Merge pull request #9240 from poettering/ds-validate

resolved: fix DNSKEY validation by DS RR
2018-06-08 20:44:01 +02:00 · 2018-06-08 20:44:01 +02:00 · b5cbe199c7
parent ee73a176a2 5e55cde9b8
commit b5cbe199c7
5 changed files with 13 additions and 9 deletions
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@ -79,7 +79,7 @@
    <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in
    <filename>/etc/systemd/network/*.network</filename> files (in case
    <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> is
-    used), the per-link dynamic settings received over DHCP and any DNS server information made available by other
+    used), the per-link dynamic settings received over DHCP, and any DNS server information made available by other
    system services. See
    <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details
--- a/src/libsystemd-network/dhcp6-option.c
+++ b/src/libsystemd-network/dhcp6-option.c
@ -141,7 +141,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
 }

 int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn) {
-        uint8_t buffer[1 + DNS_WIRE_FOMAT_HOSTNAME_MAX];
+        uint8_t buffer[1 + DNS_WIRE_FORMAT_HOSTNAME_MAX];
        int r;

        assert_return(buf && *buf && buflen && fqdn, -EINVAL);
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -700,7 +700,7 @@ int dnssec_verify_rrset(
                usec_t realtime,
                DnssecResult *result) {

-        uint8_t wire_format_name[DNS_WIRE_FOMAT_HOSTNAME_MAX];
+        uint8_t wire_format_name[DNS_WIRE_FORMAT_HOSTNAME_MAX];
        DnsResourceRecord **list, *rr;
        const char *source, *name;
        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
@ -1153,7 +1153,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) {
 }

 int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
-        char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
+        uint8_t wire_format[DNS_WIRE_FORMAT_HOSTNAME_MAX];
        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
        size_t hash_size;
        int md_algorithm, r;
@ -1192,7 +1192,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
        if (ds->ds.digest_size != hash_size)
                return 0;

-        r = dnssec_canonicalize(dns_resource_key_name(dnskey->key), owner_name, sizeof(owner_name));
+        r = dns_name_to_wire_format(dns_resource_key_name(dnskey->key), wire_format, sizeof(wire_format), true);
        if (r < 0)
                return r;

@ -1200,7 +1200,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
        if (!md)
                return -EIO;

-        gcry_md_write(md, owner_name, r);
+        gcry_md_write(md, wire_format, r);
        if (mask_revoke)
                md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE);
        else
@ -1213,7 +1213,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
        if (!result)
                return -EIO;

-        return memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;
+        return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0;
 }

 int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
@ -1269,7 +1269,7 @@ static int nsec3_hash_to_gcrypt_md(uint8_t algorithm) {
 }

 int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
-        uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
+        uint8_t wire_format[DNS_WIRE_FORMAT_HOSTNAME_MAX];
        gcry_md_hd_t md = NULL;
        size_t hash_size;
        int algorithm;
--- a/src/resolve/test-dnssec-complex.c
+++ b/src/resolve/test-dnssec-complex.c
@ -146,6 +146,10 @@ int main(int argc, char* argv[]) {
        test_rr_lookup(bus, ".wilda.rhybar.ecdsa.0skar.cz", DNS_TYPE_A, BUS_ERROR_DNSSEC_FAILED);
        test_hostname_lookup(bus, ".wilda.rhybar.ecdsa.0skar.cz", AF_INET, BUS_ERROR_DNSSEC_FAILED);

+        /* Missing DS for DNSKEY */
+        test_rr_lookup(bus, "www.dnssec-bogus.sg", DNS_TYPE_A, BUS_ERROR_DNSSEC_FAILED);
+        test_hostname_lookup(bus, "www.dnssec-bogus.sg", AF_INET, BUS_ERROR_DNSSEC_FAILED);
+
        /* NXDOMAIN in NSEC domain */
        test_rr_lookup(bus, "hhh.nasa.gov", DNS_TYPE_A, _BUS_ERROR_DNS "NXDOMAIN");
        test_hostname_lookup(bus, "hhh.nasa.gov", AF_UNSPEC, _BUS_ERROR_DNS "NXDOMAIN");
--- a/src/shared/dns-domain.h
+++ b/src/shared/dns-domain.h
@ -25,7 +25,7 @@
 #define DNS_HOSTNAME_MAX 253

 /* Maximum length of a full hostname, on the wire, including the final NUL byte */
-#define DNS_WIRE_FOMAT_HOSTNAME_MAX 255
+#define DNS_WIRE_FORMAT_HOSTNAME_MAX 255

 /* Maximum number of labels per valid hostname */
 #define DNS_N_LABELS_MAX 127