vendor/unbound/1.6.6

2 files changed, 56 insertions, 4 deletions

diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 88d23472118f4..e9ec5a5b5879d 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -1320,6 +1320,9 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 #include "ecdsa.h"
 #include "ecc-curve.h"
 #endif
+#ifdef HAVE_NETTLE_EDDSA_H
+#include "eddsa.h"
+#endif
 
 static int
 _digest_nettle(int algo, uint8_t* buf, size_t len,
@@ -1477,6 +1480,10 @@ dnskey_algo_id_is_supported(int id)
 	case LDNS_ECDSAP384SHA384:
 #endif
 		return 1;
+#ifdef USE_ED25519
+	case LDNS_ED25519:
+		return 1;
+#endif
 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
 	case LDNS_ECC_GOST:
 	default:
@@ -1718,6 +1725,30 @@ _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char*
 }
 #endif
 
+#ifdef USE_ED25519
+static char *
+_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
+	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+	int res = 0;
+
+	if(sigblock_len != ED25519_SIGNATURE_SIZE) {
+		return "wrong ED25519 signature length";
+	}
+	if(keylen != ED25519_KEY_SIZE) {
+		return "wrong ED25519 key length";
+	}
+
+	res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
+		sldns_buffer_begin(buf), (uint8_t*)sigblock);
+
+	if (!res)
+		return "ED25519 signature verification failed";
+	else
+		return NULL;
+}
+#endif
+
 /**
  * Check a canonical sig+rrset and signature against a dnskey
  * @param buf: buffer with data to verify, the first rrsig part and the
@@ -1759,9 +1790,13 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 	case LDNS_RSASHA1_NSEC3:
 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
 #endif
+		/* double fallthrough annotation to please gcc parser */
+		/* fallthrough */
 #ifdef USE_SHA2
+		/* fallthrough */
 	case LDNS_RSASHA256:
 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+		/* fallthrough */
 	case LDNS_RSASHA512:
 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
 
@@ -1776,6 +1811,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 #ifdef USE_ECDSA
 	case LDNS_ECDSAP256SHA256:
 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+		/* fallthrough */
 	case LDNS_ECDSAP384SHA384:
 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
@@ -1785,6 +1821,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 		else
 			return sec_status_secure;
 #endif
+#ifdef USE_ED25519
+	case LDNS_ED25519:
+		*reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
+			key, keylen);
+		if (*reason != NULL)
+			return sec_status_bogus;
+		else
+			return sec_status_secure;
+#endif
 	case LDNS_RSAMD5:
 	case LDNS_ECC_GOST:
 	default:
diff --git a/validator/val_utils.c b/validator/val_utils.c
index e4eff1b2523b9..973473f9dc85e 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -932,17 +932,24 @@ val_check_nonsecure(struct module_env* env, struct reply_info* rep)
 			 * Therefore the message is bogus.
 			 */
 
-			/* check if authority consists of only an NS record
+			/* check if authority has an NS record
 			 * which is bad, and there is an answer section with
 			 * data.  In that case, delete NS and additional to 
 			 * be lenient and make a minimal response */
-			if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 &&
+			if(rep->an_numrrsets != 0 &&
 				ntohs(rep->rrsets[i]->rk.type) 
 				== LDNS_RR_TYPE_NS) {
 				verbose(VERB_ALGO, "truncate to minimal");
-				rep->ns_numrrsets = 0;
 				rep->ar_numrrsets = 0;
-				rep->rrset_count = rep->an_numrrsets;
+				rep->rrset_count = rep->an_numrrsets +
+					rep->ns_numrrsets;
+				/* remove this unneeded authority rrset */
+				memmove(rep->rrsets+i, rep->rrsets+i+1, 
+					sizeof(struct ub_packed_rrset_key*)*
+					(rep->rrset_count - i - 1));
+				rep->ns_numrrsets--;
+				rep->rrset_count--;
+				i--;
 				return;
 			}