Commit 249bec72 authored by Mark Andrews's avatar Mark Andrews

9.1.1-P3

parent b39f966a
--- 9.1.1-P3 released ---
2126. [security] Serialise validation of type ANY responses. [RT #16555]
--- 9.1.1-P2 released ---
1499. [bug] isc_random need to be seeded better if arc4random()
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.h,v 1.17.2.1 2001/01/09 22:46:27 bwelling Exp $ */
/* $Id: validator.h,v 1.17.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
......@@ -111,6 +111,11 @@ struct dns_validator {
ISC_LINK(dns_validator_t) link;
};
/*%
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DEFER 2U
ISC_LANG_BEGINDECLS
isc_result_t
......@@ -153,6 +158,15 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
* part of a known insecure domain.
*/
void
dns_validator_send(dns_validator_t *validator);
/*%<
* Send a deferred validation request
*
* Requires:
* 'validator' to points to a valid DNSSEC validator.
*/
void
dns_validator_cancel(dns_validator_t *validator);
/*
......
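Review bot: The comment on dns_validator_send() leaves out the precondition that the implementation enforces: the validator must have been created with DNS_VALIDATOR_DEFER and not yet sent, otherwise the INSIST in validator.c fires. I would reword the Requires entry to `'validator' points to a valid DNSSEC validator that was created with DNS_VALIDATOR_DEFER and has not yet been sent.`, which also fixes the "to points" typo. The comment above `DNS_VALIDATOR_DEFER` could say what the option does, for example `Create the validator without starting it; start it later with dns_validator_send().`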
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.187.2.9.4.1 2002/06/01 02:13:13 marka Exp $ */
/* $Id: resolver.c,v 1.187.2.9.4.2 2007/01/23 23:42:23 marka Exp $ */
#include <config.h>
......@@ -701,6 +701,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS)
return (result);
INSIST(ISC_LIST_EMPTY(fctx->validators));
dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
query = isc_mem_get(res->mctx, sizeof *query);
......@@ -2373,12 +2375,21 @@ maybe_destroy(fetchctx_t *fctx) {
unsigned int bucketnum;
isc_boolean_t bucket_empty = ISC_FALSE;
dns_resolver_t *res = fctx->res;
dns_validator_t *validator;
REQUIRE(SHUTTINGDOWN(fctx));
if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
if (fctx->pending != 0)
return;
for (validator = ISC_LIST_HEAD(fctx->validators);
validator != NULL;
validator = ISC_LIST_HEAD(fctx->validators)) {
ISC_LIST_UNLINK(fctx->validators, validator, link);
dns_validator_cancel(validator);
dns_validator_destroy(&validator);
}
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
if (fctx->references == 0)
......@@ -2549,7 +2560,9 @@ validated(isc_task_t *task, isc_event_t *event) {
goto noanswer_response;
}
if (sentresponse) {
if (!ISC_LIST_EMPTY(fctx->validators))
dns_validator_send(ISC_LIST_HEAD(fctx->validators));
else if (sentresponse) {
/*
* If we only deferred the destroy because we wanted to cache
* the data, destroy now.
......@@ -2569,6 +2582,7 @@ validated(isc_task_t *task, isc_event_t *event) {
* more rdatasets that still need to
* be validated.
*/
dns_validator_send(ISC_LIST_HEAD(fctx->validators));
goto cleanup_event;
}
......@@ -2617,6 +2631,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
unsigned int options;
isc_task_t *task;
dns_validator_t *validator;
unsigned int valoptions = 0;
/*
* The appropriate bucket lock must be held.
......@@ -2805,15 +2820,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
rdataset,
sigrdataset,
fctx->rmessage,
0,
valoptions,
task,
validated,
fctx,
&validator);
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS) {
ISC_LIST_APPEND(
fctx->validators,
validator, link);
valoptions |=
DNS_VALIDATOR_DEFER;
}
}
}
} else if (!EXTERNAL(rdataset)) {
......@@ -2886,7 +2904,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
valrdataset,
valsigrdataset,
fctx->rmessage,
0,
valoptions,
task,
validated,
fctx,
......
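Review bot: In cache_name, `valoptions` is a local that starts at 0 on every call, so DNS_VALIDATOR_DEFER is applied only to the second and later validators created within one call. If cache_name runs more than once for the same fetch while earlier validators are still queued (its callers are outside these hunks), a later call would append another undeferred validator behind deferred ones; validated() then hands the list head to dns_validator_send(), whose INSIST requires the DEFER flag, so a non-deferred head would abort the server. Deriving the initial value from the list keeps the one-at-a-time invariant independent of how often the function is called: `unsigned int valoptions = ISC_LIST_EMPTY(fctx->validators) ? 0 : DNS_VALIDATOR_DEFER;`. The new loop in maybe_destroy also destroys each validator immediately after cancelling it, and it is worth confirming that this is safe for the validator that is already running, since the visible dns_validator_cancel change handles only the deferred case. cache_name and validated both continue outside the hunks.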
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.87.2.1 2001/01/09 22:44:26 bwelling Exp $ */
/* $Id: validator.c,v 1.87.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */
#include <config.h>
......@@ -1512,7 +1512,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
isc_task_send(task, (isc_event_t **)&event);
if ((options & DNS_VALIDATOR_DEFER) == 0)
isc_task_send(task, (isc_event_t **)&event);
*validatorp = val;
......@@ -1529,6 +1530,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
return (result);
}
void
dns_validator_send(dns_validator_t *validator) {
isc_event_t *event;
REQUIRE(VALID_VALIDATOR(validator));
LOCK(&validator->lock);
INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
event = (isc_event_t *)validator->event;
validator->options &= ~DNS_VALIDATOR_DEFER;
UNLOCK(&validator->lock);
isc_task_send(validator->task, &event);
}
void
dns_validator_cancel(dns_validator_t *validator) {
REQUIRE(VALID_VALIDATOR(validator));
......@@ -1548,6 +1564,13 @@ dns_validator_cancel(dns_validator_t *validator) {
if (validator->authvalidator != NULL)
dns_validator_cancel(validator->authvalidator);
if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
isc_task_t *task = validator->event->ev_sender;
validator->options &= ~DNS_VALIDATOR_DEFER;
isc_event_free((isc_event_t **)&validator->event);
isc_task_detach(&task);
}
}
UNLOCK(&validator->lock);
}
......
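Review bot: dns_validator_send() and the new deferred branch in dns_validator_cancel() carry no comments on who owns `validator->event`, which is the part a later change is most likely to get wrong. In dns_validator_send I would add `/* Clear DEFER under the lock so a concurrent cancel cannot also free the event we are about to send. */` above the flag update. In the cancel branch I would add `/* Deferred: the event was never sent, so free it and detach the task taken from ev_sender; no completion event is delivered. */`. The second comment matters to callers, because code that waits for the completion callback before unlinking a validator will never get one for a cancelled deferred validator. dns_validator_cancel begins outside the hunk, so the surrounding condition is not visible here.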
# $Id: version,v 1.18.4.13.4.2 2003/09/01 05:31:27 marka Exp $
# $Id: version,v 1.18.4.13.4.3 2007/01/23 23:42:23 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
......@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=1
PATCHVER=1
RELEASETYPE=-P
RELEASEVER=2
RELEASEVER=3