Release 2.5.3

ChangeLog

@@ -29,6 +29,11 @@
 # 
 ################################################################################
 
+20211025:
+    YADIFA 2.5.3-public
+
+    Fixes a critical issue that could cause yadifad to crash handling certain DNS packet with privileged access.
+
 20210929:
     YADIFA 2.5.2-public
 

Makefile.in

@@ -368,7 +368,6 @@ HAS_YADIFA = @HAS_YADIFA@
 HAS_ZALLOC_DEBUG_SUPPORT = @HAS_ZALLOC_DEBUG_SUPPORT@
 HAS_ZALLOC_STATISTICS_SUPPORT = @HAS_ZALLOC_STATISTICS_SUPPORT@
 HAS_ZALLOC_SUPPORT = @HAS_ZALLOC_SUPPORT@
-HAS_ZONESIGN = @HAS_ZONESIGN@
 HAVE_RECVMMSG = @HAVE_RECVMMSG@
 HAVE_SENDMMSG = @HAVE_SENDMMSG@
 INSTALL = @INSTALL@

README

@@ -29,9 +29,7 @@
 # 
 ################################################################################
 
-20210929:
-    YADIFA 2.5.2-public
+20211025:
+    YADIFA 2.5.3-public
 
     Fixes a critical issue that could cause yadifad to crash handling certain DNS packet with privileged access.
-
-    Fixes an issue where a corrupted configuration file could lead to a crash while starting-up.

VERSION

@@ -1 +1 @@
-2.5.2
+2.5.3

autogen.sh

@@ -30,64 +30,135 @@
 #
 ################################################################################        
 
+if [ "x$DEBUG" = "x" ]; then
+    DEBUG=0
+fi
+
+debug()
+{
+    if [ $DEBUG -ne 0 ]; then
+        echo $*
+    fi
+}
+
 doe()
 {
     err=$?
-    if [ $err -ne 0 ]
-    then
+    if [ $err -ne 0 ]; then
       echo $*
       exit $err
     fi
 }
 
 OS=$(uname -s)
-SED=sed
-if [ ! "$OS" = "Darwin" ]
-then
-    libtoolize
-    doe "libtoolize failed"
+
+if [ ! "$OS" = "Darwin" ]; then
+    SED=sed
 else
-    glibtoolize
-    doe "glibtoolize failed"
     SED=gsed
 fi
 
+debug "autogen starting with OS='$OS'"
+
 AM_VER_HI=''
 AM_VER_LO=''
 AM_VER=$(automake --version|grep ^automake|$SED -e 's/.* //' -e 's/\./ /g')
 
-if [ "x$AM_VER" = "x" ]
-then
+if [ "x$AM_VER" = "x" ]; then
   echo "could not get automake version"
   exit 1
 fi
 
 for i in $AM_VER
 do
-    if [ "x$AM_VER_HI" = "x" ]
-    then
+    if [ "x$AM_VER_HI" = "x" ]; then
         AM_VER_HI=$i
     else
 	AM_VER_LO=$i
         break
+    fi
+done
+
+debug "automake version <$AM_VER_HI . $AM_VER_LO>"
+
+AC_VER_HI=''
+AC_VER_LO=''
+AC_VER=$(autoconf --version|grep ^autoconf|$SED -e 's/.* //' -e 's/\./ /g')
+
+if [ "x$AC_VER" = "x" ]; then
+  echo "could not get autoconf version"
+  exit 1
+fi
+
+for i in $AC_VER
+do
+    if [ "x$AC_VER_HI" = "x" ]
+    then
+        AC_VER_HI=$i
+    else
+	AC_VER_LO=$i
+        break
    fi
 done
 
-if [ $AM_VER_HI -eq 1 ]
-then
-	if [ $AM_VER_LO -lt 14 ]
-	then
+debug "autoconf version <$AC_VER_HI . $AC_VER_LO>"
+
+####
+
+if [ $AM_VER_HI -eq 1 ]; then
+	if [ $AM_VER_LO -lt 14 ]; then
 		echo 'patching configure.ac for automake < 1.14'
 		$SED -i 's/^#.*AM_PROG_CC_C_O/AM_PROG_CC_C_O/' configure.ac
 	fi
 fi
 
+if [ $AC_VER_HI -eq 2 ]
+then
+	echo "patching prerequisites"
+	$SED -i "s/^AC_PREREQ.*/AC_PREREQ([$AC_VER_HI.$AC_VER_LO])/" configure.ac
+
+	if [ $AC_VER_LO -lt 60 ]; then
+		for f in $(find -name \*.m4)
+		do
+			grep AS_HELP_STRING $f > /dev/null 2>&1
+			if [ $? -eq 0 ]; then debug "patching $f for AC_HELP_STRING usage";fi
+			$SED -i 's/AS_HELP_STRING/AC_HELP_STRING/' $f
+		done
+	else
+		for f in $(find -name \*.m4)
+		do
+			grep AC_HELP_STRING $f > /dev/null 2>&1
+			if [ $? -eq 0 ]; then debug "patching $f for AS_HELP_STRING usage";fi
+			$SED -i 's/AC_HELP_STRING/AS_HELP_STRING/' $f
+		done
+	fi
+fi
+
+if [ ! "$OS" = "Darwin" ]; then
+    debug "libtoolize"
+    libtoolize --force
+    doe "libtoolize failed"
+else
+    debug "glibtoolize (OSX)"
+    glibtoolize
+    doe "glibtoolize failed"
+fi
+
+debug "aclocal"
 aclocal
 doe "aclocal failed"
+
+debug "autoheader"
 autoheader -Wall
 doe "autoheader failed"
+
+debug "automake"
 automake --add-missing -Wall
 doe "automake failed"
+
+debug "autoconf"
 autoconf -i -Wall
 doe "autoconf failed"
-#echo "autogen done"
+
+debug "autogen done"
+

bin/yadifa/ChangeLog

@@ -29,6 +29,11 @@
 # 
 ################################################################################
 
+20211025:
+    YADIFA 2.5.3-public
+
+    Fixes a critical issue that could cause yadifad to crash handling certain DNS packet with privileged access.
+
 20210929:
     YADIFA 2.5.2-public
 

bin/yadifa/Makefile.in

@@ -504,7 +504,6 @@ HAS_YADIFA = @HAS_YADIFA@
 HAS_ZALLOC_DEBUG_SUPPORT = @HAS_ZALLOC_DEBUG_SUPPORT@
 HAS_ZALLOC_STATISTICS_SUPPORT = @HAS_ZALLOC_STATISTICS_SUPPORT@
 HAS_ZALLOC_SUPPORT = @HAS_ZALLOC_SUPPORT@
-HAS_ZONESIGN = @HAS_ZONESIGN@
 HAVE_RECVMMSG = @HAVE_RECVMMSG@
 HAVE_SENDMMSG = @HAVE_SENDMMSG@
 INSTALL = @INSTALL@

bin/yadifa/README

@@ -29,9 +29,7 @@
 # 
 ################################################################################
 
-20210929:
-    YADIFA 2.5.2-public
+20211025:
+    YADIFA 2.5.3-public
 
     Fixes a critical issue that could cause yadifad to crash handling certain DNS packet with privileged access.
-
-    Fixes an issue where a corrupted configuration file could lead to a crash while starting-up.

bin/yadifa/VERSION

@@ -1 +1 @@
-2.5.2
+2.5.3

bin/yadifa/module/keygen.c

@@ -270,15 +270,15 @@ CMDLINE_HELP("<algorithm>","one of the supported key algorithms")
 CMDLINE_CALLBACK(keygen_print_algorithm_help, NULL)
 CMDLINE_OPT(      "key-flag",                'f', "key_flag"                   )
 CMDLINE_HELP("KSK", "flag(s) to apply to the key")
-CMDLINE_OPT(      "publication-date",        'P', "publication_date"           )
+CMDLINE_OPT(      "publication-date",        'P', "publication_date_text"      )
 CMDLINE_HELP("date/[+-]offset/none","set key publication date (default: now)")
-CMDLINE_OPT(      "activation-date",         'A', "activation_date"            )
+CMDLINE_OPT(      "activation-date",         'A', "activation_date_text"       )
 CMDLINE_HELP("date/[+-]offset/none","set key activation date (default: now)")
-CMDLINE_OPT(      "revocation-date",         'R', "revocation_date"            )
+CMDLINE_OPT(      "revocation-date",         'R', "revocation_date_text"       )
 CMDLINE_HELP("date/[+-]offset/none","set key revocation date")
-CMDLINE_OPT(      "inactivation-date",       'I', "inactivation_date"          )
+CMDLINE_OPT(      "inactivation-date",       'I', "inactivation_date_text"     )
 CMDLINE_HELP("date/[+-]offset/none","set key inactivation date")
-CMDLINE_OPT(      "deletion-date",           'D', "deletion_date"              )
+CMDLINE_OPT(      "deletion-date",           'D', "deletion_date_text"         )
 CMDLINE_HELP("date/[+-]offset/none","set key inactivation date")
 CMDLINE_OPT(      "key-size",                'b', "key_size"                   )
 CMDLINE_HELP("<key size in bits>","key size in bits, when applicable")
@@ -604,40 +604,71 @@ keygen_run(const module_s *m)
 
     dnskey_set_created_epoch(generated_key, time(NULL));
 
-    if(g_keygen_settings.publication_date_text != NULL)
+    if((g_keygen_settings.publication_date_text != NULL) && (strlen(g_keygen_settings.publication_date_text) > 0))
     {
         s64 epochus = timeus_from_smarttime(g_keygen_settings.publication_date_text);
         if(epochus >= 0)
         {
             dnskey_set_publish_epoch(generated_key, epochus / ONE_SECOND_US);
         }
+        else
+        {
+            osformatln(termerr, "failed to parse publication date '%s': %r", g_keygen_settings.publication_date_text, (ya_result)epochus);
+            return (ya_result)epochus;
+        }
     }
 
-    if(g_keygen_settings.activation_date_text != NULL)
+    if((g_keygen_settings.activation_date_text != NULL) && (strlen(g_keygen_settings.activation_date_text) > 0))
     {
         s64 epochus = timeus_from_smarttime(g_keygen_settings.activation_date_text);
         if(epochus >= 0)
         {
             dnskey_set_activate_epoch(generated_key, epochus / ONE_SECOND_US);
         }
+        else
+        {
+            osformatln(termerr, "failed to parse activation date '%s': %r", g_keygen_settings.activation_date_text, (ya_result)epochus);
+            return (ya_result)epochus;
+        }
     }
 
-    if(g_keygen_settings.inactivation_date_text != NULL)
+    if((g_keygen_settings.inactivation_date_text != NULL) && (strlen(g_keygen_settings.inactivation_date_text) > 0))
     {
         s64 epochus = timeus_from_smarttime(g_keygen_settings.inactivation_date_text);
         if(epochus >= 0)
         {
             dnskey_set_inactive_epoch(generated_key, epochus / ONE_SECOND_US);
         }
+        else
+        {
+            osformatln(termerr, "failed to parse inactivation date '%s': %r", g_keygen_settings.inactivation_date_text, (ya_result)epochus);
+            return (ya_result)epochus;
+        }
     }
 
-    if(g_keygen_settings.deletion_date_text != NULL)
+    if((g_keygen_settings.deletion_date_text != NULL) && (strlen(g_keygen_settings.deletion_date_text) > 0))
     {
         s64 epochus = timeus_from_smarttime(g_keygen_settings.deletion_date_text);
         if(epochus >= 0)
         {
             dnskey_set_delete_epoch(generated_key, epochus / ONE_SECOND_US);
         }
+        else
+        {
+            osformatln(termerr, "failed to parse deletion date '%s': %r", g_keygen_settings.deletion_date_text, (ya_result)epochus);
+            return (ya_result)epochus;
+        }
+    }
+
+    time_t epoch_publish = dnskey_get_publish_epoch(generated_key);
+    time_t epoch_activate = dnskey_get_activate_epoch(generated_key);
+    time_t epoch_inactive = dnskey_get_inactive_epoch(generated_key);
+    time_t epoch_delete = dnskey_get_delete_epoch(generated_key);
+
+    if((epoch_publish > epoch_activate) || (epoch_activate > epoch_inactive) || (epoch_inactive > epoch_delete))
+    {
+        osformatln(termerr, "times are out of order");
+        return INVALID_ARGUMENT_ERROR;
     }
 
     // 8. write the files *.key and *.private

bin/yadifa/module/zonesign.c

@@ -748,7 +748,7 @@ zonesign_nsec3_chain_update(zdb_zone *zone, nsec3_zone* n3, ptr_vector *zsks, bo
 static ya_result
 zonesign_update_nsec3_chain(zdb_zone *zone, ptr_vector *zsks, bool opt_out)
 {
-    ya_result ret;
+    ya_result ret = SUCCESS;
     for(int chain_index = 0; ; ++chain_index)
     {
         nsec3_zone* n3 = zdb_zone_get_nsec3chain(zone, chain_index);
@@ -1290,7 +1290,7 @@ zonesign_run()
             if(FAIL(ret = dnssec_keystore_reload_domain(zone->origin)))
             {
                 formatln("error: failed to load keys for domain %{dnsname}: %r", zone->origin, ret);
-                return ret;
+                goto zonesign_run_exit;
             }
 
             bool remove_dnskey_rrsig = FALSE;
@@ -1363,7 +1363,7 @@ zonesign_run()
                 if(FAIL(ret))
                 {
                     formatln("%s key K%{dnsname}+%03i+%05i : failed to load public key: %r", flags_name, zone->origin, dnskey_get_algorithm_from_rdata(rdata), dnskey_get_tag_from_rdata(rdata, rdata_size), ret);
-                    return ret;
+                    goto zonesign_run_exit;
                 }
             }
             else
@@ -1427,14 +1427,16 @@ zonesign_run()
             else
             {
                 println("error: no KSK private key available");
-                return INVALID_STATE_ERROR;
+                ret = INVALID_STATE_ERROR;
+                goto zonesign_run_exit;
             }
         }
 
         if(!has_one_zsk)
         {
             println("error: no ZSK private key available");
-            return INVALID_STATE_ERROR;
+            ret = INVALID_STATE_ERROR;
+            goto zonesign_run_exit;
         }
 
         if(!auto_serial)
@@ -1578,10 +1580,22 @@ zonesign_run()
 
             ret = zonesign_update_signatures(zone, &ksks, &zsks);
 
+            if(FAIL(ret))
+            {
+                formatln("failed to update signatures: %r", ret);
+                goto zonesign_run_exit;
+            }
+
             if(g_yadifa_zonesign_settings.dnssec_mode >= ZDB_ZONE_MAINTAIN_NSEC3)
             {
                 ret = zonesign_update_nsec3_chain(zone, &zsks, optout);
                 nsec3_zone_update_chain0_links(zone);
+
+                if(FAIL(ret))
+                {
+                    formatln("failed to update nsec3 chains: %r", ret);
+                    goto zonesign_run_exit;
+                }
             }
 
             //ret = zdb_zone_sign(zone);
@@ -1613,6 +1627,7 @@ zonesign_run()
         formatln("failed to load zone file: %r", ret);
     }
 
+zonesign_run_exit:
     zdb_zone_load_parms_finalize(&parms);
     zone_reader_close(&zr);