vendor/unbound/1.6.2

author: Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-12 11:53:39 +0000
committer: Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-12 11:53:39 +0000
commit: 6cacf549d3c2d5bddb0dcadd620e1db2897c7f26 (patch)
tree: e187e7d708a063f1628697fe779e2bb101d451b8 /validator/val_utils.c
parent: fbdb9ac866a647da0919b224f05cca039afc02fa (diff)
1 files changed, 8 insertions, 3 deletions
diff --git a/validator/val_utils.c b/validator/val_utils.c
index da8066aad7e96..e3677e1d9cebc 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -495,16 +495,21 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 		return sec_status_bogus;
 	}
 
-	digest_algo = val_favorite_ds_algo(ds_rrset);
-	if(sigalg)
+	if(sigalg) {
+		/* harden against algo downgrade is enabled */
+		digest_algo = val_favorite_ds_algo(ds_rrset);
 		algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
+	} else {
+		/* accept any key algo, any digest algo */
+		digest_algo = -1;
+	}
 	num = rrset_get_count(ds_rrset);
 	for(i=0; i<num; i++) {
 		/* Check to see if we can understand this DS. 
 		 * And check it is the strongest digest */
 		if(!ds_digest_algo_is_supported(ds_rrset, i) ||
 			!ds_key_algo_is_supported(ds_rrset, i) ||
-			ds_get_digest_algo(ds_rrset, i) != digest_algo) {
+			(sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
 			continue;
 		}
author	Dag-Erling Smørgrav <des@FreeBSD.org>	2018-05-12 11:53:39 +0000
committer	Dag-Erling Smørgrav <des@FreeBSD.org>	2018-05-12 11:53:39 +0000
commit	6cacf549d3c2d5bddb0dcadd620e1db2897c7f26 (patch)
tree	e187e7d708a063f1628697fe779e2bb101d451b8 /validator/val_utils.c
parent	fbdb9ac866a647da0919b224f05cca039afc02fa (diff)