Resync utils with unbound source

2016-07-14 13:33:11 +02:00 · 2016-07-14 13:33:11 +02:00 · 74b57d4679
parent b26d69384f
commit 74b57d4679
3 changed files with 72 additions and 40 deletions
--- a/src/util/import.sh
+++ b/src/util/import.sh
@ -44,6 +44,10 @@ do
 	    -e 's/secalgo_ds_digest/_getdns_secalgo_ds_digest/g' \
 	    -e 's/dnskey_algo_id_is_supported/_getdns_dnskey_algo_id_is_supported/g' \
 	    -e 's/verify_canonrrset/_getdns_verify_canonrrset/g' \
 	    -e 's/nsec3_hash_algo_size_supported/_getdns_nsec3_hash_algo_size_supported/g' \
 	    -e 's/secalgo_nsec3_hash/_getdns_secalgo_nsec3_hash/g' \
 	    -e 's/secalgo_hash_sha256/_getdns_secalgo_hash_sha256/g' \
 	    -e 's/ecdsa_evp_workaround_init/_getdns_ecdsa_evp_workaround_init/g' \
 	    -e 's/LDNS_/GLDNS_/g' \
 	    -e 's/enum sec_status/int/g' \
 	    -e 's/sec_status_bogus/0/g' \
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@ -72,7 +72,7 @@
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -84,7 +84,7 @@ nsec3_hash_algo_size_supported(int id)
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -96,6 +96,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 void
 _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
 	(void)SHA256(buf, len, res);
 }
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.
@ -342,6 +348,23 @@ i	 * the '44' is the total remaining length.
 }
 #endif /* USE_ECDSA */
 #ifdef USE_ECDSA_EVP_WORKAROUND
 static EVP_MD ecdsa_evp_256_md;
 static EVP_MD ecdsa_evp_384_md;
 void _getdns_ecdsa_evp_workaround_init(void)
 {
 	/* openssl before 1.0.0 fixes RSA with the SHA256
 	 * hash in EVP.  We create one for ecdsa_sha256 */
 	ecdsa_evp_256_md = *EVP_sha256();
 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
 	ecdsa_evp_384_md = *EVP_sha384();
 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
 }
 #endif /* USE_ECDSA_EVP_WORKAROUND */
 /**
 * Setup key and digest for verification. Adjust sig if necessary.
 *
@ -470,20 +493,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA256
+			*digest_type = &ecdsa_evp_256_md;
 			 * hash in EVP.  We create one for ecdsa_sha256 */
 			{
 				static int md_ecdsa_256_done = 0;
 				static EVP_MD md;
 				if(!md_ecdsa_256_done) {
 					EVP_MD m = *EVP_sha256();
 					md_ecdsa_256_done = 1;
 					m.required_pkey_type[0] = (*evp_key)->type;
 					m.verify = (void*)ECDSA_verify;
 					md = m;
 				}
 				*digest_type = &md;
 			}
 #else
 			*digest_type = EVP_sha256();
 #endif
@ -497,20 +507,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA384
+			*digest_type = &ecdsa_evp_384_md;
 			 * hash in EVP.  We create one for ecdsa_sha384 */
 			{
 				static int md_ecdsa_384_done = 0;
 				static EVP_MD md;
 				if(!md_ecdsa_384_done) {
 					EVP_MD m = *EVP_sha384();
 					md_ecdsa_384_done = 1;
 					m.required_pkey_type[0] = (*evp_key)->type;
 					m.verify = (void*)ECDSA_verify;
 					md = m;
 				}
 				*digest_type = &md;
 			}
 #else
 			*digest_type = EVP_sha384();
 #endif
@ -544,7 +541,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 {
 	const EVP_MD *digest_type;
 	EVP_MD_CTX* ctx;
-	int res, dofree = 0;
+	int res, dofree = 0, docrypto_free = 0;
 	EVP_PKEY *evp_key = NULL;
 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
@ -563,7 +560,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 			EVP_PKEY_free(evp_key);
 			return 0;
 		}
-		dofree = 1;
+		docrypto_free = 1;
 	}
 #endif
 #if defined(USE_ECDSA) && defined(USE_DSA)
@ -593,6 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
 		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@ -600,6 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
 		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), 
@ -608,15 +607,21 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
 		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
 #ifdef HAVE_EVP_MD_CTX_NEW
 	EVP_MD_CTX_destroy(ctx);
 #else
 	EVP_MD_CTX_cleanup(ctx);
 	free(ctx);
 #endif
 	EVP_PKEY_free(evp_key);
-	if(dofree)
+	if(dofree) free(sigblock);
-		free(sigblock);
+	else if(docrypto_free) CRYPTO_free(sigblock);
 	if(res == 1) {
 		return 1;
@ -644,7 +649,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -656,7 +661,7 @@ nsec3_hash_algo_size_supported(int id)
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -668,6 +673,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 void
 _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
 }
 size_t
 _getdns_ds_digest_size_supported(int algo)
 {
@ -1185,6 +1196,9 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 #include "macros.h"
 #include "rsa.h"
 #include "dsa.h"
 #ifdef HAVE_NETTLE_DSA_COMPAT_H
 #include "dsa-compat.h"
 #endif
 #include "asn1.h"
 #ifdef USE_ECDSA
 #include "ecdsa.h"
@ -1236,7 +1250,7 @@ _digest_nettle(int algo, uint8_t* buf, size_t len,
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -1248,7 +1262,7 @@ nsec3_hash_algo_size_supported(int id)
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -1260,6 +1274,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 void
 _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
 }
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.
--- a/src/util/val_secalgo.h
+++ b/src/util/val_secalgo.h
@ -45,7 +45,7 @@
 struct gldns_buffer;
 /** Return size of nsec3 hash algorithm, 0 if not supported */
-size_t nsec3_hash_algo_size_supported(int id);
+size_t _getdns_nsec3_hash_algo_size_supported(int id);
 /**
 * Hash a single hash call of an NSEC3 hash algorithm.
@ -56,9 +56,17 @@ size_t nsec3_hash_algo_size_supported(int id);
 * @param res: result stored here (must have sufficient space).
 * @return false on failure.
 */
-int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+int _getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res);
 /**
 * Calculate the sha256 hash for the data buffer into the result.
 * @param buf: buffer to digest.
 * @param len: length of the buffer to digest.
 * @param res: result is stored here (space 256/8 bytes).
 */
 void _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.