From 74b57d4679abe9d1d7deaad175229f3036c61b25 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 13:33:11 +0200 Subject: [PATCH 1/8] Resync utils with unbound source --- src/util/import.sh | 4 ++ src/util/val_secalgo.c | 96 +++++++++++++++++++++++++----------------- src/util/val_secalgo.h | 12 +++++- 3 files changed, 72 insertions(+), 40 deletions(-) diff --git a/src/util/import.sh b/src/util/import.sh index ee903681..82f03921 100755 --- a/src/util/import.sh +++ b/src/util/import.sh @@ -44,6 +44,10 @@ do -e 's/secalgo_ds_digest/_getdns_secalgo_ds_digest/g' \ -e 's/dnskey_algo_id_is_supported/_getdns_dnskey_algo_id_is_supported/g' \ -e 's/verify_canonrrset/_getdns_verify_canonrrset/g' \ + -e 's/nsec3_hash_algo_size_supported/_getdns_nsec3_hash_algo_size_supported/g' \ + -e 's/secalgo_nsec3_hash/_getdns_secalgo_nsec3_hash/g' \ + -e 's/secalgo_hash_sha256/_getdns_secalgo_hash_sha256/g' \ + -e 's/ecdsa_evp_workaround_init/_getdns_ecdsa_evp_workaround_init/g' \ -e 's/LDNS_/GLDNS_/g' \ -e 's/enum sec_status/int/g' \ -e 's/sec_status_bogus/0/g' \ diff --git a/src/util/val_secalgo.c b/src/util/val_secalgo.c index b04400cc..edbf538b 100644 --- a/src/util/val_secalgo.c +++ b/src/util/val_secalgo.c @@ -72,7 +72,7 @@ /* return size of digest if supported, or 0 otherwise */ size_t -nsec3_hash_algo_size_supported(int id) +_getdns_nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: @@ -84,7 +84,7 @@ nsec3_hash_algo_size_supported(int id) /* perform nsec3 hash. return false on failure */ int -secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, +_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { @@ -96,6 +96,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, } } +void +_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) +{ + (void)SHA256(buf, len, res); +} + /** * Return size of DS digest according to its hash algorithm. * @param algo: DS digest algo. @@ -342,6 +348,23 @@ i * the '44' is the total remaining length. } #endif /* USE_ECDSA */ +#ifdef USE_ECDSA_EVP_WORKAROUND +static EVP_MD ecdsa_evp_256_md; +static EVP_MD ecdsa_evp_384_md; +void _getdns_ecdsa_evp_workaround_init(void) +{ + /* openssl before 1.0.0 fixes RSA with the SHA256 + * hash in EVP. We create one for ecdsa_sha256 */ + ecdsa_evp_256_md = *EVP_sha256(); + ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; + ecdsa_evp_256_md.verify = (void*)ECDSA_verify; + + ecdsa_evp_384_md = *EVP_sha384(); + ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; + ecdsa_evp_384_md.verify = (void*)ECDSA_verify; +} +#endif /* USE_ECDSA_EVP_WORKAROUND */ + /** * Setup key and digest for verification. Adjust sig if necessary. * @@ -470,20 +493,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND - /* openssl before 1.0.0 fixes RSA with the SHA256 - * hash in EVP. We create one for ecdsa_sha256 */ - { - static int md_ecdsa_256_done = 0; - static EVP_MD md; - if(!md_ecdsa_256_done) { - EVP_MD m = *EVP_sha256(); - md_ecdsa_256_done = 1; - m.required_pkey_type[0] = (*evp_key)->type; - m.verify = (void*)ECDSA_verify; - md = m; - } - *digest_type = &md; - } + *digest_type = &ecdsa_evp_256_md; #else *digest_type = EVP_sha256(); #endif @@ -497,20 +507,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND - /* openssl before 1.0.0 fixes RSA with the SHA384 - * hash in EVP. We create one for ecdsa_sha384 */ - { - static int md_ecdsa_384_done = 0; - static EVP_MD md; - if(!md_ecdsa_384_done) { - EVP_MD m = *EVP_sha384(); - md_ecdsa_384_done = 1; - m.required_pkey_type[0] = (*evp_key)->type; - m.verify = (void*)ECDSA_verify; - md = m; - } - *digest_type = &md; - } + *digest_type = &ecdsa_evp_384_md; #else *digest_type = EVP_sha384(); #endif @@ -544,7 +541,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, { const EVP_MD *digest_type; EVP_MD_CTX* ctx; - int res, dofree = 0; + int res, dofree = 0, docrypto_free = 0; EVP_PKEY *evp_key = NULL; if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { @@ -563,7 +560,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, EVP_PKEY_free(evp_key); return 0; } - dofree = 1; + docrypto_free = 1; } #endif #if defined(USE_ECDSA) && defined(USE_DSA) @@ -593,6 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, log_err("EVP_MD_CTX_new: malloc failure"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); + else if(docrypto_free) CRYPTO_free(sigblock); return 0; } if(EVP_VerifyInit(ctx, digest_type) == 0) { @@ -600,6 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); + else if(docrypto_free) CRYPTO_free(sigblock); return 0; } if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), @@ -608,15 +607,21 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); + else if(docrypto_free) CRYPTO_free(sigblock); return 0; } res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); +#ifdef HAVE_EVP_MD_CTX_NEW EVP_MD_CTX_destroy(ctx); +#else + EVP_MD_CTX_cleanup(ctx); + free(ctx); +#endif EVP_PKEY_free(evp_key); - if(dofree) - free(sigblock); + if(dofree) free(sigblock); + else if(docrypto_free) CRYPTO_free(sigblock); if(res == 1) { return 1; @@ -644,7 +649,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, /* return size of digest if supported, or 0 otherwise */ size_t -nsec3_hash_algo_size_supported(int id) +_getdns_nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: @@ -656,7 +661,7 @@ nsec3_hash_algo_size_supported(int id) /* perform nsec3 hash. return false on failure */ int -secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, +_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { @@ -668,6 +673,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, } } +void +_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) +{ + (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); +} + size_t _getdns_ds_digest_size_supported(int algo) { @@ -1185,6 +1196,9 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock, #include "macros.h" #include "rsa.h" #include "dsa.h" +#ifdef HAVE_NETTLE_DSA_COMPAT_H +#include "dsa-compat.h" +#endif #include "asn1.h" #ifdef USE_ECDSA #include "ecdsa.h" @@ -1236,7 +1250,7 @@ _digest_nettle(int algo, uint8_t* buf, size_t len, /* return size of digest if supported, or 0 otherwise */ size_t -nsec3_hash_algo_size_supported(int id) +_getdns_nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: @@ -1248,7 +1262,7 @@ nsec3_hash_algo_size_supported(int id) /* perform nsec3 hash. return false on failure */ int -secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, +_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { @@ -1260,6 +1274,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, } } +void +_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) +{ + _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); +} + /** * Return size of DS digest according to its hash algorithm. * @param algo: DS digest algo. diff --git a/src/util/val_secalgo.h b/src/util/val_secalgo.h index 917ebc00..704449ec 100644 --- a/src/util/val_secalgo.h +++ b/src/util/val_secalgo.h @@ -45,7 +45,7 @@ struct gldns_buffer; /** Return size of nsec3 hash algorithm, 0 if not supported */ -size_t nsec3_hash_algo_size_supported(int id); +size_t _getdns_nsec3_hash_algo_size_supported(int id); /** * Hash a single hash call of an NSEC3 hash algorithm. @@ -56,9 +56,17 @@ size_t nsec3_hash_algo_size_supported(int id); * @param res: result stored here (must have sufficient space). * @return false on failure. */ -int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, +int _getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res); +/** + * Calculate the sha256 hash for the data buffer into the result. + * @param buf: buffer to digest. + * @param len: length of the buffer to digest. + * @param res: result is stored here (space 256/8 bytes). + */ +void _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res); + /** * Return size of DS digest according to its hash algorithm. * @param algo: DS digest algo. From b4e7a82e11d644e7309d9de1fa9989feaf81635b Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 13:40:49 +0200 Subject: [PATCH 2/8] EDNS0 padding is RFC --- src/gldns/rrdef.h | 3 ++- src/gldns/wire2str.c | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/gldns/rrdef.h b/src/gldns/rrdef.h index 703ee31e..b13580ea 100644 --- a/src/gldns/rrdef.h +++ b/src/gldns/rrdef.h @@ -421,7 +421,8 @@ enum gldns_enum_edns_option GLDNS_EDNS_DHU = 6, /* RFC6975 */ GLDNS_EDNS_N3U = 7, /* RFC6975 */ GLDNS_EDNS_CLIENT_SUBNET = 8, /* draft-vandergaast-edns-client-subnet */ - GLDNS_EDNS_KEEPALIVE = 11 /* draft-ietf-dnsop-edns-tcp-keepalive*/ + GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/ + GLDNS_EDNS_PADDING = 12 /* RFC7830 */ }; typedef enum gldns_enum_edns_option gldns_edns_option; diff --git a/src/gldns/wire2str.c b/src/gldns/wire2str.c index b9a979eb..abc055d7 100644 --- a/src/gldns/wire2str.c +++ b/src/gldns/wire2str.c @@ -166,6 +166,7 @@ static gldns_lookup_table gldns_edns_options_data[] = { { 7, "N3U" }, { 8, "edns-client-subnet" }, { 11, "edns-tcp-keepalive"}, + { 12, "Padding" }, { 0, NULL} }; gldns_lookup_table* gldns_edns_options = gldns_edns_options_data; @@ -1886,7 +1887,10 @@ int gldns_wire2str_edns_option_print(char** s, size_t* sl, break; case GLDNS_EDNS_KEEPALIVE: w += gldns_wire2str_edns_keepalive_print(s, sl, optdata, optlen); - break; + break; + case GLDNS_EDNS_PADDING: + w += print_hex_buf(s, sl, optdata, optlen); + break; default: /* unknown option code */ w += print_hex_buf(s, sl, optdata, optlen); From af706716412503707267b3fa8eacf2155fe15126 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 13:46:12 +0200 Subject: [PATCH 3/8] =?UTF-8?q?parentheses=20around=20comparison=20in=20op?= =?UTF-8?q?erand=20of=20=E2=80=98&=E2=80=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/context.c b/src/context.c index b0c9a198..edea6aef 100644 --- a/src/context.c +++ b/src/context.c @@ -1297,7 +1297,7 @@ getdns_context_create_with_extended_memory_functions( /* Unbound needs SSL to be init'ed this early when TLS is used. However we * don't know that till later so we will have to do this every time. */ - if (set_from_os & 2 == 0) + if ((set_from_os & 2) == 0) SSL_library_init(); #ifdef HAVE_LIBUNBOUND From 2485c11e32d7b617b9dc8bb7eadf9ac38b62f309 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 14:02:29 +0200 Subject: [PATCH 4/8] Include jsmn in dist tarball --- Makefile.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile.in b/Makefile.in index 331c889e..3f727468 100644 --- a/Makefile.in +++ b/Makefile.in @@ -178,6 +178,7 @@ $(distdir): mkdir -p $(distdir)/src mkdir -p $(distdir)/src/getdns mkdir -p $(distdir)/src/test + mkdir -p $(distdir)/src/test/jsmn mkdir -p $(distdir)/src/extension mkdir -p $(distdir)/src/compat mkdir -p $(distdir)/src/util @@ -224,6 +225,9 @@ $(distdir): cp $(srcdir)/spec/*.tgz $(distdir)/spec || true cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example + cp $(srcdir)/src/test/jsmn/*.[ch] $(distdir)/src/test/jsmn + cp $(srcdir)/src/test/jsmn/LICENSE $(distdir)/src/test/jsmn + cp $(srcdir)/src/test/jsmn/README.md $(distdir)/src/test/jsmn rm -f $(distdir)/Makefile $(distdir)/src/Makefile $(distdir)/src/getdns/getdns.h $(distdir)/spec/example/Makefile $(distdir)/src/test/Makefile $(distdir)/doc/Makefile $(distdir)/src/config.h distcheck: $(distdir).tar.gz From 906a8d68c241c15b9d4812e4340a8af53603cc52 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 14:06:00 +0200 Subject: [PATCH 5/8] fix for converting empty lists and dicts --- src/test/getdns_str2dict.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/test/getdns_str2dict.c b/src/test/getdns_str2dict.c index ae5fb1d9..28323d9d 100644 --- a/src/test/getdns_str2dict.c +++ b/src/test/getdns_str2dict.c @@ -410,7 +410,10 @@ static int _jsmn_get_dict(struct mem_funcs *mf, const char *js, jsmntok_t *t, char key_spc[1024], *key = NULL; getdns_item child_item; - for (i = 0; i < t->size; i++) { + if (t->size <= 0) + *r = GETDNS_RETURN_GOOD; + + else for (i = 0; i < t->size; i++) { if (t[j].type != JSMN_STRING && t[j].type != JSMN_PRIMITIVE) { @@ -484,7 +487,10 @@ static int _jsmn_get_list(struct mem_funcs *mf, const char *js, jsmntok_t *t, size_t i, j = 1, index = 0; getdns_item child_item; - for (i = 0; i < t->size; i++) { + if (t->size <= 0) + *r = GETDNS_RETURN_GOOD; + + else for (i = 0; i < t->size; i++) { j += _jsmn_get_item(mf, js, t + j, count - j, &child_item, r); if (*r) break; From bae426a0e224c3ac54ac672431493261bb054e58 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 14:09:08 +0200 Subject: [PATCH 6/8] Unread assignment --- src/test/getdns_query.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/test/getdns_query.c b/src/test/getdns_query.c index 6ff6097c..05645a5f 100644 --- a/src/test/getdns_query.c +++ b/src/test/getdns_query.c @@ -442,12 +442,11 @@ static void parse_config(const char *config_str) * will get destroyed. */ if (!listen_dict && - !(listen_dict = getdns_dict_create())) { + !(listen_dict = getdns_dict_create())) fprintf(stderr, "Could not create " "listen_dict"); - r = GETDNS_RETURN_MEMORY_ERROR; - } else if ((r = getdns_dict_set_list( + else if ((r = getdns_dict_set_list( listen_dict, "listen_list", list))) fprintf(stderr, "Could not set listen_list"); From 689fc02fd2fe37a29301ad9d4ee2b664f0a76f02 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 14:14:15 +0200 Subject: [PATCH 7/8] Allow errors while setting up listeners --- src/test/getdns_context_set_listen_addresses.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/test/getdns_context_set_listen_addresses.c b/src/test/getdns_context_set_listen_addresses.c index 3b05e803..9246b640 100644 --- a/src/test/getdns_context_set_listen_addresses.c +++ b/src/test/getdns_context_set_listen_addresses.c @@ -804,6 +804,8 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context, new_set->count = new_set_count * n_transports; (void) memset(new_set->items, 0, sizeof(listener) * new_set_count * n_transports); + for (i = 0; i < new_set->count; i++) + new_set->items[i].fd = -1; (void) memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; @@ -906,7 +908,7 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context, /* So the event can be rescheduled */ } } - if ((r = add_listeners(new_set))) { + if (r || (r = add_listeners(new_set))) { for (i = 0; i < new_set->count; i++) new_set->items[i].action = to_remove; From 99d8672bee82ad5358be501dd3c66e98f8b200ed Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Thu, 14 Jul 2016 14:24:32 +0200 Subject: [PATCH 8/8] Fix few possible NULL dereference issues --- src/dnssec.c | 6 ++++-- src/rr-iter.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/dnssec.c b/src/dnssec.c index b46be44b..f567b96b 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -2049,7 +2049,8 @@ static int find_nsec_covering_name( , SECTION_NO_ADDITIONAL) ; i ; i = _getdns_rrset_iter_next(i)) { - if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC3 + if ((n = _getdns_rrset_iter_value(i)) + && n->rr_type == GETDNS_RRTYPE_NSEC3 /* Get the bitmap rdata field */ && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, n)) @@ -2085,7 +2086,8 @@ static int find_nsec_covering_name( return keytag; } - if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC + if ((n = _getdns_rrset_iter_value(i)) + && n->rr_type == GETDNS_RRTYPE_NSEC && nsec_covers_name(n, name, NULL) /* Get the bitmap rdata field */ diff --git a/src/rr-iter.c b/src/rr-iter.c index e6a711de..9b332603 100644 --- a/src/rr-iter.c +++ b/src/rr-iter.c @@ -306,7 +306,7 @@ static int rr_owner_equal(_getdns_rr_iter *rr, const uint8_t *name) return (owner = _getdns_owner_if_or_as_decompressed(rr, owner_spc ,&owner_len)) - && _getdns_dname_equal(owner, name); + && name && _getdns_dname_equal(owner, name); } /* First a few filter functions that filter a RR iterator to point only