diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:42 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:42 +0000 |
| commit | 78e9bb837c258ac0ec7712b3d612cc2f407e731e (patch) | |
| tree | f515d16b6efd858a9aeb5b0ef5d6f90bf288283d /src/resolve/resolved-dns-dnssec.c | |
| parent | Adding debian version 255.5-1. (diff) | |
| download | systemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.tar.xz systemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.zip | |
Merging upstream version 256.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
| -rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index a192d82..233418a 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -890,8 +890,11 @@ static int dnssec_rrset_verify_sig( _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; void *hash; size_t hash_size; + int r; - initialize_libgcrypt(false); + r = initialize_libgcrypt(false); + if (r < 0) + return r; #endif switch (rrsig->rrsig.algorithm) { @@ -1334,6 +1337,7 @@ static hash_md_t digest_to_hash_md(uint8_t algorithm) { int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) { uint8_t wire_format[DNS_WIRE_FORMAT_HOSTNAME_MAX]; + size_t encoded_length; int r; assert(dnskey); @@ -1360,6 +1364,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, r = dns_name_to_wire_format(dns_resource_key_name(dnskey->key), wire_format, sizeof wire_format, true); if (r < 0) return r; + encoded_length = r; hash_md_t md_algorithm = digest_to_hash_md(ds->ds.digest_type); @@ -1383,7 +1388,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (EVP_DigestInit_ex(ctx, md_algorithm, NULL) <= 0) return -EIO; - if (EVP_DigestUpdate(ctx, wire_format, r) <= 0) + if (EVP_DigestUpdate(ctx, wire_format, encoded_length) <= 0) return -EIO; if (mask_revoke) @@ -1407,7 +1412,9 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (md_algorithm < 0) return -EOPNOTSUPP; - initialize_libgcrypt(false); + r = initialize_libgcrypt(false); + if (r < 0) + return r; _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; @@ -1421,7 +1428,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) return -EIO; - gcry_md_write(md, wire_format, r); + gcry_md_write(md, wire_format, encoded_length); if (mask_revoke) md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE); else @@ -1552,8 +1559,11 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) { if (algorithm < 0) return algorithm; - initialize_libgcrypt(false); + r = initialize_libgcrypt(false); + if (r < 0) + return r; + size_t encoded_length; unsigned hash_size = gcry_md_get_algo_dlen(algorithm); assert(hash_size > 0); @@ -1563,13 +1573,14 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) { r = dns_name_to_wire_format(name, wire_format, sizeof(wire_format), true); if (r < 0) return r; + encoded_length = r; _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; gcry_error_t err = gcry_md_open(&md, algorithm, 0); if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) return -EIO; - gcry_md_write(md, wire_format, r); + gcry_md_write(md, wire_format, encoded_length); gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size); void *result = gcry_md_read(md, 0); @@ -1963,7 +1974,7 @@ found_closest_encloser: } static int dnssec_nsec_wildcard_equal(DnsResourceRecord *rr, const char *name) { - char label[DNS_LABEL_MAX]; + char label[DNS_LABEL_MAX+1]; const char *n; int r; @@ -2576,6 +2587,7 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = { [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary", [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch", [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server", + [DNSSEC_UPSTREAM_FAILURE] = "upstream-failure", [DNSSEC_TOO_MANY_VALIDATIONS] = "too-many-validations", }; DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult); |