diff options
| author |   sthen <sthen@openbsd.org> | 2017-08-12 11:22:45 +0000 |
|---|---|---|
| committer | sthen <sthen@openbsd.org> | 2017-08-12 11:22:45 +0000 |
| commit | 2be9e038cdf8e9bb60fc3afb4a2f01fcd3263713 (patch) | |
| tree | 304f9b960b1b02dbc747cbb456481bc5628c1519 /usr.sbin/unbound/validator/val_utils.c | |
| parent | add a new option to set limits on max-sessions each IPCP. (diff) | |
| download | wireguard-openbsd-2be9e038cdf8e9bb60fc3afb4a2f01fcd3263713.tar.xz wireguard-openbsd-2be9e038cdf8e9bb60fc3afb4a2f01fcd3263713.zip | |
update to unbound 1.6.4, ok florian@
Diffstat (limited to 'usr.sbin/unbound/validator/val_utils.c')
| -rw-r--r-- | usr.sbin/unbound/validator/val_utils.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/usr.sbin/unbound/validator/val_utils.c b/usr.sbin/unbound/validator/val_utils.c index da8066aad7e..e4eff1b2523 100644 --- a/usr.sbin/unbound/validator/val_utils.c +++ b/usr.sbin/unbound/validator/val_utils.c @@ -54,6 +54,7 @@ #include "util/net_help.h" #include "util/module.h" #include "util/regional.h" +#include "util/config_file.h" #include "sldns/wire2str.h" #include "sldns/parseutil.h" @@ -495,16 +496,21 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, return sec_status_bogus; } - digest_algo = val_favorite_ds_algo(ds_rrset); - if(sigalg) + if(sigalg) { + /* harden against algo downgrade is enabled */ + digest_algo = val_favorite_ds_algo(ds_rrset); algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); + } else { + /* accept any key algo, any digest algo */ + digest_algo = -1; + } num = rrset_get_count(ds_rrset); for(i=0; i<num; i++) { /* Check to see if we can understand this DS. * And check it is the strongest digest */ if(!ds_digest_algo_is_supported(ds_rrset, i) || !ds_key_algo_is_supported(ds_rrset, i) || - ds_get_digest_algo(ds_rrset, i) != digest_algo) { + (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) { continue; } @@ -909,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index) } void -val_check_nonsecure(struct val_env* ve, struct reply_info* rep) +val_check_nonsecure(struct module_env* env, struct reply_info* rep) { size_t i; /* authority */ @@ -950,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep) } } /* additional */ - if(!ve->clean_additional) + if(!env->cfg->val_clean_additional) return; for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) |