Commit 23c21766 authored by Giovanni Bajo's avatar Giovanni Bajo Committed by Simon Kelley

Process RRSIGs also in authority and additional sections.

parent e83297d0
...@@ -435,17 +435,18 @@ int dnssec_validate(struct dns_header *header, size_t pktlen) ...@@ -435,17 +435,18 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
{ {
unsigned char *p, *reply; unsigned char *p, *reply;
char *owner = daemon->namebuff; char *owner = daemon->namebuff;
int i, qtype, qclass, rdlen; int i, s, qtype, qclass, rdlen;
unsigned long ttl; unsigned long ttl;
int slen[3] = { ntohs(header->ancount), ntohs(header->nscount), ntohs(header->arcount) };
if (header->ancount == 0) if (slen[0] + slen[1] + slen[2] == 0)
return 0; return 0;
if (!(reply = p = skip_questions(header, pktlen))) if (!(reply = p = skip_questions(header, pktlen)))
return 0; return 0;
/* First, process DNSKEY/DS records and add them to the cache. */ /* First, process DNSKEY/DS records and add them to the cache. */
cache_start_insert(); cache_start_insert();
for (i = 0; i < ntohs(header->ancount); i++) for (i = 0; i < slen[0]; i++)
{ {
if (!extract_name(header, pktlen, &p, owner, 1, 10)) if (!extract_name(header, pktlen, &p, owner, 1, 10))
return 0; return 0;
...@@ -471,7 +472,10 @@ int dnssec_validate(struct dns_header *header, size_t pktlen) ...@@ -471,7 +472,10 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
We want to do this in a separate step because we want the cache We want to do this in a separate step because we want the cache
to be already populated with DNSKEYs before parsing signatures. */ to be already populated with DNSKEYs before parsing signatures. */
p = reply; p = reply;
for (i = 0; i < ntohs(header->ancount); i++) for (s = 0; s < 3; ++s)
{
reply = p;
for (i = 0; i < slen[s]; i++)
{ {
if (!extract_name(header, pktlen, &p, owner, 1, 10)) if (!extract_name(header, pktlen, &p, owner, 1, 10))
return 0; return 0;
...@@ -487,10 +491,11 @@ int dnssec_validate(struct dns_header *header, size_t pktlen) ...@@ -487,10 +491,11 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
There is a memory vs CPU conflict here; should we validate everything There is a memory vs CPU conflict here; should we validate everything
to save memory and thus waste CPU, or better first acquire all information to save memory and thus waste CPU, or better first acquire all information
(wasting memory) and then doing the minimum CPU computations required? */ (wasting memory) and then doing the minimum CPU computations required? */
dnssec_parserrsig(header, pktlen, reply, ntohs(header->ancount), owner, qclass, rdlen, p); dnssec_parserrsig(header, pktlen, reply, slen[s], owner, qclass, rdlen, p);
} }
p += rdlen; p += rdlen;
} }
}
return 1; return 1;
} }
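Review bot: The first pass at L19 still scans only the answer section (`i < slen[0]`) for DNSKEY/DS while the second pass now walks all three sections, and the comment at L17 does not say that asymmetry is intended; I would extend it to `/* First, process DNSKEY/DS records (answer section only) and add them to the cache; RRSIGs are handled in all three sections below. */`. The three counts in `slen` come straight from the untrusted header, so a count larger than the records actually present is caught only by `extract_name` (or a later length check) failing against `pktlen` — that looks adequate from what is visible, but the `p += rdlen` advance at L40 depends on an `rdlen` bound check that lies between the hunks and is worth confirming. The literal `3` at L27 duplicates the array size declared at L12; `for (s = 0; s < (int)(sizeof slen / sizeof slen[0]); ++s)` would keep them in step if the array ever grows. The body of `dnssec_validate` continues between the hunks.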