File unbound-cve-2009-3602.patch of Package unbound

Overview Repositories Revisions Requests Users Attributes Meta

File unbound-cve-2009-3602.patch of Package unbound

Index: unbound-1.0.0/validator/val_nsec3.c
===================================================================
--- unbound-1.0.0.orig/validator/val_nsec3.c
+++ unbound-1.0.0/validator/val_nsec3.c
@@ -1170,6 +1170,26 @@ nsec3_prove_wildcard(struct module_env*
 	return sec_status_secure;
 }
 
+/** test if list is all secure */
+static int
+list_is_secure(struct module_env* env, struct val_env* ve,
+       struct ub_packed_rrset_key** list, size_t num,
+       struct key_entry_key* kkey)
+{
+       size_t i;
+       enum sec_status sec;
+       for(i=0; i<num; i++) {
+               if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
+                       continue;
+               sec = val_verify_rrset_entry(env, ve, list[i], kkey);
+               if(sec != sec_status_secure) {
+                       verbose(VERB_ALGO, "NSEC3 did not verify");
+                       return 0;
+               }
+       }
+       return 1;
+}
+
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key** list, size_t num,
@@ -1184,6 +1204,8 @@ nsec3_prove_nods(struct module_env* env,
 
 	if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
 		return sec_status_bogus; /* no valid NSEC3s, bogus */
+	if(!list_is_secure(env, ve, list, num, kkey))
+		return sec_status_bogus; /* not all NSEC3 records secure */
 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
 	if(!flt.zone)

Places

File unbound-cve-2009-3602.patch of Package unbound

Places