rpms / unbound

Clone
Source Code
GIT

Files

el5 el6 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f9 main rawhide unbound-1.13.2-rebase
  1.   f25
  2.   unbound-1.6.2-permissive.patch
Blob Blame History Raw 
diff --git a/validator/val_utils.c b/validator/val_utils.c
index e3677e1..e4eff1b 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -54,6 +54,7 @@
 #include "util/net_help.h"
 #include "util/module.h"
 #include "util/regional.h"
+#include "util/config_file.h"
 #include "sldns/wire2str.h"
 #include "sldns/parseutil.h"
 
@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
 }
 
 void
-val_check_nonsecure(struct val_env* ve, struct reply_info* rep) 
+val_check_nonsecure(struct module_env* env, struct reply_info* rep) 
 {
 	size_t i;
 	/* authority */
@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 		}
 	}
 	/* additional */
-	if(!ve->clean_additional)
+	if(!env->cfg->val_clean_additional)
 		return;
 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
diff --git a/validator/val_utils.h b/validator/val_utils.h
index 051824a..649adc2 100644
--- a/validator/val_utils.h
+++ b/validator/val_utils.h
@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
  * So that unsigned data does not get let through to clients, when we have
  * found the data to be secure.
  *
- * @param ve: validator environment with cleaning options.
+ * @param env: environment with cleaning options.
  * @param rep: reply to dump all nonsecure stuff out of.
  */
-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
+void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
 
 /**
  * Mark all unchecked rrset entries not below a trust anchor as indeterminate.
diff --git a/validator/validator.c b/validator/validator.c
index e8b6317..5f4a1eb 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -113,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
 {
 	int c;
 	val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
-	val_env->clean_additional = cfg->val_clean_additional;
-	val_env->permissive_mode = cfg->val_permissive_mode;
 	if(!env->anchors)
 		env->anchors = anchors_create();
 	if(!env->anchors) {
@@ -171,7 +169,6 @@ val_init(struct module_env* env, int id)
 	}
 	env->modinfo[id] = (void*)val_env;
 	env->need_to_validate = 1;
-	val_env->permissive_mode = 0;
 	lock_basic_init(&val_env->bogus_lock);
 	lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
 		sizeof(val_env->num_rrset_bogus));
@@ -619,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
 		}
 	}
 
-	/* attempt to validate the ADDITIONAL section rrsets */
-	if(!ve->clean_additional)
+	/* If set, the validator should clean the additional section of
+	 * secure messages. */
+	if(!env->cfg->val_clean_additional)
 		return 1;
+	/* attempt to validate the ADDITIONAL section rrsets */
 	for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 
 		i<chase_reply->rrset_count; i++) {
 		s = chase_reply->rrsets[i];
@@ -2129,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 		 * a different signer name). And drop additional rrsets
 		 * that are not secure (if clean-additional option is set) */
 		/* this may cause the msg to be marked bogus */
-		val_check_nonsecure(ve, vq->orig_msg->rep);
+		val_check_nonsecure(qstate->env, vq->orig_msg->rep);
 		if(vq->orig_msg->rep->security == sec_status_secure) {
 			log_query_info(VERB_DETAIL, "validation success", 
 				&qstate->qinfo);
@@ -2170,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 				free(err);
 			}
 		}
+		/*
+		 * If set, the validator will not make messages bogus, instead
+		 * indeterminate is issued, so that no clients receive SERVFAIL.
+		 * This allows an operator to run validation 'shadow' without
+		 * hurting responses to clients.
+		 */
 		/* If we are in permissive mode, bogus gets indeterminate */
-		if(ve->permissive_mode)
+		if(qstate->env->cfg->val_permissive_mode)
 			vq->orig_msg->rep->security = sec_status_indeterminate;
 	}
 
diff --git a/validator/validator.h b/validator/validator.h
index 23d3072..9a59107 100644
--- a/validator/validator.h
+++ b/validator/validator.h
@@ -93,19 +93,6 @@ struct val_env {
 	 * seconds. */
 	uint32_t bogus_ttl;
 
-	/** If set, the validator should clean the additional section of
-	 * secure messages.
-	 */
-	int clean_additional;
-
-	/**
-	 * If set, the validator will not make messages bogus, instead
-	 * indeterminate is issued, so that no clients receive SERVFAIL.
-	 * This allows an operator to run validation 'shadow' without
-	 * hurting responses to clients.
-	 */
-	int permissive_mode;
-
 	/**
 	 * Number of entries in the NSEC3 maximum iteration count table.
 	 * Keep this table short, and sorted by size
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.