Diffstat (limited to 'validator')
-rw-r--r--validator/autotrust.c1
-rw-r--r--validator/val_nsec3.c12
-rw-r--r--validator/val_secalgo.c62
3 files changed, 55 insertions, 20 deletions
diff --git a/validator/autotrust.c b/validator/autotrust.c
index a34a7c96c814..a72967302df1 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*,
list_i = list;
i = 0;
while(iter(&list_i, &rr, &rr_len, &dname_len)) {
+ log_assert(data->rr_data[i]);
memmove(data->rr_data[i],
sldns_wirerr_get_rdatawl(rr, rr_len, dname_len),
data->rr_len[i]);
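Review bot: The added `log_assert(data->rr_data[i]);` documents the invariant but does not protect the memmove that follows: if log_assert compiles to a no-op outside debug builds, as is usual for this macro, a NULL rr_data[i] still reaches memmove unchanged. If rr_data[i] can be NULL here (its allocation is outside this hunk), the loop should treat that as a failure rather than assert; if it cannot, a comment stating where the allocation is guaranteed, e.g. `/* rr_data[i] is allocated for every rr the iterator yields, see above */`, would make the assertion's intent clear to the next reader. packed_rrset_heap_data starts and ends outside the hunk.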
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 773ed30cde5d..763b5ab7c767 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -520,6 +520,10 @@ nsec3_hash_cmp(const void* c1, const void* c2)
}
(void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len);
(void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len);
+ if(s1len == 0 && s2len == 0)
+ return 0;
+ if(!s1) return -1;
+ if(!s2) return 1;
if(s1len != s2len) {
if(s1len < s2len)
return -1;
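Review bot: The new NULL guards are not antisymmetric when both salts are NULL with non-zero lengths: `if(!s1) return -1;` fires for either argument order, so cmp(a,b) and cmp(b,a) would both return -1, which an ordering comparator must not do. Adding `if(!s1 && !s2) return 0;` before that line keeps the comparator consistent for that (presumably rare) case. The result of nsec3_get_salt is still discarded with (void) on both calls; if it reports the malformed case directly, testing it would be clearer than inferring it from a NULL pointer. nsec3_hash_cmp continues outside the hunk.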
@@ -736,7 +740,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
- struct nsec3_cached_hash* hash;
+ struct nsec3_cached_hash* hash = NULL;
int r;
/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
@@ -748,7 +752,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
if(r == 0) {
log_err("nsec3: malloc failure");
break; /* alloc failure */
- } else if(r < 0)
+ } else if(r != 1)
continue; /* malformed NSEC3 */
else if(nsec3_hash_matches_owner(flt, hash, s)) {
*rrset = s; /* rrset with this name */
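Review bot: `} else if(r != 1)` now routes every result other than 0 and 1 to the skip path, but the comment `continue; /* malformed NSEC3 */` still describes only the negative case; since the call that produces r is outside the hunk, a reader cannot tell whether values above 1 are possible. Suggest `continue; /* malformed NSEC3, or any non-success result */` here and at the identical line in find_covering_nsec3. Initialising hash to NULL in both declaration hunks is sound, but the code after the r == 1 test still depends on the hashing call setting hash on success; a one-line comment at the declaration, `/* set by the hash call below when r == 1 */`, would record that. Both loop bodies start outside the hunk.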
@@ -829,7 +833,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
- struct nsec3_cached_hash* hash;
+ struct nsec3_cached_hash* hash = NULL;
int r;
/* this loop skips other-zone and unknown NSEC3s, also non-NSEC3 RRs */
@@ -841,7 +845,7 @@ find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
if(r == 0) {
log_err("nsec3: malloc failure");
break; /* alloc failure */
- } else if(r < 0)
+ } else if(r != 1)
continue; /* malformed NSEC3 */
else if(nsec3_covers(flt->zone, hash, s, i_rr,
env->scratch_buffer)) {
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 95200a48b61b..0613316c9088 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -77,6 +77,22 @@ int fake_dsa = 0;
/** fake SHA1 support for unit tests */
int fake_sha1 = 0;
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+ char buf[128];
+ /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+ ERR_error_string_n(e, buf, sizeof(buf));
+ /* buf now contains */
+ /* error:[error code]:[library name]:[function name]:[reason string] */
+ log_err("%s crypto %s", str, buf);
+}
+
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
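Review bot: log_crypto_error formats e without checking that it is non-zero; the new callers pass ERR_get_error(), which returns 0 when libcrypto queued nothing, and for 0 ERR_error_string_n typically yields an all-zero placeholder instead of a reason. Guarding with `if(e == 0) { log_err("%s crypto: no error in queue", str); return; }` gives a readable log line when sldns_digest_evp fails for a reason it did not push onto the error queue, which may be possible depending on its internals (outside this file). The function body is an unchanged relocation; a comment such as `/* defined before secalgo_nsec3_hash, which calls it */` would explain the move, and the TODO about ERR_error_string could be resolved or removed while it is being touched.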
@@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
{
switch(algo) {
case NSEC3_HASH_SHA1:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+ log_crypto_error("could not digest with EVP_sha1",
+ ERR_get_error());
+#else
(void)SHA1(buf, len, res);
+#endif
return 1;
default:
return 0;
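Review bot: In the new OPENSSL_FIPS branch a failed sldns_digest_evp is logged but execution still falls through to `return 1;`, so the caller treats res as a valid SHA1 digest although nothing, or only part of it, was written; for NSEC3 that means an undefined hash is compared against owner names. The failure should be reported: brace the if body and add `return 0;` after the log_crypto_error call, which matches the existing meaning of 0 for an unusable digest. secalgo_ds_digest has the same fall-through to `return 1;` in its SHA1, SHA256 and SHA384 branches, and secalgo_hash_sha256 has it too but is void, so its callers would need a status or a defined res (for example zeroed) to detect the condition.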
@@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
void
secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
{
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+ log_crypto_error("could not digest with EVP_sha256",
+ ERR_get_error());
+#else
(void)SHA256(buf, len, res);
+#endif
}
/**
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
switch(algo) {
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
case LDNS_SHA1:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
+ log_crypto_error("could not digest with EVP_sha1",
+ ERR_get_error());
+#else
(void)SHA1(buf, len, res);
+#endif
return 1;
#endif
#ifdef HAVE_EVP_SHA256
case LDNS_SHA256:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
+ log_crypto_error("could not digest with EVP_sha256",
+ ERR_get_error());
+#else
(void)SHA256(buf, len, res);
+#endif
return 1;
#endif
#ifdef USE_GOST
@@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
#endif
#ifdef USE_ECDSA
case LDNS_SHA384:
+#ifdef OPENSSL_FIPS
+ if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
+ log_crypto_error("could not digest with EVP_sha384",
+ ERR_get_error());
+#else
(void)SHA384(buf, len, res);
+#endif
return 1;
#endif
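Review bot: The `#ifdef OPENSSL_FIPS` / `#else` pair is now repeated five times across secalgo_nsec3_hash, secalgo_hash_sha256 and secalgo_ds_digest, each copy differing only in the EVP_* constructor, the direct SHA* call and the error text. A small static helper placed next to log_crypto_error would keep the conditional compilation in one place, take the direct implementation as a function pointer so the non-FIPS behaviour stays exactly as committed, and return the digest status so each call site can act on it; the SHA384 case above would then read `(void)secalgo_digest(buf, len, res, EVP_sha384(), SHA384, "could not digest with EVP_sha384");` with the per-site `#ifdef` removed. The surrounding `#if defined(HAVE_EVP_SHA1)` / `#ifdef USE_ECDSA` guards around the case labels stay as they are. secalgo_ds_digest starts and ends outside the hunk.
```c
/* Digest buf[0..len) into res.  In FIPS builds the EVP interface is
 * used; otherwise `direct' (SHA1, SHA256, SHA384) is called as before.
 * Returns 1 on success, 0 if the EVP digest failed (already logged). */
static int
secalgo_digest(unsigned char* buf, size_t len, unsigned char* res,
	const EVP_MD* md,
	unsigned char* (*direct)(const unsigned char*, size_t, unsigned char*),
	const char* errstr)
{
#ifdef OPENSSL_FIPS
	(void)direct;
	if(!sldns_digest_evp(buf, len, res, md)) {
		log_crypto_error(errstr, ERR_get_error());
		return 0;
	}
	return 1;
#else
	(void)md; (void)errstr;
	(void)direct(buf, len, res);
	return 1;
#endif
}
```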
default:
@@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
}
}
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
- char buf[128];
- /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
- ERR_error_string_n(e, buf, sizeof(buf));
- /* buf now contains */
- /* error:[error code]:[library name]:[function name]:[reason string] */
- log_err("%s crypto %s", str, buf);
-}
-
#ifdef USE_DSA
/**
* Setup DSA key digest in DER encoding ...