Diffstat (limited to 'validator/val_sigcrypt.c')
-rw-r--r--validator/val_sigcrypt.c40
1 files changed, 31 insertions, 9 deletions
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 099e658a3d2b2..9987b9b3f6272 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -485,7 +485,8 @@ int algo_needs_missing(struct algo_needs* n)
enum sec_status
dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
- uint8_t* sigalg, char** reason)
+ uint8_t* sigalg, char** reason, sldns_pkt_section section,
+ struct module_qstate* qstate)
{
enum sec_status sec;
size_t i, num;
@@ -512,7 +513,7 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
}
for(i=0; i<num; i++) {
sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
- dnskey, i, &sortree, reason);
+ dnskey, i, &sortree, reason, section, qstate);
/* see which algorithm has been fixed up */
if(sec == sec_status_secure) {
if(!sigalg)
@@ -553,7 +554,8 @@ void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
enum sec_status
dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
- size_t dnskey_idx, char** reason)
+ size_t dnskey_idx, char** reason, sldns_pkt_section section,
+ struct module_qstate* qstate)
{
enum sec_status sec;
size_t i, num, numchecked = 0;
@@ -577,7 +579,8 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
buf_canon = 0;
sec = dnskey_verify_rrset_sig(env->scratch,
env->scratch_buffer, ve, *env->now, rrset,
- dnskey, dnskey_idx, i, &sortree, &buf_canon, reason);
+ dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
+ section, qstate);
if(sec == sec_status_secure)
return sec;
numchecked ++;
@@ -591,7 +594,8 @@ enum sec_status
dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
time_t now, struct ub_packed_rrset_key* rrset,
struct ub_packed_rrset_key* dnskey, size_t sig_idx,
- struct rbtree_type** sortree, char** reason)
+ struct rbtree_type** sortree, char** reason, sldns_pkt_section section,
+ struct module_qstate* qstate)
{
/* find matching keys and check them */
enum sec_status sec = sec_status_bogus;
@@ -616,7 +620,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
/* see if key verifies */
sec = dnskey_verify_rrset_sig(env->scratch,
env->scratch_buffer, ve, now, rrset, dnskey, i,
- sig_idx, sortree, &buf_canon, reason);
+ sig_idx, sortree, &buf_canon, reason, section, qstate);
if(sec == sec_status_secure)
return sec;
}
@@ -1121,12 +1125,15 @@ int rrset_canonical_equal(struct regional* region,
* signer name length.
* @param sortree: if NULL is passed a new sorted rrset tree is built.
* Otherwise it is reused.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
* @return false on alloc error.
*/
static int
rrset_canonical(struct regional* region, sldns_buffer* buf,
struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
- struct rbtree_type** sortree)
+ struct rbtree_type** sortree, sldns_pkt_section section,
+ struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
uint8_t* can_owner = NULL;
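Review bot: The two added `@param` lines describe the new arguments but not the new contract: with `section == LDNS_SECTION_AUTHORITY` and an NSEC rrset, rrset_canonical now rewrites `k->rk.dname` and `k->rk.dname_len` of the rrset key it is given, so `k` is no longer a read-only input and the existing description of `k` (above this hunk) is now incomplete. Suggest stating the side effect where `k` is documented, e.g. `* @param k: the rrset to canonicalize. For an NSEC rrset from the authority section its owner name is replaced (in qstate->region) by the canonical owner.`, and tightening the qstate line to `* @param qstate: qstate with region; must be non-NULL when section is LDNS_SECTION_AUTHORITY.`. The body of rrset_canonical continues past the end of this hunk.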
@@ -1175,6 +1182,20 @@ rrset_canonical(struct regional* region, sldns_buffer* buf,
canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
}
sldns_buffer_flip(buf);
+
+ /* Replace RR owner with canonical owner for NSEC records in authority
+ * section, to prevent that a wildcard synthesized NSEC can be used in
+ * the non-existence proves. */
+ if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
+ section == LDNS_SECTION_AUTHORITY) {
+ k->rk.dname = regional_alloc_init(qstate->region, can_owner,
+ can_owner_len);
+ if(!k->rk.dname)
+ return 0;
+ k->rk.dname_len = can_owner_len;
+ }
+
+
return 1;
}
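Review bot: `qstate->region` is dereferenced at the new regional_alloc_init call without a NULL check, and qstate is a pass-through parameter that this change cannot guarantee non-NULL from every caller; a caller passing NULL is safe only because the `section == LDNS_SECTION_AUTHORITY` test short-circuits first, so that coupling deserves to be explicit, e.g. `log_assert(qstate);` at the top of the new block or `section == LDNS_SECTION_AUTHORITY && qstate) {` in the condition. Overwriting `k->rk.dname` also leaves any hash previously derived from the old owner name in `k->entry.hash` stale; whether every path that later inserts this rrset into a cache recomputes the hash from `rk` should be confirmed, and a comment noting that the caller is responsible for that would help the next reader. The new comment's `non-existence proves` reads better as `non-existence proofs`, and the two consecutive blank lines before `return 1;` look unintentional. The start of rrset_canonical, where can_owner and can_owner_len are computed, lies outside this hunk.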
@@ -1318,7 +1339,8 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
struct val_env* ve, time_t now,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
size_t dnskey_idx, size_t sig_idx,
- struct rbtree_type** sortree, int* buf_canon, char** reason)
+ struct rbtree_type** sortree, int* buf_canon, char** reason,
+ sldns_pkt_section section, struct module_qstate* qstate)
{
enum sec_status sec;
uint8_t* sig; /* RRSIG rdata */
@@ -1417,7 +1439,7 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
/* create rrset canonical format in buffer, ready for
* signature */
if(!rrset_canonical(region, buf, rrset, sig+2,
- 18 + signer_len, sortree)) {
+ 18 + signer_len, sortree, section, qstate)) {
log_err("verify: failed due to alloc error");
return sec_status_unchecked;
}