Merge branch 'release/v1.0.0b2' into release/v1.1.0a1

2016-07-14 14:45:16 +02:00 · 2016-07-14 14:45:16 +02:00 · ebba1d4cce
parent ea69d31dba 99d8672bee
commit ebba1d4cce
11 changed files with 97 additions and 49 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -178,6 +178,7 @@ $(distdir):
 	mkdir -p $(distdir)/src
 	mkdir -p $(distdir)/src/getdns
 	mkdir -p $(distdir)/src/test
+	mkdir -p $(distdir)/src/test/jsmn
 	mkdir -p $(distdir)/src/extension
 	mkdir -p $(distdir)/src/compat
 	mkdir -p $(distdir)/src/util
--- a/src/context.c
+++ b/src/context.c
@ -1349,7 +1349,7 @@ getdns_context_create_with_extended_memory_functions(
 	/* Unbound needs SSL to be init'ed this early when TLS is used. However we
 	 * don't know that till later so we will have to do this every time. */

-	if (set_from_os & 2 == 0)
+	if ((set_from_os & 2) == 0)
 		SSL_library_init();

 #ifdef HAVE_LIBUNBOUND
--- a/src/convert.c
+++ b/src/convert.c
@ -1372,7 +1372,10 @@ static int _jsmn_get_dict(struct mem_funcs *mf, const char *js, jsmntok_t *t,
 	char key_spc[1024], *key = NULL;
 	getdns_item child_item;

-	for (i = 0; i < t->size; i++) {
+	if (t->size <= 0)
+		*r = GETDNS_RETURN_GOOD;
+
+	else for (i = 0; i < t->size; i++) {
 		if (t[j].type != JSMN_STRING &&
 		    t[j].type != JSMN_PRIMITIVE) {

@ -1446,7 +1449,10 @@ static int _jsmn_get_list(struct mem_funcs *mf, const char *js, jsmntok_t *t,
 	size_t i, j = 1, index = 0;
 	getdns_item child_item;

-	for (i = 0; i < t->size; i++) {
+	if (t->size <= 0)
+		*r = GETDNS_RETURN_GOOD;
+
+	else for (i = 0; i < t->size; i++) {
 		j += _jsmn_get_item(mf, js, t + j, count - j, &child_item, r);
 		if (*r) break;

--- a/src/dnssec.c
+++ b/src/dnssec.c
@ -2049,7 +2049,8 @@ static int find_nsec_covering_name(
 	                                        , SECTION_NO_ADDITIONAL)
 	    ; i ; i = _getdns_rrset_iter_next(i)) {

-		if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC3
+		if ((n = _getdns_rrset_iter_value(i))
+		    && n->rr_type == GETDNS_RRTYPE_NSEC3

 		    /* Get the bitmap rdata field */
 		    && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, n))
@ -2085,7 +2086,8 @@ static int find_nsec_covering_name(

 			return keytag;
 		}
-		if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC
+		if ((n = _getdns_rrset_iter_value(i))
+		    && n->rr_type == GETDNS_RRTYPE_NSEC
 		    && nsec_covers_name(n, name, NULL)

 		    /* Get the bitmap rdata field */
--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@ -421,7 +421,8 @@ enum gldns_enum_edns_option
 	GLDNS_EDNS_DHU = 6, /* RFC6975 */
 	GLDNS_EDNS_N3U = 7, /* RFC6975 */
 	GLDNS_EDNS_CLIENT_SUBNET = 8, /* draft-vandergaast-edns-client-subnet */
-	GLDNS_EDNS_KEEPALIVE = 11 /* draft-ietf-dnsop-edns-tcp-keepalive*/
+	GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
+	GLDNS_EDNS_PADDING = 12 /* RFC7830 */
 };
 typedef enum gldns_enum_edns_option gldns_edns_option;

--- a/src/gldns/wire2str.c
+++ b/src/gldns/wire2str.c
@ -166,6 +166,7 @@ static gldns_lookup_table gldns_edns_options_data[] = {
 	{ 7, "N3U" },
 	{ 8, "edns-client-subnet" },
 	{ 11, "edns-tcp-keepalive"},
+	{ 12, "Padding" },
 	{ 0, NULL}
 };
 gldns_lookup_table* gldns_edns_options = gldns_edns_options_data;
@ -1886,7 +1887,10 @@ int gldns_wire2str_edns_option_print(char** s, size_t* sl,
 		break;
 	 case GLDNS_EDNS_KEEPALIVE:
 		w += gldns_wire2str_edns_keepalive_print(s, sl, optdata, optlen);
-		break; 
+		break;
+	case GLDNS_EDNS_PADDING:
+		w += print_hex_buf(s, sl, optdata, optlen);
+		break;
 	default:
 		/* unknown option code */
 		w += print_hex_buf(s, sl, optdata, optlen);
--- a/src/rr-iter.c
+++ b/src/rr-iter.c
@ -306,7 +306,7 @@ static int rr_owner_equal(_getdns_rr_iter *rr, const uint8_t *name)

 	return (owner = _getdns_owner_if_or_as_decompressed(rr, owner_spc
 	                                                      ,&owner_len))
-	    && _getdns_dname_equal(owner, name);
+	    && name && _getdns_dname_equal(owner, name);
 }

 /* First a few filter functions that filter a RR iterator to point only
--- a/src/server.c
+++ b/src/server.c
@ -833,6 +833,8 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context,
 	new_set->count = new_set_count * n_transports;
 	(void) memset(new_set->items, 0,
 	    sizeof(listener) * new_set_count * n_transports);
+	for (i = 0; i < new_set->count; i++)
+		new_set->items[i].fd = -1;

 	(void) memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_family    = AF_UNSPEC;
@ -935,7 +937,7 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context,
 			/* So the event can be rescheduled */
 		}
 	}
-	if ((r = add_listeners(new_set))) {
+	if (r || (r = add_listeners(new_set))) {
 		for (i = 0; i < new_set->count; i++)
 			new_set->items[i].action = to_remove;

--- a/src/util/import.sh
+++ b/src/util/import.sh
@ -44,6 +44,10 @@ do
 	    -e 's/secalgo_ds_digest/_getdns_secalgo_ds_digest/g' \
 	    -e 's/dnskey_algo_id_is_supported/_getdns_dnskey_algo_id_is_supported/g' \
 	    -e 's/verify_canonrrset/_getdns_verify_canonrrset/g' \
+	    -e 's/nsec3_hash_algo_size_supported/_getdns_nsec3_hash_algo_size_supported/g' \
+	    -e 's/secalgo_nsec3_hash/_getdns_secalgo_nsec3_hash/g' \
+	    -e 's/secalgo_hash_sha256/_getdns_secalgo_hash_sha256/g' \
+	    -e 's/ecdsa_evp_workaround_init/_getdns_ecdsa_evp_workaround_init/g' \
 	    -e 's/LDNS_/GLDNS_/g' \
 	    -e 's/enum sec_status/int/g' \
 	    -e 's/sec_status_bogus/0/g' \
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@ -72,7 +72,7 @@

 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -84,7 +84,7 @@ nsec3_hash_algo_size_supported(int id)

 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -96,6 +96,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }

+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	(void)SHA256(buf, len, res);
+}
+
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.
@ -342,6 +348,23 @@ i	 * the '44' is the total remaining length.
 }
 #endif /* USE_ECDSA */

+#ifdef USE_ECDSA_EVP_WORKAROUND
+static EVP_MD ecdsa_evp_256_md;
+static EVP_MD ecdsa_evp_384_md;
+void _getdns_ecdsa_evp_workaround_init(void)
+{
+	/* openssl before 1.0.0 fixes RSA with the SHA256
+	 * hash in EVP.  We create one for ecdsa_sha256 */
+	ecdsa_evp_256_md = *EVP_sha256();
+	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
+	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
+
+	ecdsa_evp_384_md = *EVP_sha384();
+	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
+	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
+}
+#endif /* USE_ECDSA_EVP_WORKAROUND */
+
 /**
 * Setup key and digest for verification. Adjust sig if necessary.
 *
@ -470,20 +493,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA256
-			 * hash in EVP.  We create one for ecdsa_sha256 */
-			{
-				static int md_ecdsa_256_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_256_done) {
-					EVP_MD m = *EVP_sha256();
-					md_ecdsa_256_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
+			*digest_type = &ecdsa_evp_256_md;
 #else
 			*digest_type = EVP_sha256();
 #endif
@ -497,20 +507,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA384
-			 * hash in EVP.  We create one for ecdsa_sha384 */
-			{
-				static int md_ecdsa_384_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_384_done) {
-					EVP_MD m = *EVP_sha384();
-					md_ecdsa_384_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
+			*digest_type = &ecdsa_evp_384_md;
 #else
 			*digest_type = EVP_sha384();
 #endif
@ -544,7 +541,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 {
 	const EVP_MD *digest_type;
 	EVP_MD_CTX* ctx;
-	int res, dofree = 0;
+	int res, dofree = 0, docrypto_free = 0;
 	EVP_PKEY *evp_key = NULL;
 	
 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
@ -563,7 +560,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 			EVP_PKEY_free(evp_key);
 			return 0;
 		}
-		dofree = 1;
+		docrypto_free = 1;
 	}
 #endif
 #if defined(USE_ECDSA) && defined(USE_DSA)
@ -593,6 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@ -600,6 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), 
@ -608,15 +607,21 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}

 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
+#ifdef HAVE_EVP_MD_CTX_NEW
 	EVP_MD_CTX_destroy(ctx);
+#else
+	EVP_MD_CTX_cleanup(ctx);
+	free(ctx);
+#endif
 	EVP_PKEY_free(evp_key);

-	if(dofree)
-		free(sigblock);
+	if(dofree) free(sigblock);
+	else if(docrypto_free) CRYPTO_free(sigblock);

 	if(res == 1) {
 		return 1;
@ -644,7 +649,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,

 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -656,7 +661,7 @@ nsec3_hash_algo_size_supported(int id)

 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -668,6 +673,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }

+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
+}
+
 size_t
 _getdns_ds_digest_size_supported(int algo)
 {
@ -1185,6 +1196,9 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 #include "macros.h"
 #include "rsa.h"
 #include "dsa.h"
+#ifdef HAVE_NETTLE_DSA_COMPAT_H
+#include "dsa-compat.h"
+#endif
 #include "asn1.h"
 #ifdef USE_ECDSA
 #include "ecdsa.h"
@ -1236,7 +1250,7 @@ _digest_nettle(int algo, uint8_t* buf, size_t len,

 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@ -1248,7 +1262,7 @@ nsec3_hash_algo_size_supported(int id)

 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res)
 {
 	switch(algo) {
@ -1260,6 +1274,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }

+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
+}
+
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.
--- a/src/util/val_secalgo.h
+++ b/src/util/val_secalgo.h
@ -45,7 +45,7 @@
 struct gldns_buffer;

 /** Return size of nsec3 hash algorithm, 0 if not supported */
-size_t nsec3_hash_algo_size_supported(int id);
+size_t _getdns_nsec3_hash_algo_size_supported(int id);

 /**
 * Hash a single hash call of an NSEC3 hash algorithm.
@ -56,9 +56,17 @@ size_t nsec3_hash_algo_size_supported(int id);
 * @param res: result stored here (must have sufficient space).
 * @return false on failure.
 */
-int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+int _getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
        unsigned char* res);

+/**
+ * Calculate the sha256 hash for the data buffer into the result.
+ * @param buf: buffer to digest.
+ * @param len: length of the buffer to digest.
+ * @param res: result is stored here (space 256/8 bytes).
+ */
+void _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
+
 /**
 * Return size of DS digest according to its hash algorithm.
 * @param algo: DS digest algo.