From 757e94a3dfd7ec792c01e3ecee295ea987955f5a Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Fri, 7 Sep 2018 18:58:51 +0000 Subject: meta-openembedded: sumo refresh be79b8b111..2bb21ef27c Update meta-openembedded to sumo HEAD. Armin Kuster (1): grpc: move it from oe to networking layer Khem Raj (2): gedit: Add dep on python-six-native poppler: Update to 0.64 Martin Jansa (2): libqb: Fix build with gold openocd: prevent fetching git submodules during do_configure Nicolas Dechesne (1): meta-multimedia: fixup LAYERDEPENDS Paul Eggleton (1): protobuf: make python-protobuf dependency optional and default to off Sinan Kaya (1): dnsmasq: CVE-2017-15107 Takuro Ashie (1): uim: Fix SRC_URI Change-Id: I611fc4019b8a7fcbcaf2bcca40d7e35a650e5120 Signed-off-by: Brad Bishop --- ...txt-Fix-grpc_cpp_plugin-path-during-cross.patch | 68 ++++++ ....txt-Fix-libraries-installation-for-Linux.patch | 166 +++++++++++++ ...s.txt-Find-c-ares-in-target-sysroot-alone.patch | 42 ++++ .../recipes-devtools/grpc/grpc_1.8.5.bb | 36 +++ .../recipes-support/dnsmasq/dnsmasq_2.78.bb | 1 + .../dnsmasq/files/CVE-2017-15107.patch | 263 +++++++++++++++++++++ 6 files changed, 576 insertions(+) create mode 100644 meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch create mode 100644 meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch create mode 100644 meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0004-CMakeLists.txt-Find-c-ares-in-target-sysroot-alone.patch create mode 100644 meta-openembedded/meta-networking/recipes-devtools/grpc/grpc_1.8.5.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch (limited to 'meta-openembedded/meta-networking') 
diff --git a/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch
new file mode 100644
index 000000000..5774e62eb
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch
@@ -0,0 +1,68 @@ +From cc6dbabea0e452ebc93682df860a79ed9a45722e Mon Sep 17 00:00:00 2001 +From: Alexey Firago +Date: Fri, 20 Oct 2017 00:04:19 +0300 +Subject: [PATCH] CMakeLists.txt: Fix grpc_cpp_plugin path during + cross-compilation + +Signed-off-by: Alexey Firago +--- + CMakeLists.txt | 9 ++++++++- + templates/CMakeLists.txt.template | 9 ++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index f9cd630..9663934 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -328,6 +328,13 @@ function(protobuf_generate_grpc_cpp) + return() + endif() + ++ #if cross-compiling, find host plugin ++ if(CMAKE_CROSSCOMPILING) ++ find_program(gRPC_CPP_PLUGIN grpc_cpp_plugin) ++ else() ++ set(gRPC_CPP_PLUGIN $) ++ endif() ++ + set(_protobuf_include_path -I . -I ${PROTOBUF_WELLKNOWN_IMPORT_DIR}) + foreach(FIL ${ARGN}) + get_filename_component(ABS_FIL ${FIL} ABSOLUTE) +@@ -345,7 +352,7 @@ function(protobuf_generate_grpc_cpp) + COMMAND ${_gRPC_PROTOBUF_PROTOC_EXECUTABLE} + ARGS --grpc_out=generate_mock_code=true:${_gRPC_PROTO_GENS_DIR} + --cpp_out=${_gRPC_PROTO_GENS_DIR} +- --plugin=protoc-gen-grpc=$ ++ --plugin=protoc-gen-grpc=${gRPC_CPP_PLUGIN} + ${_protobuf_include_path} + ${REL_FIL} + DEPENDS ${ABS_FIL} ${_gRPC_PROTOBUF_PROTOC} grpc_cpp_plugin +diff --git a/templates/CMakeLists.txt.template b/templates/CMakeLists.txt.template +index 64daf04..a7e8629 100644 +--- a/templates/CMakeLists.txt.template ++++ b/templates/CMakeLists.txt.template +@@ -373,6 +373,13 @@ + return() + endif() + ++ #if cross-compiling, find host plugin ++ if(CMAKE_CROSSCOMPILING) ++ find_program(gRPC_CPP_PLUGIN grpc_cpp_plugin) ++ else() ++ set(gRPC_CPP_PLUGIN $) ++ endif() ++ + set(_protobuf_include_path -I . 
-I <%text>${PROTOBUF_WELLKNOWN_IMPORT_DIR}) + foreach(FIL <%text>${ARGN}) + get_filename_component(ABS_FIL <%text>${FIL} ABSOLUTE) +@@ -390,7 +397,7 @@ + COMMAND <%text>${_gRPC_PROTOBUF_PROTOC_EXECUTABLE} + ARGS --grpc_out=<%text>generate_mock_code=true:${_gRPC_PROTO_GENS_DIR} + --cpp_out=<%text>${_gRPC_PROTO_GENS_DIR} +- --plugin=protoc-gen-grpc=$ ++ --plugin=protoc-gen-grpc=${gRPC_CPP_PLUGIN} + <%text>${_protobuf_include_path} + <%text>${REL_FIL} + DEPENDS <%text>${ABS_FIL} <%text>${_gRPC_PROTOBUF_PROTOC} grpc_cpp_plugin +-- +2.7.4 diff --git a/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch new file mode 100644 index 000000000..f8d965294 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch 
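Review bot: The result of `find_program(gRPC_CPP_PLUGIN grpc_cpp_plugin)` in the new CMAKE_CROSSCOMPILING branch is never checked, so when no host plugin is on the path the custom command is still generated with `--plugin=protoc-gen-grpc=gRPC_CPP_PLUGIN-NOTFOUND` and the error only appears when protoc runs; add `if(NOT gRPC_CPP_PLUGIN) message(FATAL_ERROR "grpc_cpp_plugin not found on host") endif()` directly after the find_program, in both CMakeLists.txt and templates/CMakeLists.txt.template. The patch header also carries no `Upstream-Status:` line, which meta-openembedded expects on every patch; the 0004 patch in this same commit shows the form, `Upstream-Status: Pending`. The same missing tag applies to the 0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch hunk that follows.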
@@ -0,0 +1,166 @@ +From 8e9bf962a45a82f1c2eb5858e29fa89a3a60b564 Mon Sep 17 00:00:00 2001 +From: Alexey Firago +Date: Mon, 30 Oct 2017 23:24:49 +0300 +Subject: [PATCH 1/4] CMakeLists.txt: Fix libraries installation for Linux + +* Set libs versions as in Makefile + +Signed-off-by: Alexey Firago + +%% original patch: 0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch +--- + CMakeLists.txt | 55 +++++++++++++++++++++++++++++++++++ + CMakeLists.txt => CMakeLists.txt.orig | 0 + 2 files changed, 55 insertions(+) + copy CMakeLists.txt => CMakeLists.txt.orig (100%) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b1a49df..13e64ac 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -30,6 +30,15 @@ set(PACKAGE_TARNAME "${PACKAGE_NAME}-${PACKAGE_VERSION}") + set(PACKAGE_BUGREPORT "https://github.com/grpc/grpc/issues/") + project(${PACKAGE_NAME} C CXX) + ++set (CORE_VERSION_MAJOR "4") ++set (CORE_VERSION "4.0.0") ++ ++set (CPP_VERSION_MAJOR "1") ++set (CPP_VERSION "${PACKAGE_VERSION}") ++ ++set (CSHARP_VERSION_MAJOR "1") ++set (CSHARP_VERSION "${PACKAGE_VERSION}") ++ + set(gRPC_INSTALL_BINDIR "${CMAKE_INSTALL_PREFIX}/bin" CACHE PATH "Installation directory for executables") + set(gRPC_INSTALL_LIBDIR "${CMAKE_INSTALL_PREFIX}/lib" CACHE PATH "Installation directory for libraries") + set(gRPC_INSTALL_INCLUDEDIR "${CMAKE_INSTALL_PREFIX}/include" CACHE PATH "Installation directory for headers") +@@ -841,6 +850,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET gpr PROPERTY VERSION ${CORE_VERSION}) ++ set_property(TARGET gpr PROPERTY SOVERSION ${CORE_VERSION_MAJOR}) ++endif() + + target_include_directories(gpr + PUBLIC $ $ +@@ -1221,6 +1234,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc PROPERTY VERSION ${CORE_VERSION}) ++ set_property(TARGET grpc PROPERTY SOVERSION ${CORE_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc + PUBLIC $ $ +@@ -1535,6 
+1552,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc_cronet PROPERTY VERSION ${CORE_VERSION}) ++ set_property(TARGET grpc_cronet PROPERTY SOVERSION ${CORE_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc_cronet + PUBLIC $ $ +@@ -2377,6 +2398,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc_unsecure PROPERTY VERSION ${CORE_VERSION}) ++ set_property(TARGET grpc_unsecure PROPERTY SOVERSION ${CORE_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc_unsecure + PUBLIC $ $ +@@ -2592,6 +2617,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc++ PROPERTY VERSION ${CPP_VERSION}) ++ set_property(TARGET grpc++ PROPERTY SOVERSION ${CPP_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc++ + PUBLIC $ $ +@@ -3078,6 +3107,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc++_cronet PROPERTY VERSION ${CPP_VERSION}) ++ set_property(TARGET grpc++_cronet PROPERTY SOVERSION ${CPP_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc++_cronet + PUBLIC $ $ +@@ -3282,6 +3315,11 @@ protobuf_generate_grpc_cpp( + src/proto/grpc/status/status.proto + ) + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc++_error_details PROPERTY VERSION ${CPP_VERSION}) ++ set_property(TARGET grpc++_error_details PROPERTY SOVERSION ${CPP_VERSION_MAJOR}) ++endif() ++ + target_include_directories(grpc++_error_details + PUBLIC $ $ + PRIVATE ${CMAKE_CURRENT_SOURCE_DIR} +@@ -3408,6 +3446,11 @@ protobuf_generate_grpc_cpp( + src/proto/grpc/reflection/v1alpha/reflection.proto + ) + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc++_reflection PROPERTY VERSION ${CPP_VERSION}) ++ set_property(TARGET grpc++_reflection PROPERTY SOVERSION ${CPP_VERSION_MAJOR}) ++endif() ++ + target_include_directories(grpc++_reflection + PUBLIC $ $ + PRIVATE ${CMAKE_CURRENT_SOURCE_DIR} 
+@@ -3827,6 +3870,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc++_unsecure PROPERTY VERSION ${CPP_VERSION}) ++ set_property(TARGET grpc++_unsecure PROPERTY SOVERSION ${CPP_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc++_unsecure + PUBLIC $ $ +@@ -4140,6 +4187,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc_plugin_support PROPERTY VERSION ${CORE_VERSION}) ++ set_property(TARGET grpc_plugin_support PROPERTY SOVERSION ${CORE_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc_plugin_support + PUBLIC $ $ +@@ -4649,6 +4700,10 @@ if(WIN32 AND MSVC) + endif() + endif() + ++if(_gRPC_PLATFORM_LINUX) ++ set_property(TARGET grpc_csharp_ext PROPERTY VERSION ${CSHARP_VERSION}) ++ set_property(TARGET grpc_csharp_ext PROPERTY SOVERSION ${CSHARP_VERSION_MAJOR}) ++endif() + + target_include_directories(grpc_csharp_ext + PUBLIC $ $ +diff --git a/CMakeLists.txt b/CMakeLists.txt.orig +similarity index 100% +copy from CMakeLists.txt +copy to CMakeLists.txt.orig +-- +2.16.1 + diff --git a/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0004-CMakeLists.txt-Find-c-ares-in-target-sysroot-alone.patch b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0004-CMakeLists.txt-Find-c-ares-in-target-sysroot-alone.patch new file mode 100644 index 000000000..8985022fa --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc/0004-CMakeLists.txt-Find-c-ares-in-target-sysroot-alone.patch 
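Review bot: The patch ends with a `diff --git a/CMakeLists.txt b/CMakeLists.txt.orig` section marked `copy from CMakeLists.txt` / `copy to CMakeLists.txt.orig`, and its diffstat lists `copy CMakeLists.txt => CMakeLists.txt.orig (100%)`; that looks like an editor backup that git's copy detection swept into the patch, and when applied with git it drops a CMakeLists.txt.orig into the source tree (GNU patch and quilt should ignore the hunk-less section, but the noise stays). Drop that section, regenerate the diffstat so it reads `1 file changed, 55 insertions(+)`, and remove the `%% original patch:` git-am leftover from the header. The version/SOVERSION blocks themselves repeat the same four lines for twelve targets; a small `function(grpc_set_soversion target ver major)` would keep them in one place, though that is a style choice for upstream rather than a defect.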
@@ -0,0 +1,42 @@ +From a498b56ba96948015f0f2784b2ab8296946716ee Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Thu, 1 Feb 2018 23:28:17 -0800 +Subject: [PATCH 4/4] CMakeLists.txt: Find c-ares in target sysroot alone + +Current code lets it look into native sysroot as well +which is then preferred during cross compile and it adds +absolute path to libcares into linker flags +on heterogenous architectures linker complains and build +fails + +| /mnt/a/oe/build/tmp/work/cortexa7t2hf-neon-vfpv4-bec-linux-gnueabi/grpc/1.8.5-r0/recipe-sysroot-native/usr/lib/lib +cares.so.2.2.0: file not recognized: File format not recognized +| collect2: error: ld returned 1 exit status + +Upstream-Status: Pending + +Signed-off-by: Khem Raj +--- + CMakeLists.txt | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 1d7eef1..058423d 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -153,10 +153,8 @@ if("${gRPC_CARES_PROVIDER}" STREQUAL "module") + set(gRPC_INSTALL FALSE) + endif() + elseif("${gRPC_CARES_PROVIDER}" STREQUAL "package") +- find_package(c-ares REQUIRED CONFIG) +- if(TARGET c-ares::cares) +- set(_gRPC_CARES_LIBRARIES c-ares::cares) +- endif() ++ find_package(c-ares REQUIRED) ++ set(_gRPC_CARES_LIBRARIES cares) + set(_gRPC_FIND_CARES "if(NOT c-ares_FOUND)\n find_package(c-ares CONFIG)\nendif()") + endif() + +-- +2.16.1 + diff --git a/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc_1.8.5.bb b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc_1.8.5.bb new file mode 100644 index 000000000..0883ec176 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-devtools/grpc/grpc_1.8.5.bb 
@@ -0,0 +1,36 @@
+DESCRIPTION = "A high performance, open source, general-purpose RPC framework. \
+Provides gRPC libraries for multiple languages written on top of shared C core library \
+(C++, Node.js, Python, Ruby, Objective-C, PHP, C#)"
+HOMEPAGE = "https://github.com/grpc/grpc"
+SECTION = "libs"
+LICENSE = "Apache-2"
+
+DEPENDS = "gflags c-ares protobuf protobuf-native protobuf-c protobuf-c-native openssl"
+DEPENDS_append_class-target = " gtest grpc-native "
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "https://github.com/grpc/grpc/archive/v${PV}.tar.gz \
+ file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \
+ file://0004-CMakeLists.txt-Find-c-ares-in-target-sysroot-alone.patch \
+ "
+SRC_URI[md5sum] = "b565fa6787e42f4969395870c2ad436e"
+SRC_URI[sha256sum] = "df9168da760fd2ee970c74c9d1b63377e0024be248deaa844e784d0df47599de"
+
+SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch"
+
+inherit cmake
+
+EXTRA_OECMAKE = " \
+ -DgRPC_CARES_PROVIDER=package \
+ -DgRPC_ZLIB_PROVIDER=package \
+ -DgRPC_SSL_PROVIDER=package \
+ -DgRPC_PROTOBUF_PROVIDER=package \
+ -DgRPC_GFLAGS_PROVIDER=package \
+ -DgRPC_INSTALL=1 \
+ -DBUILD_SHARED_LIBS=ON \
+ "
+
+FILES_${PN}-dev += "${libdir}/cmake"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb
index 4d1dc6e69..d2465f82d 100644
--- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb
@@ -2,6 +2,7 @@ require dnsmasq.inc SRC_URI += "\ file://lua.patch \ + file://CVE-2017-15107.patch \ " SRC_URI[dnsmasq-2.78.md5sum] = "3bb97f264c73853f802bf70610150788"
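Review bot: `-DgRPC_ZLIB_PROVIDER=package` makes the CMake configure step look up zlib in the sysroot, but `zlib` is missing from DEPENDS, so the build presumably only succeeds because another dependency (protobuf, most likely) stages it transitively; make it explicit with `DEPENDS = "gflags c-ares protobuf protobuf-native protobuf-c protobuf-c-native openssl zlib"`. `LICENSE = "Apache-2"` resolves only through the SPDXLICENSEMAP alias; the canonical spelling used across the layers is `Apache-2.0`. protobuf-c and protobuf-c-native do not appear to be consumed by gRPC's CMake build and could probably be dropped, which is worth confirming against the configure log before doing so.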
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch
new file mode 100644
index 000000000..701101bcb
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch
@@ -0,0 +1,263 @@ +From 5a56e1b78a753d3295564daddc9ce389cc69fd68 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Fri, 19 Jan 2018 12:26:08 +0000 +Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. + +It's OK for NSEC records to be expanded from wildcards, +but in that case, the proof of non-existence is only valid +starting at the wildcard name, *. NOT the name expanded +from the wildcard. Without this check it's possible for an +attacker to craft an NSEC which wrongly proves non-existence +in a domain which includes a wildcard for NSEC. + +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4fe6744a220eddd3f1749b40cac3dfc510787de6] +CVE: CVE-2017-15107 +Signed-off-by: Sinan Kaya +--- + CHANGELOG | 44 +++++++++++++++++++ + src/dnssec.c | 117 +++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 147 insertions(+), 14 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 075fe1a6..5226dce8 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,47 @@ ++version 2.79 ++ Fix parsing of CNAME arguments, which are confused by extra spaces. ++ Thanks to Diego Aguirre for spotting the bug. ++ ++ Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind ++ upstream servers to an interface, rather than SO_BINDTODEVICE. ++ Thanks to Beniamino Galvani for the patch. ++ ++ Always return a SERVFAIL answer to DNS queries without the ++ recursion desired bit set, UNLESS acting as an authoritative ++ DNS server. This avoids a potential route to cache snooping. ++ ++ Add support for Ed25519 signatures in DNSSEC validation. ++ ++ No longer support RSA/MD5 signatures in DNSSEC validation, ++ since these are not secure. This behaviour is mandated in ++ RFC-6944. ++ ++ Fix incorrect error exit code from dhcp_release6 utility. ++ Thanks Gaudenz Steinlin for the bug report. ++ ++ Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC ++ time validation when --dnssec-no-timecheck is in use. 
++ Note that this is an incompatible change from earlier releases. ++ ++ Allow more than one --bridge-interface option to refer to an ++ interface, so that we can use ++ --bridge-interface=int1,alias1 ++ --bridge-interface=int1,alias2 ++ as an alternative to ++ --bridge-interface=int1,alias1,alias2 ++ Thanks to Neil Jerram for work on this. ++ ++ Fix for DNSSEC with wildcard-derived NSEC records. ++ It's OK for NSEC records to be expanded from wildcards, ++ but in that case, the proof of non-existence is only valid ++ starting at the wildcard name, *. NOT the name expanded ++ from the wildcard. Without this check it's possible for an ++ attacker to craft an NSEC which wrongly proves non-existence. ++ Thanks to Ralph Dolmans for finding this, and co-ordinating ++ the vulnerability tracking and fix release. ++ CVE-2017-15107 applies. ++ ++ + version 2.78 + Fix logic of appending "." to PXE basename. Thanks to Chris + Novakovic for the patch. +diff --git a/src/dnssec.c b/src/dnssec.c +index a74d01ab..1417be56 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -424,15 +424,17 @@ static void from_wire(char *name) + static int count_labels(char *name) + { + int i; +- ++ char *p; ++ + if (*name == 0) + return 0; + +- for (i = 0; *name; name++) +- if (*name == '.') ++ for (p = name, i = 0; *p; p++) ++ if (*p == '.') + i++; + +- return i+1; ++ /* Don't count empty first label. */ ++ return *name == '.' ? 
i : i+1; + } + + /* Implement RFC1982 wrapped compare for 32-bit numbers */ +@@ -1405,8 +1407,8 @@ static int hostname_cmp(const char *a, const char *b) + } + } + +-static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, +- char *workspace1, char *workspace2, char *name, int type, int *nons) ++static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, ++ char *workspace1_in, char *workspace2, char *name, int type, int *nons) + { + int i, rc, rdlen; + unsigned char *p, *psave; +@@ -1419,6 +1421,9 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + /* Find NSEC record that proves name doesn't exist */ + for (i = 0; i < nsec_count; i++) + { ++ char *workspace1 = workspace1_in; ++ int sig_labels, name_labels; ++ + p = nsecs[i]; + if (!extract_name(header, plen, &p, workspace1, 1, 10)) + return 0; +@@ -1427,7 +1432,27 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + psave = p; + if (!extract_name(header, plen, &p, workspace2, 1, 10)) + return 0; +- ++ ++ /* If NSEC comes from wildcard expansion, use original wildcard ++ as name for computation. */ ++ sig_labels = *labels[i]; ++ name_labels = count_labels(workspace1); ++ ++ if (sig_labels < name_labels) ++ { ++ int k; ++ for (k = name_labels - sig_labels; k != 0; k--) ++ { ++ while (*workspace1 != '.' 
&& *workspace1 != 0) ++ workspace1++; ++ if (k != 1 && *workspace1 == '.') ++ workspace1++; ++ } ++ ++ workspace1--; ++ *workspace1 = '*'; ++ } ++ + rc = hostname_cmp(workspace1, name); + + if (rc == 0) +@@ -1825,24 +1850,26 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) + { +- static unsigned char **nsecset = NULL; +- static int nsecset_sz = 0; ++ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; ++ static int nsecset_sz = 0, rrsig_labels_sz = 0; + + int type_found = 0; +- unsigned char *p = skip_questions(header, plen); ++ unsigned char *auth_start, *p = skip_questions(header, plen); + int type, class, rdlen, i, nsecs_found; + + /* Move to NS section */ + if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) + return 0; ++ ++ auth_start = p; + + for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) + { + unsigned char *pstart = p; + +- if (!(p = skip_name(p, header, plen, 10))) ++ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) + return 0; +- ++ + GETSHORT(type, p); + GETSHORT(class, p); + p += 4; /* TTL */ +@@ -1859,7 +1886,69 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) + return 0; + +- nsecset[nsecs_found++] = pstart; ++ if (type == T_NSEC) ++ { ++ /* If we're looking for NSECs, find the corresponding SIGs, to ++ extract the labels value, which we need in case the NSECs ++ are the result of wildcard expansion. ++ Note that the NSEC may not have been validated yet ++ so if there are multiple SIGs, make sure the label value ++ is the same in all, to avoid be duped by a rogue one. 
++ If there are no SIGs, that's an error */ ++ unsigned char *p1 = auth_start; ++ int res, j, rdlen1, type1, class1; ++ ++ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) ++ return 0; ++ ++ rrsig_labels[nsecs_found] = NULL; ++ ++ for (j = ntohs(header->nscount); j != 0; j--) ++ { ++ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) ++ return 0; ++ ++ GETSHORT(type1, p1); ++ GETSHORT(class1, p1); ++ p1 += 4; /* TTL */ ++ GETSHORT(rdlen1, p1); ++ ++ if (!CHECK_LEN(header, p1, plen, rdlen1)) ++ return 0; ++ ++ if (res == 1 && class1 == qclass && type1 == T_RRSIG) ++ { ++ int type_covered; ++ unsigned char *psav = p1; ++ ++ if (rdlen < 18) ++ return 0; /* bad packet */ ++ ++ GETSHORT(type_covered, p1); ++ ++ if (type_covered == T_NSEC) ++ { ++ p1++; /* algo */ ++ ++ /* labels field must be the same in every SIG we find. */ ++ if (!rrsig_labels[nsecs_found]) ++ rrsig_labels[nsecs_found] = p1; ++ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ ++ return 0; ++ } ++ p1 = psav; ++ } ++ ++ if (!ADD_RDLEN(header, p1, plen, rdlen1)) ++ return 0; ++ } ++ ++ /* Must have found at least one sig. */ ++ if (!rrsig_labels[nsecs_found]) ++ return 0; ++ } ++ ++ nsecset[nsecs_found++] = pstart; + } + + if (!ADD_RDLEN(header, p, plen, rdlen)) +@@ -1867,7 +1956,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + } + + if (type_found == T_NSEC) +- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); ++ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); + else if (type_found == T_NSEC3) + return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); + else +-- +2.19.0 + -- cgit v1.2.3
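Review bot: In prove_non_existence, the minimum-length check inside the new `type1 == T_RRSIG` branch tests `rdlen`, the rdata length of the outer NSEC record being processed, rather than `rdlen1`, the length just read for this RRSIG and bounded by CHECK_LEN; an RRSIG whose rdata is shorter than the bytes that `GETSHORT(type_covered, p1)`, the `p1++` over the algorithm byte and the `*p1` labels read consume is therefore accepted and those reads run past its rdata (for the last record in the packet, potentially past plen), while a long NSEC rdata does nothing to justify them. The line should be `if (rdlen1 < 18) return 0; /* bad packet */`. The trailing comment on `else if (*rrsig_labels[nsecs_found] != *p1) /* algo */` is stale — p1 has already been stepped past the algorithm byte two lines earlier, so the byte compared is the labels field and the comment should read `/* labels */`. prove_non_existence starts inside this hunk but its body continues past the hunk's end, and the wildcard-trimming loop added to prove_non_existence_nsec relies on `*labels[i]` being smaller than count_labels(workspace1) to ever move the pointer, so a fuzz case with sig_labels equal to zero is worth adding to the regression set.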