Commit b1e29022 authored by Evan Hunt's avatar Evan Hunt
Browse files

Merge branch '16-security-mirror-key-check' into security-master

parents 6923a803 03278d60
5299. [placeholder]
5299. [security] A flaw in DNSSEC verification when transferring
mirror zones could allow data to be incorrectly
marked valid. (CVE-2019-6475) [GL #16P]
 
5298. [security] Named could assert if a forwarder returned a
referral, rather than resolving the query, when QNAME
......
......@@ -42,5 +42,12 @@
disclosed in CVE-2019-6476. [GL #1501]
</para>
</listitem>
<listitem>
<para>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #16P]
</para>
</listitem>
</itemizedlist>
</section>
......@@ -1503,9 +1503,9 @@ static isc_result_t
check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
dns_rdata_t *rdata, bool is_ksk)
{
unsigned char *active_keys, *standby_keys;
unsigned char *active_keys = NULL, *standby_keys = NULL;
dns_keynode_t *keynode = NULL;
bool *goodkey;
bool *goodkey = NULL;
dst_key_t *key = NULL;
isc_result_t result;
......@@ -1551,42 +1551,48 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
if (result != ISC_R_SUCCESS) {
return (result);
}
result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
dst_key_alg(key), dst_key_id(key),
&keynode);
switch (result) {
case ISC_R_SUCCESS:
/*
* The supplied key is a trust anchor.
*/
dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = true;
break;
case DNS_R_PARTIALMATCH:
case ISC_R_NOTFOUND:
/*
* The supplied key is not present in the trust anchor table,
* but other keys signing the DNSKEY RRset may be, so this is
* not an error, we just do not set 'vctx->good[kz]sk'.
*/
result = ISC_R_SUCCESS;
break;
default:
/*
* An error occurred while searching the trust anchor table,
* return it to the caller.
*/
break;
}
/*
* Clean up.
* No such trust anchor.
*/
dst_key_free(&key);
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
}
return (result);
goto cleanup;
}
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
if (dst_key_compare(key, dns_keynode_key(keynode))) {
dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = true;
goto cleanup;
}
result = dns_keytable_findnextkeynode(vctx->secroots,
keynode, &nextnode);
dns_keytable_detachkeynode(vctx->secroots, &keynode);
keynode = nextnode;
}
cleanup:
if (keynode != NULL) {
dns_keytable_detachkeynode(vctx->secroots, &keynode);
}
if (key != NULL) {
dst_key_free(&key);
}
return (ISC_R_SUCCESS);
}
/*%
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment