Merge branch '16-security-mirror-key-check' into security-master

b1e29022 · Evan Hunt · 6923a803 · 03278d60 · b1e29022 · b1e29022
Commit b1e29022 authored Oct 01, 2019 by Evan Hunt
--- a/CHANGES
+++ b/CHANGES
-5299.	[placeholder]
+5299.	[security]	A flaw in DNSSEC verification when transferring
+			mirror zones could allow data to be incorrectly
+			marked valid. (CVE-2019-6475) [GL #16P]
  
 5298.	[security]	Named could assert if a forwarder returned a
 			referral, rather than resolving the query, when QNAME

--- a/doc/arm/notes-sec-fixes.xml
+++ b/doc/arm/notes-sec-fixes.xml
@@ -42,5 +42,12 @@
 	disclosed in CVE-2019-6476. [GL #1501]
      </para>
    </listitem>
+    <listitem>
+      <para>
+	A flaw in DNSSEC verification when transferring mirror zones
+	could allow data to be incorrectly marked valid. This flaw
+	is disclosed in CVE-2019-6475. [GL #16P]
+      </para>
+    </listitem>
  </itemizedlist>
 </section>
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1503,9 +1503,9 @@ static isc_result_t
 check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 		  dns_rdata_t *rdata, bool is_ksk)
 {
-	unsigned char *active_keys, *standby_keys;
+	unsigned char *active_keys = NULL, *standby_keys = NULL;
 	dns_keynode_t *keynode = NULL;
-	bool *goodkey;
+	bool *goodkey = NULL;
 	dst_key_t *key = NULL;
 	isc_result_t result;

@@ -1551,42 +1551,48 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 	}
+
 	result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
 					  dst_key_alg(key), dst_key_id(key),
 					  &keynode);
-	switch (result) {
-	case ISC_R_SUCCESS:
-		/*
-		 * The supplied key is a trust anchor.
-		 */
-		dns_keytable_detachkeynode(vctx->secroots, &keynode);
-		dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
-		dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
-		*goodkey = true;
-		break;
-	case DNS_R_PARTIALMATCH:
-	case ISC_R_NOTFOUND:
-		/*
-		 * The supplied key is not present in the trust anchor table,
-		 * but other keys signing the DNSKEY RRset may be, so this is
-		 * not an error, we just do not set 'vctx->good[kz]sk'.
-		 */
-		result = ISC_R_SUCCESS;
-		break;
-	default:
-		/*
-		 * An error occurred while searching the trust anchor table,
-		 * return it to the caller.
-		 */
-		break;
-	}

 	/*
-	 * Clean up.
+	 * No such trust anchor.
 	 */
-	dst_key_free(&key);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}

-	return (result);
+		goto cleanup;
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		dns_keynode_t *nextnode = NULL;
+
+		if (dst_key_compare(key, dns_keynode_key(keynode))) {
+			dns_keytable_detachkeynode(vctx->secroots, &keynode);
+			dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+			dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
+			*goodkey = true;
+
+			goto cleanup;
+		}
+
+		result = dns_keytable_findnextkeynode(vctx->secroots,
+						      keynode, &nextnode);
+		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+		keynode = nextnode;
+	}
+
+ cleanup:
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+	}
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+	return (ISC_R_SUCCESS);
 }

 /*%