File unbound-cve-2009-3602.patch of Package unbound
Index: unbound-1.0.0/validator/val_nsec3.c
===================================================================
--- unbound-1.0.0.orig/validator/val_nsec3.c
+++ unbound-1.0.0/validator/val_nsec3.c
@@ -1170,6 +1170,26 @@ nsec3_prove_wildcard(struct module_env*
 return sec_status_secure;
 }
 
+/** test if list is all secure */
+static int
+list_is_secure(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key** list, size_t num,
+ struct key_entry_key* kkey)
+{
+ size_t i;
+ enum sec_status sec;
+ for(i=0; i<num; i++) {
+ if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
+ continue;
+ sec = val_verify_rrset_entry(env, ve, list[i], kkey);
+ if(sec != sec_status_secure) {
+ verbose(VERB_ALGO, "NSEC3 did not verify");
+ return 0;
+ }
+ }
+ return 1;
+}
+
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key** list, size_t num,
@@ -1184,6 +1204,8 @@ nsec3_prove_nods(struct module_env* env,
 
 if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
 return sec_status_bogus; /* no valid NSEC3s, bogus */
+ if(!list_is_secure(env, ve, list, num, kkey))
+ return sec_status_bogus; /* not all NSEC3 records secure */
 rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
 filter_init(&flt, list, num, qinfo); /* init RR iterator */
 if(!flt.zone)
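Review bot: The doc comment on `list_is_secure` says less than the function does: the loop skips every rrset whose type is not NSEC3, so a list that holds no NSEC3 rrsets at all returns 1 without a single call to `val_verify_rrset_entry`. That is safe only if the caller rejects an empty NSEC3 set on its own, and the helper should say so where it is defined. I would replace the comment with `/** Verify every NSEC3 rrset in list against kkey; other types are skipped. Returns 1 if none failed (also when no NSEC3 is present), 0 otherwise. */`. The `verbose` line also does not identify which rrset failed, which makes a bogus answer harder to trace from the log.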
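Review bot: Only `nsec3_prove_nods` gains the `list_is_secure` guard in this patch, and nothing visible here records why the other proof functions in val_nsec3.c (for instance `nsec3_prove_wildcard`, named in the first hunk header) do not need it. Presumably their callers have already verified the rrsets they pass in, but that cannot be confirmed from these hunks and is worth checking against each caller. If that is the reason, a comment at the new check would keep the assumption from getting lost, e.g. `/* NSEC3s for the no-DS proof are not verified by the caller; check every one before hashing */`. The body of `nsec3_prove_nods` starts before and continues after the hunk.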