Commit 8dac5cd7 authored by Vladimír Čunát's avatar Vladimír Čunát

zonecut: fix possible opportunities to use insecure

... data from cache as keys for validation
parent d8fed142
Knot Resolver 1.3.2 (2017-07-xx) Knot Resolver 1.3.2 (2017-07-xx)
================================ ================================
Security
--------
- fix possible opportunities to use insecure data from cache as keys
for validation
Bugfixes Bugfixes
-------- --------
- daemon: check existence of config file even if rundir isn't specified - daemon: check existence of config file even if rundir isn't specified
......
...@@ -354,6 +354,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut, ...@@ -354,6 +354,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
/* Note: we accept *any* rank from the cache. We assume that nothing
* completely untrustworthy could get into the cache, e.g out-of-bailiwick
* records that weren't validated.
*/
/* Materialize as we'll going to do more cache lookups. */ /* Materialize as we'll going to do more cache lookups. */
knot_rrset_t rr_copy; knot_rrset_t rr_copy;
...@@ -384,10 +388,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut, ...@@ -384,10 +388,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
} }
/** /**
* Fetch RRSet of given type. (and of reasonable trustworthiness) * Fetch secure RRSet of given type.
*/ */
static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache, static int fetch_secure_rrset(knot_rrset_t **rr, struct kr_cache *cache,
const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp) const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
{ {
if (!rr) { if (!rr) {
return kr_error(ENOENT); return kr_error(ENOENT);
...@@ -401,8 +405,7 @@ static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache, ...@@ -401,8 +405,7 @@ static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE) const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE);
|| (kr_rank_test(rank, KR_RANK_INSECURE) && kr_rank_test(rank, KR_RANK_AUTH));
if (!rankOK) { if (!rankOK) {
return kr_error(ENOENT); return kr_error(ENOENT);
} }
...@@ -448,9 +451,9 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut, const ...@@ -448,9 +451,9 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut, const
} }
/* Fetch DS and DNSKEY if caller wants secure zone cut */ /* Fetch DS and DNSKEY if caller wants secure zone cut */
if (*secured || is_root) { if (*secured || is_root) {
fetch_rrset(&cut->trust_anchor, &ctx->cache, label, fetch_secure_rrset(&cut->trust_anchor, &ctx->cache, label,
KNOT_RRTYPE_DS, cut->pool, timestamp); KNOT_RRTYPE_DS, cut->pool, timestamp);
fetch_rrset(&cut->key, &ctx->cache, label, fetch_secure_rrset(&cut->key, &ctx->cache, label,
KNOT_RRTYPE_DNSKEY, cut->pool, timestamp); KNOT_RRTYPE_DNSKEY, cut->pool, timestamp);
} }
update_cut_name(cut, label); update_cut_name(cut, label);
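Review bot: Both `fetch_secure_rrset()` calls in `kr_zonecut_find_cached` still discard the return value, and with the rank test narrowed to `KR_RANK_SECURE` a `kr_error(ENOENT)` result for cached but unvalidated DS/DNSKEY is now an expected path rather than a rare one. What `cut->trust_anchor` and `cut->key` hold after such a failure is not visible here (both functions start and end outside the shown hunks), so a reader cannot confirm that the cut never keeps keys from an earlier state. If the hidden part of `fetch_secure_rrset` leaves `*rr` untouched on failure, I would say so at the call site, e.g. `/* Best effort: on failure (incl. non-secure rank) cut->trust_anchor / cut->key are left as they were. */`, or clear the two pointers explicitly when the call returns non-zero. The docstring could also state the contract, e.g. `* Fetch secure RRSet of given type; returns kr_error(ENOENT) if the cached rank is not KR_RANK_SECURE.`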
......