authordougb <dougb@FreeBSD.org>2010-12-04 05:58:56 +0000
committerdougb <dougb@FreeBSD.org>2010-12-04 05:58:56 +0000
commit63d4368df223bad2a05f63e74fc3c3d7ba334775 (patch)
treef01f0fcdfd363df827bfbc878514d9fc94ccdca9 /contrib/bind9/lib
parent0ff0fd520ddd39c32c55398023b24fe199cbc02b (diff)
parentd2262df647cb68b7a55a79623696e646c546774e (diff)
Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities. For more information regarding these issues please see:

http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

Affects resolver operators who are validating with DNSSEC, and querying zones which are in a key rollover period. The bug will cause answers to incorrectly be marked as insecure.
Diffstat (limited to 'contrib/bind9/lib')
-rw-r--r--contrib/bind9/lib/dns/api4
-rw-r--r--contrib/bind9/lib/dns/include/dns/view.h6
-rw-r--r--contrib/bind9/lib/dns/journal.c21
-rw-r--r--contrib/bind9/lib/dns/rbtdb.c65
-rw-r--r--contrib/bind9/lib/dns/validator.c58
-rw-r--r--contrib/bind9/lib/dns/view.c8
-rw-r--r--contrib/bind9/lib/isc/api2
-rw-r--r--contrib/bind9/lib/isc/print.c6
8 files changed, 131 insertions, 39 deletions
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
index b1adf784..82e6786 100644
--- a/contrib/bind9/lib/dns/api
+++ b/contrib/bind9/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 57
+LIBINTERFACE = 58
LIBREVISION = 0
-LIBAGE = 2
+LIBAGE = 0
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
index 5b53c16..0b4dedc 100644
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ b/contrib/bind9/lib/dns/include/dns/view.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
@@ -118,6 +118,8 @@ struct dns_view {
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
dns_transfer_format_t transfer_format;
+ dns_acl_t * cacheacl;
+ dns_acl_t * cacheonacl;
dns_acl_t * queryacl;
dns_acl_t * queryonacl;
dns_acl_t * recursionacl;
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
index 638e647..933576f 100644
--- a/contrib/bind9/lib/dns/journal.c
+++ b/contrib/bind9/lib/dns/journal.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.c,v 1.103.48.6 2009/11/04 23:47:25 tbox Exp $ */
+/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */
#include <config.h>
@@ -2173,6 +2173,12 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
indexend = new->header.end.offset;
}
+
+ /*
+ * Close both journals before trying to rename files (this is
+ * necessary on WIN32).
+ */
+ dns_journal_destroy(&j);
dns_journal_destroy(&new);
/*
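Review bot: Moving `dns_journal_destroy(&j)` ahead of the rename means the `failure:` label further down (outside this hunk) is now reached with `j` already destroyed on the success path; since the journal is passed by address it is presumably reset to NULL, and the cleanup under that label must tolerate a NULL `j` — worth confirming, because the old location of the call (removed in the hunk at L111–L116) guaranteed exactly one destroy. The new comment explains the WIN32 motivation but not this ordering constraint; I would extend it with `* Both journals must be closed before any rename below, and the failure: path must cope with j already being NULL.` The enclosing dns_journal_compact() begins before and ends after this hunk.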
@@ -2180,12 +2186,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
* Any IXFR outs will just continue and the old journal will be
* removed on final close.
*
- * With MSDOS / NTFS we need to do a two stage rename triggered
- * bu EEXISTS. Hopefully all IXFR's that were active at the last
- * rename are now complete.
+ * With MSDOS / NTFS we need to do a two stage rename, triggered
+ * by EEXIST. (If any IXFR's are running in other threads, however,
+ * this will fail, and the journal will not be compacted. But
+ * if so, hopefully they'll be finished by the next time we
+ * compact.)
*/
if (rename(newname, filename) == -1) {
- if (errno == EACCES && !is_backup) {
+ if (errno == EEXIST && !is_backup) {
result = isc_file_remove(backup);
if (result != ISC_R_SUCCESS &&
result != ISC_R_FILENOTFOUND)
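Review bot: Only `errno == EEXIST` now triggers the two-stage rename; the replaced line treated `EACCES` as that signal, so on a platform whose rename wrapper reports an existing target as EACCES the backup path would be skipped and the fallthrough (outside the hunk) would decide the result. I cannot see the Win32 rename wrapper from here, so this is a hedge rather than a defect claim, but the errno value the platform actually returns should be checked against this branch. A short comment at the condition would anchor that assumption: `/* EEXIST: target exists and the platform refused to replace it (Win32) */`.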
@@ -2202,7 +2210,6 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
}
}
- dns_journal_destroy(&j);
result = ISC_R_SUCCESS;
failure:
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
index 538c228..f61b83b 100644
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ b/contrib/bind9/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.270.12.16.10.3 2010/08/13 07:25:21 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */
/*! \file */
@@ -5421,14 +5421,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
dns_rdataset_t *addedrdataset, isc_stdtime_t now)
{
rbtdb_changed_t *changed = NULL;
- rdatasetheader_t *topheader, *topheader_prev, *header;
+ rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
unsigned char *merged;
isc_result_t result;
isc_boolean_t header_nx;
isc_boolean_t newheader_nx;
isc_boolean_t merge;
dns_rdatatype_t rdtype, covers;
- rbtdb_rdatatype_t negtype;
+ rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
@@ -5466,7 +5466,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
topheader_prev = NULL;
-
+ sigheader = NULL;
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
@@ -5475,26 +5475,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* We're adding a negative cache entry.
*/
covers = RBTDB_RDATATYPE_EXT(newheader->type);
- if (covers == dns_rdatatype_any) {
+ sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+ covers);
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
/*
- * We're adding an negative cache entry
+ * If we're adding an negative cache entry
* which covers all types (NXDOMAIN,
* NODATA(QTYPE=ANY)).
*
* We make all other data stale so that the
* only rdataset that can be found at this
* node is the negative cache entry.
+ *
+ * Otherwise look for any RRSIGs of the
+ * given type so they can be marked stale
+ * later.
*/
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
+ if (covers == dns_rdatatype_any) {
set_ttl(rbtdb, topheader, 0);
topheader->attributes |=
RDATASET_ATTR_STALE;
- }
- rbtnode->dirty = 1;
- goto find_header;
+ rbtnode->dirty = 1;
+ } else if (topheader->type == sigtype)
+ sigheader = topheader;
}
+ if (covers == dns_rdatatype_any)
+ goto find_header;
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else {
/*
@@ -5732,6 +5740,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
if (rbtversion == NULL) {
set_ttl(rbtdb, header, 0);
header->attributes |= RDATASET_ATTR_STALE;
+ if (sigheader != NULL) {
+ set_ttl(rbtdb, sigheader, 0);
+ sigheader->attributes |=
+ RDATASET_ATTR_STALE;
+ }
}
idx = newheader->node->locknum;
if (IS_CACHE(rbtdb)) {
@@ -7071,6 +7084,8 @@ dns_rbtdb_create
* change.
*/
if (!IS_CACHE(rbtdb)) {
+ dns_rbtnode_t *nsec3node;
+
rbtdb->origin_node = NULL;
result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
&rbtdb->origin_node);
@@ -7094,6 +7109,32 @@ dns_rbtdb_create
dns_name_hash(&name, ISC_TRUE) %
rbtdb->node_lock_count;
#endif
+ /*
+ * Add an apex node to the NSEC3 tree so that NSEC3 searches
+ * return partial matches when there is only a single NSEC3
+ * record in the tree.
+ */
+ nsec3node = NULL;
+ result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
+ &nsec3node);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(result != ISC_R_EXISTS);
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+ nsec3node->nsec3 = 1;
+ /*
+ * We need to give the nsec3 origin node the right locknum.
+ */
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(nsec3node, &name);
+#ifdef DNS_RBT_USEHASH
+ nsec3node->locknum = nsec3node->hashval %
+ rbtdb->node_lock_count;
+#else
+ nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
+ rbtdb->node_lock_count;
+#endif
}
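Review bot: `dns_name_init(&name, NULL)` and `dns_rbt_namefromnode(nsec3node, &name)` execute unconditionally, but `name` is only read in the `#else` branch, so under DNS_RBT_USEHASH both calls are wasted work. This mirrors the origin-node code just above (L216), so keeping them consistent is defensible, but either moving the two calls under `#else` in both places or adding a comment saying why they are unconditional would settle it. `INSIST(result != ISC_R_EXISTS)` turns a duplicate apex into an assertion abort rather than an error return; that is presumably fine for a tree that was just created, and a one-line comment would make the expectation explicit: `/* nsec3 tree is freshly created here, so only allocation failure is expected */`. The enclosing dns_rbtdb_create() continues outside this hunk.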
/*
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index 90c18bc..fc6f454 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.164.12.11.10.6 2010/09/03 02:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */
#include <config.h>
@@ -393,6 +393,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
isc_boolean_t want_destroy;
isc_result_t result;
isc_result_t eresult;
+ isc_result_t saved_result;
UNUSED(task);
INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
@@ -429,6 +430,17 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
val->keyset = &val->frdataset;
}
result = validate(val, ISC_TRUE);
+ if (result == DNS_R_NOVALIDSIG &&
+ (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ {
+ saved_result = result;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ result = saved_result;
+ }
if (result != DNS_R_WAIT)
validator_done(val, result);
} else {
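Review bot: The eleven-line fallback block added here is repeated verbatim in keyvalidated() (the hunk at L289–L306); the two copies are the CVE-2010-3614 rollover fix and will need to evolve together, so a single static helper would keep them from drifting. Note also that `VALATTR_INSECURITY` stays set on `val->attributes` even when `proveunsecure()` returns `DNS_R_NOTINSECURE` and the result reverts to `saved_result`; I cannot tell from the hunk whether later code keys off that flag, so confirm that leaving it set is harmless. A helper such as the one below, called as `result = fallback_to_insecurity_proof(val, result);` right after `validate()` at both sites, would carry the explanation once. Both enclosing callbacks start before and end after their hunks.
```c
/*
 * If validate() found no usable signature without ever attempting a
 * verification, try to prove the name lies in an insecure zone instead.
 * Keeps the original DNS_R_NOVALIDSIG result if that proof fails outright.
 */
static isc_result_t
fallback_to_insecurity_proof(dns_validator_t *val, isc_result_t result) {
	isc_result_t presult;

	if (result != DNS_R_NOVALIDSIG ||
	    (val->attributes & VALATTR_TRIEDVERIFY) != 0)
		return (result);
	validator_log(val, ISC_LOG_DEBUG(3),
		      "falling back to insecurity proof");
	val->attributes |= VALATTR_INSECURITY;
	presult = proveunsecure(val, ISC_FALSE, ISC_FALSE);
	return ((presult == DNS_R_NOTINSECURE) ? result : presult);
}
```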
@@ -619,6 +631,7 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
isc_boolean_t want_destroy;
isc_result_t result;
isc_result_t eresult;
+ isc_result_t saved_result;
UNUSED(task);
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
@@ -645,6 +658,17 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
if (val->frdataset.trust >= dns_trust_secure)
(void) get_dst_key(val, val->siginfo, &val->frdataset);
result = validate(val, ISC_TRUE);
+ if (result == DNS_R_NOVALIDSIG &&
+ (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ {
+ saved_result = result;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ result = saved_result;
+ }
if (result != DNS_R_WAIT)
validator_done(val, result);
} else {
@@ -1875,9 +1899,11 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
* was known and "sufficiently good".
*/
if (!dns_resolver_algorithm_supported(val->view->resolver,
- event->name,
- val->siginfo->algorithm))
+ event->name,
+ val->siginfo->algorithm)) {
+ resume = ISC_FALSE;
continue;
+ }
if (!resume) {
result = get_key(val, val->siginfo);
@@ -1888,16 +1914,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
}
/*
- * The key is insecure, so mark the data as insecure also.
+ * There isn't a secure DNSKEY for this signature so move
+ * onto the next RRSIG.
*/
if (val->key == NULL) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- markanswer(val, "validate");
- return (ISC_R_SUCCESS);
+ resume = ISC_FALSE;
+ continue;
}
do {
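Review bot: The removed branch was the only place in this loop that honoured `val->mustbesecure` (returning `DNS_R_MUSTBESECURE`); with `continue` in its place, a signature whose DNSKEY is not secure is simply skipped, and whether "must be secure" is still enforced now depends on what happens after the loop and on the callers' new insecurity-proof fallback (the hunks at L264–L281 and L289–L306), neither of which is visible here. That is presumably deliberate — the check belongs in one place after all RRSIGs have been tried — but the hunk should say so: `/* No secure DNSKEY for this RRSIG: try the next one. mustbesecure is enforced by the caller once every signature has been tried. */`. Resetting `resume = ISC_FALSE` before each `continue` matches the algorithm-unsupported case in the previous hunk. validate() begins before and ends after this hunk.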
@@ -3703,6 +3725,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
*/
result = DNS_R_NOVALIDNSEC;
goto out;
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+ DNS_TRUST_ANSWER(val->frdataset.trust)) {
+ /*
+ * If we have "trust == answer" then this namespace
+ * has switched from insecure to should be secure.
+ */
+ result = create_validator(val, tname,
+ dns_rdatatype_ds,
+ &val->frdataset,
+ NULL, dsvalidated,
+ "proveunsecure");
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ return (DNS_R_WAIT);
} else if (val->frdataset.trust < dns_trust_secure) {
/*
* This shouldn't happen, since the negative
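Review bot: The new branch fires for both `DNS_TRUST_PENDING` and `DNS_TRUST_ANSWER`, but its comment explains only the "trust == answer" case, leaving a reader to guess why a pending DS set also warrants a fresh validator. I would broaden the comment to cover both: `* The DS set is either still pending or an unvalidated answer: this namespace may have switched from insecure to secure, so validate the DS before drawing any conclusion.` The control flow itself (return DNS_R_WAIT after a successful create_validator, otherwise goto out) is consistent with the surrounding branches. proveunsecure() continues outside this hunk.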
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
index 3726eef..54f0d26 100644
--- a/contrib/bind9/lib/dns/view.c
+++ b/contrib/bind9/lib/dns/view.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.150.84.3.10.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: view.c,v 1.150.84.3.10.2 2010/09/29 00:03:32 marka Exp $ */
/*! \file */
@@ -168,6 +168,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->acceptexpired = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
+ view->cacheacl = NULL;
+ view->cacheonacl = NULL;
view->queryacl = NULL;
view->queryonacl = NULL;
view->recursionacl = NULL;
@@ -294,6 +296,10 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->matchclients);
if (view->matchdestinations != NULL)
dns_acl_detach(&view->matchdestinations);
+ if (view->cacheacl != NULL)
+ dns_acl_detach(&view->cacheacl);
+ if (view->cacheonacl != NULL)
+ dns_acl_detach(&view->cacheonacl);
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
if (view->queryonacl != NULL)
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
index 823f692..b765f45 100644
--- a/contrib/bind9/lib/isc/api
+++ b/contrib/bind9/lib/isc/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 53
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 3
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
index b892e3a..6b98195 100644
--- a/contrib/bind9/lib/isc/print.c
+++ b/contrib/bind9/lib/isc/print.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print.c,v 1.35 2008/02/18 23:46:59 tbox Exp $ */
+/* $Id: print.c,v 1.35.418.2 2010/10/18 23:46:34 tbox Exp $ */
/*! \file */
@@ -468,7 +468,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
if (width > 0) {
count += width;
width--;
- if (left) {
+ if (left && size > 1) {
*str++ = c;
size--;
}
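Review bot: `size > 1` correctly stops the left-justified character from overwriting the slot reserved for the terminator, but the right-justified path (the `else` of this `if (left ...)`) and any later write of `c` lie outside the hunk, so confirm they carry the same guard; otherwise the truncation fix is only half applied. Leaving `count += width; width--;` unconditional is right, since `count` must still reflect the would-be length for a too-small buffer. A short comment on the condition would explain the asymmetry: `/* write only if room remains for the char and the NUL */`. isc_print_vsnprintf() starts before and ends after this hunk.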