diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-01-07 12:56:38 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-11 19:39:59 +0100 |
commit | 0f87f3e8e72bef1b951a1ee97c4e976e924f7912 (patch) | |
tree | 592ed7e1304d022f4ed97b85761d1e084630f4bc /src/resolve | |
parent | 0f23174c5c21f90929b3ee39fee48b774949510d (diff) |
resolved: look for revoked trust anchors before validating a message
There's not reason to wait for checking for revoked trust anchors until
after validation, after all revoked DNSKEYs only need to be self-signed,
but not have a full trust chain.
This way, we can be sure that all trust anchor lookups we do during
validation already honour that some keys might have been revoked.
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 43dc312091..b393c5238a 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2227,6 +2227,29 @@ static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr->key)); } +static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) { + DnsResourceRecord *rr; + int r; + + assert(t); + + /* Maybe warn the user that we encountered a revoked DNSKEY + * for a key from our trust anchor. Note that we don't care + * whether the DNSKEY can be authenticated or not. It's + * sufficient if it is self-signed. */ + + DNS_ANSWER_FOREACH(rr, t->answer) { + if (rr->key->type != DNS_TYPE_DNSKEY) + continue; + + r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, t->answer, rr->key); + if (r < 0) + return r; + } + + return 0; +} + int dns_transaction_validate_dnssec(DnsTransaction *t) { _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL; bool dnskeys_finalized = false; @@ -2267,7 +2290,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { log_debug("Validating response from transaction %" PRIu16 " (%s).", t->id, dns_transaction_key_string(t)); - /* First see if there are DNSKEYs we already known a validated DS for. */ + /* First, see if this response contains any revoked trust anchors we care about */ + r = dns_transaction_check_revoked_trust_anchors(t); + if (r < 0) + return r; + + /* Second see if there are DNSKEYs we already know a validated DS for. */ r = dns_transaction_validate_dnskey_by_ds(t); if (r < 0) return r; @@ -2299,14 +2327,6 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED); if (r < 0) return r; - - /* Maybe warn the user that we - * encountered a revoked - * DNSKEY for a key from our - * trust anchor */ - r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, t->answer, rr->key); - if (r < 0) - return r; } /* Add the validated RRset to the new |