resolved: when following a CNAME initialize authenticated bit by the weakest answer
When following a CNAME chain, don't set the authenticated bit, unless all lookups in the chain could be authenticated.
This commit is contained in:
parent
e8d23f92b5
commit
28830a6410
@ -211,7 +211,7 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {
|
||||
r = sd_bus_message_append(
|
||||
reply, "st",
|
||||
normalized,
|
||||
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
|
||||
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
@ -439,7 +439,7 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
|
||||
r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
@ -605,7 +605,7 @@ static void bus_method_resolve_record_complete(DnsQuery *q) {
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
|
||||
r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
@ -979,7 +979,7 @@ static void resolve_service_all_complete(DnsQuery *q) {
|
||||
reply,
|
||||
"ssst",
|
||||
name, type, domain,
|
||||
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
|
||||
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)));
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
|
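Review bot: The flags expression `SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q))` is now spelled out verbatim at four reply sites in this file (bus_method_resolve_hostname_complete, bus_method_resolve_address_complete, bus_method_resolve_record_complete and resolve_service_all_complete). A small file-local helper along the lines of `static uint64_t dns_query_reply_flags(DnsQuery *q) { return SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, dns_query_fully_authenticated(q)); }` would keep the authenticated-bit policy in one place, so a future reply path cannot quietly fall back to the raw `q->answer_authenticated`. This is a style point only; the substitution itself looks correct at every site. resolve_service_all_complete's body starts and ends outside the hunk.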
@ -1029,6 +1029,9 @@ int dns_query_process_cname(DnsQuery *q) {
|
||||
if (q->flags & SD_RESOLVED_NO_CNAME)
|
||||
return -ELOOP;
|
||||
|
||||
if (!q->answer_authenticated)
|
||||
q->previous_redirect_unauthenticated = true;
|
||||
|
||||
/* OK, let's actually follow the CNAME */
|
||||
r = dns_query_cname_redirect(q, cname);
|
||||
if (r < 0)
|
||||
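Review bot: The new `previous_redirect_unauthenticated` flag is set here but nothing in this change clears it, so if a DnsQuery object can be restarted after a partially followed CNAME chain (for instance with another search-domain candidate, if that path exists) a stale `true` would carry over; that only errs toward reporting the final answer as unauthenticated, which is the safe direction, but it is worth confirming the field is zero-initialized at allocation and reset wherever the rest of the answer state is reset. The check deliberately runs before dns_query_cname_redirect(), i.e. it records the authenticated state of the answer whose CNAME is about to be followed, and a short comment would make that intent explicit: `/* Remember if any hop of the CNAME chain was not authenticated: the final answer must then not be reported as authenticated either, see dns_query_fully_authenticated() */`. dns_query_process_cname() starts and ends outside the hunk.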
@ -1116,3 +1119,9 @@ const char *dns_query_string(DnsQuery *q) {
|
||||
|
||||
return dns_question_first_name(q->question_idna);
|
||||
}
|
||||
|
||||
bool dns_query_fully_authenticated(DnsQuery *q) {
|
||||
assert(q);
|
||||
|
||||
return q->answer_authenticated && !q->previous_redirect_unauthenticated;
|
||||
}
|
||||
|
@ -89,6 +89,7 @@ struct DnsQuery {
|
||||
int answer_family;
|
||||
DnsSearchDomain *answer_search_domain;
|
||||
int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
|
||||
bool previous_redirect_unauthenticated;
|
||||
|
||||
/* Bus client information */
|
||||
sd_bus_message *request;
|
||||
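Review bot: The new `previous_redirect_unauthenticated` member has no comment, unlike the adjacent `answer_errno`, and its meaning and when it is consulted are not obvious from the name alone; suggest `bool previous_redirect_unauthenticated; /* true if any CNAME redirect followed for this query came from an answer that was not authenticated; dns_query_fully_authenticated() ANDs this into the reported authenticated bit */`. Documenting that it is only ever set, never cleared within a lookup, would also tell the next reader why dns_query_fully_authenticated() can be a plain conjunction. The struct DnsQuery definition starts and ends outside the hunk.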
@ -139,3 +140,5 @@ DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol);
|
||||
const char *dns_query_string(DnsQuery *q);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
|
||||
|
||||
bool dns_query_fully_authenticated(DnsQuery *q);
|
||||
|
@ -214,7 +214,7 @@ static void dns_stub_query_complete(DnsQuery *q) {
|
||||
q->answer_rcode,
|
||||
!!q->request_dns_packet->opt,
|
||||
DNS_PACKET_DO(q->request_dns_packet),
|
||||
DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated);
|
||||
DNS_PACKET_DO(q->request_dns_packet) && dns_query_fully_authenticated(q));
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to finish reply packet: %m");
|
||||
break;
|
||||
|