Commit a9aba58e authored by Grigorii Demidov's avatar Grigorii Demidov

layer/validate: additional check when validating CNAME chain

parent 897fafdb
......@@ -65,6 +65,7 @@ typedef struct {
struct ranked_rr_array_entry {
uint32_t qry_uid;
uint8_t rank;
uint8_t revalidation_cnt;
_Bool cached;
_Bool yielded;
_Bool to_wire;
......
......@@ -37,6 +37,8 @@
#define VERBOSE_MSG(qry, fmt...) QRVERBOSE(qry, "vldr", fmt)
#define MAX_REVALIDATION_CNT 2
/**
* Search in section for given type.
* @param sec Packet section.
......@@ -267,7 +269,8 @@ static void mark_insecure_parents(const struct kr_query *qry)
while (parent && ((parent->flags & cut_flags) == 0)) {
parent->flags &= ~QUERY_DNSSEC_WANT;
parent->flags |= QUERY_DNSSEC_INSECURE;
if (parent->stype != KNOT_RRTYPE_DS) {
if (parent->stype != KNOT_RRTYPE_DS &&
parent->stype != KNOT_RRTYPE_RRSIG) {
break;
}
parent = parent->parent;
......@@ -406,13 +409,6 @@ static int rrsig_not_found(kr_layer_t *ctx, const knot_rrset_t *rr)
struct kr_request *req = ctx->req;
struct kr_query *qry = req->current_query;
if (knot_dname_is_equal(rr->owner, qry->zone_cut.name) ||
ctx->state == KR_STATE_YIELD) {
/* Already yielded for revalidation. */
VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KR_STATE_FAIL;
}
VERBOSE_MSG(qry, ">< no RRSIGs found\n");
struct kr_zonecut *cut = &qry->zone_cut;
const knot_dname_t *cut_name_start = qry->zone_cut.name;
......@@ -455,7 +451,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
int ret = KR_STATE_DONE;
struct kr_request *req = ctx->req;
struct kr_query *qry = req->current_query;
const ranked_rr_array_entry_t *invalid_entry = NULL;
ranked_rr_array_entry_t *invalid_entry = NULL;
for (size_t i = 0; i < arr->len; ++i) {
ranked_rr_array_entry_t *entry = arr->at[i];
if (entry->yielded) {
......@@ -477,6 +473,13 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
return ret;
}
if ((invalid_entry->rank != KR_VLDRANK_SECURE) &&
(++(invalid_entry->revalidation_cnt) > MAX_REVALIDATION_CNT)) {
VERBOSE_MSG(qry, "<= continuous revalidation, fails\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KR_STATE_FAIL;
}
const knot_rrset_t *rr = invalid_entry->rr;
if (invalid_entry->rank == KR_VLDRANK_MISMATCH) {
const knot_dname_t *signer_name = knot_rrsig_signer_name(&rr->rrs, 0);
......@@ -657,7 +660,10 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
VERBOSE_MSG(qry, "<= can't prove NODATA due to optout, going insecure\n");
qry->flags &= ~QUERY_DNSSEC_WANT;
qry->flags |= QUERY_DNSSEC_INSECURE;
/* Could not return here, we must to update parent query */
/* Could not return from here,
* we must continue and
* call update_parent_keys() to mark
* parent queries as insecured */
} else {
VERBOSE_MSG(qry, "<= bad NODATA proof\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
......
......@@ -457,6 +457,7 @@ int kr_ranked_rrarray_add(ranked_rr_array_t *array, const knot_rrset_t *rr,
entry->qry_uid = qry_uid;
entry->rr = copy;
entry->rank = rank;
entry->revalidation_cnt = 0;
entry->cached = false;
entry->yielded = false;
entry->to_wire = to_wire;
......
......@@ -94,6 +94,7 @@ typedef array_t(knot_rrset_t *) rr_array_t;
struct ranked_rr_array_entry {
uint32_t qry_uid;
uint8_t rank;
uint8_t revalidation_cnt;
bool cached;
bool yielded;
bool to_wire;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment