interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'develop' into devel/getdns_rrset

This commit is contained in:
Willem Toorop 2016-06-09 14:13:11 +02:00
parent 8679633cd9 27110e0943
commit e27bfcedb6
1 changed files with 37 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/dnssec.c
View File

@ -1350,7 +1350,7 @@ static int _getdns_verify_rrsig(struct mem_funcs *mf,
_getdns_rdf_iter *signer, signer_spc, *rdf, rdf_spc; _getdns_rdf_iter *signer, signer_spc, *rdf, rdf_spc;
uint8_t valbuf_spc[4096], *valbuf_buf = valbuf_spc; uint8_t valbuf_spc[4096], *valbuf_buf = valbuf_spc;
uint8_t cdname_spc[256], owner[256]; uint8_t cdname_spc[256], owner[256];
const uint8_t *cdname; const uint8_t *cdname, *owner_offset;
size_t cdname_len, pos; size_t cdname_len, pos;
uint32_t orig_ttl; uint32_t orig_ttl;
gldns_buffer valbuf; gldns_buffer valbuf;
@ -1364,9 +1364,40 @@ static int _getdns_verify_rrsig(struct mem_funcs *mf,
return 0; return 0;
valbuf_sz = signer->nxt - rrsig->rr_i.rr_type - 10; valbuf_sz = signer->nxt - rrsig->rr_i.rr_type - 10;
if ((owner_len = _dname_len(rrset->name)) > 255) /* We were able to get the signer,
* so the labels rdata field is definitely readable
*/
assert(rrsig->rr_i.rr_type + 14 <= rrsig->rr_i.nxt);
/* If the number of labels in the owner is larger than "labels" rdata
* field, then this is a wildcard expansion.
*/
if (_dname_label_count(rrset->name) > (size_t)rrsig->rr_i.rr_type[13]) {
/* This is a valid wildcard expansion. Calculate and return the
* "Next closer" name, because we need another NSEC to cover it.
* (except for rrsigs for NSECs, but those are dealt with later)
*/
to_skip = (int)_dname_label_count(rrset->name)
- (int)rrsig->rr_i.rr_type[13];
for ( owner_offset = rrset->name
; to_skip > 0
; owner_offset += *owner_offset + 1, to_skip--);
if ((owner_len = _dname_len(owner_offset) + 2) > 255)
return 0; return 0;
owner[0] = 1; owner[1] = '*';
(void) memcpy(owner + 2, owner_offset, owner_len - 2);
} else if ((owner_len = _dname_len(rrset->name)) > 255)
return 0;
else
(void) memcpy(owner, rrset->name, owner_len);
_dname_canonicalize2(owner);
for (;;) { for (;;) {
for ( rr = _getdns_rrtype_iter_init(&rr_spc, rrset), n_rrs = 0 for ( rr = _getdns_rrtype_iter_init(&rr_spc, rrset), n_rrs = 0
; rr ; rr
@ -1406,9 +1437,6 @@ static int _getdns_verify_rrsig(struct mem_funcs *mf,
orig_ttl = gldns_read_uint32(rrsig->rr_i.rr_type + 14); orig_ttl = gldns_read_uint32(rrsig->rr_i.rr_type + 14);
(void) memcpy(owner, rrset->name, owner_len);
_dname_canonicalize2(owner);
if (!_dnssec_rdata_to_canonicalize(rrset->rr_type)) if (!_dnssec_rdata_to_canonicalize(rrset->rr_type))
for (i = 0; i < n_rrs; i++) { for (i = 0; i < n_rrs; i++) {
/* Get rid of doubles */ /* Get rid of doubles */
@ -1465,9 +1493,10 @@ static int _getdns_verify_rrsig(struct mem_funcs *mf,
#if defined(SEC_DEBUG) && SEC_DEBUG #if defined(SEC_DEBUG) && SEC_DEBUG
if (r == 0) { if (r == 0) {
DEBUG_SEC("verification failed: %s\n", reason); DEBUG_SEC("verification failed: %s\n", reason);
debug_sec_print_rrset("verification failed: ", rrset); debug_sec_print_dname("verification failed for: ", owner);
debug_sec_print_rr("verification failed: ", &rrsig->rr_i); debug_sec_print_rrset("verification failed for rrset: ", rrset);
debug_sec_print_rr("verification failed: ", &key->rr_i); debug_sec_print_rr("verification failed sig: ", &rrsig->rr_i);
debug_sec_print_rr("verification failed key: ", &key->rr_i);
} }
#endif #endif
if (val_rrset != val_rrset_spc) if (val_rrset != val_rrset_spc)