "algorithms", namebuf);
+       markanswer(val);
+       validator_done(val, ISC_R_SUCCESS);
+       return (ISC_R_SUCCESS);
 }
 
 /*%
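Review bot: The new fall-through path calls `validator_done(val, ISC_R_SUCCESS)` and then returns `ISC_R_SUCCESS`, while the supported path returns `DNS_R_WAIT`; the callers are outside this hunk, so it needs confirming that none of them completes the validator again, or touches `val`, when startfinddlvsep returns anything other than `DNS_R_WAIT`. If a caller does, the validator would be finished twice. The safer shape is to leave completion to the caller by keeping `markanswer(val);` and `return (ISC_R_SUCCESS);` and dropping the `validator_done()` call. Either way the function's header comment should state which return values mean the validator has already been completed. The added `} ` line carries trailing whitespace.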

Modified: vendor/bind9/dist/version
==============================================================================
--- vendor/bind9/dist/version   Sat Mar 21 21:16:05 2009        (r190217)
+++ vendor/bind9/dist/version   Sat Mar 21 21:37:05 2009        (r190218)
@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.23.2.1 2008/12/24 00:21:22 marka Exp $
+# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2