From 4b688443f4ea658a002d6f707fc0bd9b26bbe5ae Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Mon, 3 Dec 2018 12:50:37 +0100
Subject: [PATCH] Sync with unbound

---
src/gldns/compare.sh | 2 +-
src/gldns/gbuffer.h | 4 +--
src/gldns/import.sh | 4 +--
src/gldns/parseutil.h | 2 +-
src/gldns/rrdef.c | 7 ++---
src/gldns/rrdef.h | 4 +--
src/util/val_secalgo.c | 62 +++++++++++++++++++++++++++++++-----------
7 files changed, 55 insertions(+), 30 deletions(-)

diff --git a/src/gldns/compare.sh b/src/gldns/compare.sh
index 415c6bcc..86207bb9 100755
--- a/src/gldns/compare.sh
+++ b/src/gldns/compare.sh
@@ -3,7 +3,7 @@
 # Meant to be run from this directory
 rm -fr gldns
 mkdir gldns
-svn co http://unbound.net/svn/trunk/sldns/
+svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
 mv gbuffer.h sbuffer.h
 mv gbuffer.c sbuffer.c
 for f in sldns/*.[ch]
diff --git a/src/gldns/gbuffer.h b/src/gldns/gbuffer.h
index 7aa5a1b8..e04aa23a 100644
--- a/src/gldns/gbuffer.h
+++ b/src/gldns/gbuffer.h
@@ -130,7 +130,7 @@ struct gldns_buffer
 /** If the buffer is fixed it cannot be resized */
 unsigned _fixed : 1;
 
- /** If the buffer is vfixed, no more than capacity bytes willl be
+ /** If the buffer is vfixed, no more than capacity bytes will be
 * written to _data, however the _position counter will be updated
 * with the amount that would have been written in consecutive
 * writes. This allows for a modus operandi in which a sequence is
@@ -160,7 +160,7 @@ gldns_buffer_invariant(gldns_buffer *buffer)
 assert(buffer != NULL);
 assert(buffer->_position <= buffer->_limit || buffer->_vfixed);
 assert(buffer->_limit <= buffer->_capacity);
- assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0));
+ assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0));
 }
 #endif
 
diff --git a/src/gldns/import.sh b/src/gldns/import.sh
index 88fcfff4..b9f3cfdd 100755
--- a/src/gldns/import.sh
+++ b/src/gldns/import.sh
@@ -16,8 +16,8 @@ then
 mv sbuffer.h gbuffer.h
 mv sbuffer.c gbuffer.c
 else
- svn co http://unbound.net/svn/trunk/sldns/
- for f in sldns/*.[ch]
+ svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/
+ for f in ldns/*.[ch]
 do
 sed -e 's/sldns_/gldns_/g' \
 -e 's/LDNS_/GLDNS_/g' \
diff --git a/src/gldns/parseutil.h b/src/gldns/parseutil.h
index a044c4de..1546e8be 100644
--- a/src/gldns/parseutil.h
+++ b/src/gldns/parseutil.h
@@ -58,7 +58,7 @@ time_t gldns_mktime_from_utc(const struct tm *tm);
 * The function interprets time as the number of seconds since epoch
 * with respect to now using serial arithmetics (rfc1982).
 * That number of seconds is then converted to broken-out time information.
- * This is especially useful when converting the inception and expiration
+ * This is especially usefull when converting the inception and expiration
 * fields of RRSIG records.
 *
 * \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
diff --git a/src/gldns/rrdef.c b/src/gldns/rrdef.c
index 91739232..52e9cf3b 100644
--- a/src/gldns/rrdef.c
+++ b/src/gldns/rrdef.c
@@ -341,12 +341,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 {GLDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 /* 52 */
 {GLDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
- /*53 */
-#ifdef DRAFT_RRTYPES
+ /* 53 */
 {GLDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#else
-{GLDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#endif
+ /* 54 */
 {GLDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 /* 55
 * Hip ends with 0 or more Rendezvous Servers represented as dname's.
diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h
index f7aaf866..ecbf0749 100644
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
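Review bot: The new loop glob `for f in ldns/*.[ch]` does not match the directory that the preceding `svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/` creates, which is `sldns`, so in the svn branch of this script the loop iterates over nothing (or, without nullglob, once over the literal pattern) and the rename/sed rewrite never runs. The removed line had `sldns/*.[ch]` and the compare.sh hunk in this same commit still uses `for f in sldns/*.[ch]`; keep `for f in sldns/*.[ch]` here unless the checkout is moved first somewhere outside the hunk. Independently, neither this `svn co` nor the one in compare.sh has its exit status checked, so a failed checkout of the imported source is silently followed by the rewrite step; `svn co https://nlnetlabs.nl/svn/unbound/trunk/sldns/ || exit 1` would make the import fail loudly instead. The enclosing if/else block begins before the hunk.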
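Review bot: The replacement comment line `* This is especially usefull when converting the inception and expiration` spells "usefull" with a double l where the removed line had the correct "useful", so the sync pulls a typo back into the gldns copy of parseutil.h. If the upstream file is the source of truth for this directory, the spelling is better fixed upstream so the next import does not undo a local correction again.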
@@ -182,9 +182,7 @@ enum gldns_enum_rr_type
 GLDNS_RR_TYPE_NSEC3PARAM = 51, /* RFC 5155 */
 GLDNS_RR_TYPE_NSEC3PARAMS = 51,
 GLDNS_RR_TYPE_TLSA = 52, /* RFC 6698 */
- GLDNS_RR_TYPE_SMIMEA = 53, /* draft-ietf-dane-smime, TLSA-like but may
- be extended */
-
+ GLDNS_RR_TYPE_SMIMEA = 53, /* RFC 8162 */
 GLDNS_RR_TYPE_HIP = 55, /* RFC 5205 */
 
 /** draft-reid-dnsext-zs */
diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c
index 95200a48..0613316c 100644
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@@ -77,6 +77,22 @@ int fake_dsa = 0;
 /** fake SHA1 support for unit tests */
 int fake_sha1 = 0;
 
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+ char buf[128];
+ /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+ ERR_error_string_n(e, buf, sizeof(buf));
+ /* buf now contains */
+ /* error:[error code]:[library name]:[function name]:[reason string] */
+ log_err("%s crypto %s", str, buf);
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t
 nsec3_hash_algo_size_supported(int id)
@@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 {
 switch(algo) {
 case NSEC3_HASH_SHA1:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+ log_crypto_error("could not digest with EVP_sha1",
+ ERR_get_error());
+#else
 (void)SHA1(buf, len, res);
+#endif
 return 1;
 default:
 return 0;
@@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 void
 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+ log_crypto_error("could not digest with EVP_sha256",
+ ERR_get_error());
+#else
 (void)SHA256(buf, len, res);
+#endif
 }
 
 /**
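Review bot: In the `OPENSSL_FIPS` branch of `secalgo_nsec3_hash`, a failed `sldns_digest_evp` is only logged and execution falls through to `return 1;`, so the caller is told the SHA1 hash succeeded and goes on to use `res`, which may never have been written. The same pattern is in the `secalgo_hash_sha256` hunk just below, whose void return cannot signal the failure at all, and in the three `secalgo_ds_digest` cases (SHA1, SHA256, SHA384) in the following hunks of this file. For the status-returning functions the failure path should report it like the unsupported-algorithm default does: `if(!sldns_digest_evp(buf, len, res, EVP_sha1())) {` / `log_crypto_error("could not digest with EVP_sha1", ERR_get_error()); return 0;` / `}`, and for `secalgo_hash_sha256` at least a comment on its declaration stating that `res` is undefined after a logged digest failure. Separately, the gldns copies in this tree are renamed to the `gldns_` prefix by import.sh, so unless `sldns_digest_evp` resolves to its gldns equivalent here, the FIPS path will fail to link while staying invisible in default builds; worth one build with `OPENSSL_FIPS` defined. The enclosing functions start before their hunks.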
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 switch(algo) {
 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
 case LDNS_SHA1:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+ log_crypto_error("could not digest with EVP_sha1",
+ ERR_get_error());
+#else
 (void)SHA1(buf, len, res);
+#endif
 return 1;
 #endif
 #ifdef HAVE_EVP_SHA256
 case LDNS_SHA256:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+ log_crypto_error("could not digest with EVP_sha256",
+ ERR_get_error());
+#else
 (void)SHA256(buf, len, res);
+#endif
 return 1;
 #endif
 #ifdef USE_GOST
@@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 #endif
 #ifdef USE_ECDSA
 case LDNS_SHA384:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
+ log_crypto_error("could not digest with EVP_sha384",
+ ERR_get_error());
+#else
 (void)SHA384(buf, len, res);
+#endif
 return 1;
 #endif
 default:
@@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
 }
 }
 
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
- char buf[128];
- /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
- ERR_error_string_n(e, buf, sizeof(buf));
- /* buf now contains */
- /* error:[error code]:[library name]:[function name]:[reason string] */
- log_err("%s crypto %s", str, buf);
-}
-
 #ifdef USE_DSA
 /**
 * Setup DSA key digest in DER encoding ...