ldns_rr_push_rdf(ds, tmp);
/* copy the algorithm field */
- ldns_rr_push_rdf(ds, ldns_rdf_clone( ldns_rr_rdf(key, 2)));
+ if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
+ LDNS_FREE(digest);
+ ldns_buffer_free(data_buf);
+ ldns_rr_free(ds);
+ return NULL;
+ } else {
+ ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp ));
+ }
/* digest hash type */
sha1hash = (uint8_t)h;
if (nsec3_rr &&
(ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
- && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0
- ) {
+ && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
+ && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
}
return 0;
if (nsec3_rr &&
(ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
- && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0
- ) {
+ && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
+ && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
}
return 0;
if (nsec3_rr &&
(ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
- && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0
- ) {
+ && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
+ && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
}
return 0;
bool result;
if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
- nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
+ if (ldns_rr_rdf(nsec, 0) != NULL) {
+ nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
+ } else {
+ return false;
+ }
} else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
hash_next = ldns_nsec3_next_owner(nsec);
next_hash_str = ldns_rdf2str(hash_next);
/* did the caller actually set it? if not,
* fall back to default ttl
*/
- if (soa && soa->rrs && soa->rrs->rr) {
- nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
- soa->rrs->rr, 6));
+ if (soa && soa->rrs && soa->rrs->rr
+ && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) {
+ nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
} else {
nsec_ttl = LDNS_DEFAULT_TTL;
}
/* did the caller actually set it? if not,
* fall back to default ttl
*/
- if (soa && soa->rrs && soa->rrs->rr) {
- nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
- soa->rrs->rr, 6));
+ if (soa && soa->rrs && soa->rrs->rr
+ && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) {
+ nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
} else {
nsec_ttl = LDNS_DEFAULT_TTL;
}
}
}
- if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
+ if (signatures && ldns_rr_list_rr_count(signatures) > 0
+ && ldns_rr_rd_count(ldns_rr_list_rr(signatures, 0))
+ > 7) {
key_name = ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7);
}
ldns_rdf *wildcard_name;
ldns_rdf *wildcard_chopped;
ldns_rdf *wildcard_chopped_tmp;
+
+ if ((rrsig == NULL) || ldns_rr_rd_count(rrsig) < 4) {
+ return;
+ }
orig_ttl = ldns_rdf2native_int32( ldns_rr_rdf(rrsig, 3));
label_count = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 2));
static ldns_status
ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
{
- uint8_t sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
+ uint8_t sig_algo;
+
+ if (rrsig == NULL) {
+ return LDNS_STATUS_CRYPTO_NO_RRSIG;
+ }
+ if (ldns_rr_rdf(rrsig, 1) == NULL) {
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
/* check for known and implemented algo's now (otherwise
* the function could return a wrong error
*/
#ifdef USE_GOST
case LDNS_ECC_GOST:
#endif
- if (ldns_rdf2buffer_wire(rawsig_buf,
- ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
+ if (ldns_rr_rdf(rrsig, 8) == NULL) {
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ if (ldns_rdf2buffer_wire(rawsig_buf, ldns_rr_rdf(rrsig, 8))
+ != LDNS_STATUS_OK) {
return LDNS_STATUS_MEM_ERR;
}
break;
case LDNS_DSA:
case LDNS_DSA_NSEC3:
/* EVP takes rfc2459 format, which is a tad longer than dns format */
- if (ldns_convert_dsa_rrsig_rdf2asn1(rawsig_buf,
- ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
+ if (ldns_rr_rdf(rrsig, 8) == NULL) {
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ if (ldns_convert_dsa_rrsig_rdf2asn1(
+ rawsig_buf, ldns_rr_rdf(rrsig, 8))
+ != LDNS_STATUS_OK) {
/*
if (ldns_rdf2buffer_wire(rawsig_buf,
ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
case LDNS_ECDSAP384SHA384:
/* EVP produces an ASN prefix on the signature, which is
* not used in the DNS */
- if (ldns_convert_ecdsa_rrsig_rdf2asn1(rawsig_buf,
- ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
+ if (ldns_rr_rdf(rrsig, 8) == NULL) {
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ if (ldns_convert_ecdsa_rrsig_rdf2asn1(
+ rawsig_buf, ldns_rr_rdf(rrsig, 8))
+ != LDNS_STATUS_OK) {
return LDNS_STATUS_MEM_ERR;
}
break;
ldns_verify_test_sig_key(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
ldns_rr* rrsig, ldns_rr* key)
{
- uint8_t sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
+ uint8_t sig_algo;
+
+ if (rrsig == NULL) {
+ return LDNS_STATUS_CRYPTO_NO_RRSIG;
+ }
+ if (ldns_rr_rdf(rrsig, 1) == NULL) {
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
/* before anything, check if the keytags match */
if (ldns_calc_keytag(key)
/* put the key-data in a buffer, that's the third rdf, with
* the base64 encoded key data */
- if (ldns_rdf2buffer_wire(key_buf, ldns_rr_rdf(key, 3))
- != LDNS_STATUS_OK) {
+ if (ldns_rr_rdf(rrsig, 3) == NULL) {
+ ldns_buffer_free(key_buf);
+ return LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ if (ldns_rdf2buffer_wire(key_buf, ldns_rr_rdf(rrsig, 3))
+ != LDNS_STATUS_OK) {
ldns_buffer_free(key_buf);
/* returning is bad might screw up
good keys later in the list
return LDNS_STATUS_ERR;
}
- if (sig_algo == ldns_rdf2native_int8(ldns_rr_rdf(key, 2))) {
+ if (ldns_rr_rdf(rrsig, 2) == NULL) {
+ result = LDNS_STATUS_MALFORMED_RRSIG;
+ }
+ else if (sig_algo == ldns_rdf2native_int8(
+ ldns_rr_rdf(rrsig, 2))) {
result = ldns_verify_rrsig_buffers(rawsig_buf,
verify_buf, key_buf, sig_algo);
} else {
{ LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED, "RR not covered by the given NSEC RRs" },
{ LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED, "wildcard not covered by the given NSEC RRs" },
{ LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND, "original of NSEC3 hashed name could not be found" },
+ { LDNS_STATUS_MALFORMED_RRSIG, "Some of the fields of the RRSIG were missing or malformed" },
{ 0, NULL }
};
uint16_t pos = 0;
uint16_t bit_pos;
ldns_rdf *nsec_type_list = ldns_rr_rdf(nsec, 1);
- uint8_t *data = ldns_rdf_data(nsec_type_list);
+ uint8_t *data;
+
+ if (nsec_type_list == NULL) {
+ return false;
+ }
+ data = ldns_rdf_data(nsec_type_list);
while(pos < ldns_rdf_size(nsec_type_list)) {
window_block_nr = data[pos];
{
uint16_t i, flags;
ldns_status status = LDNS_STATUS_OK;
+
if (!rr) {
ldns_buffer_printf(output, "(null)\n");
} else {
}
for (i = 0; i < ldns_rr_rd_count(rr); i++) {
+ /* ldns_rdf2buffer_str handles NULL input fine! */
status = ldns_rdf2buffer_str(output, ldns_rr_rdf(rr, i));
if(status != LDNS_STATUS_OK)
return status;
if (ldns_rr_rd_count(rr) > 0) {
switch (ldns_rr_get_type(rr)) {
case LDNS_RR_TYPE_DNSKEY:
- if (ldns_rr_rdf(rr, 0)) {
- flags = ldns_rdf2native_int16(ldns_rr_rdf(rr, 0));
- if (flags == 256 || flags == 384) {
- ldns_buffer_printf(output,
- " ;{id = %u (zsk), size = %db}",
- (unsigned int) ldns_calc_keytag(rr),
- ldns_rr_dnskey_key_size(rr));
- break;
- }
- if (flags == 257 || flags == 385) {
- ldns_buffer_printf(output,
- " ;{id = %u (ksk), size = %db}",
- (unsigned int) ldns_calc_keytag(rr),
- ldns_rr_dnskey_key_size(rr));
- break;
- }
- ldns_buffer_printf(output, " ;{id = %u, size = %db}",
+ /* if ldns_rr_rd_count(rr) > 0
+ then ldns_rr_rdf(rr, 0) exists! */
+ flags = ldns_rdf2native_int16(ldns_rr_rdf(rr, 0));
+ if (flags == 256 || flags == 384) {
+ ldns_buffer_printf(output,
+ " ;{id = %u (zsk), size = %db}",
(unsigned int) ldns_calc_keytag(rr),
ldns_rr_dnskey_key_size(rr));
+ break;
}
+ if (flags == 257 || flags == 385) {
+ ldns_buffer_printf(output,
+ " ;{id = %u (ksk), size = %db}",
+ (unsigned int) ldns_calc_keytag(rr),
+ ldns_rr_dnskey_key_size(rr));
+ break;
+ }
+ ldns_buffer_printf(output, " ;{id = %u, size = %db}",
+ (unsigned int) ldns_calc_keytag(rr),
+ ldns_rr_dnskey_key_size(rr));
break;
case LDNS_RR_TYPE_RRSIG:
- ldns_buffer_printf(output, " ;{id = %d}",
- ldns_rdf2native_int16(ldns_rr_rdf(rr, 6)));
+ if (ldns_rr_rdf(rr, 6) != NULL) {
+ ldns_buffer_printf(output, " ;{id = %d}",
+ ldns_rdf2native_int16(ldns_rr_rdf(rr, 6)));
+ }
break;
case LDNS_RR_TYPE_DS:
- {
+ if (ldns_rr_rdf(rr, 3) != NULL) {
uint8_t *data = ldns_rdf_data(ldns_rr_rdf(rr, 3));
size_t len = ldns_rdf_size(ldns_rr_rdf(rr, 3));
char *babble = ldns_bubblebabble(data, len);
for (i = 0; i < ldns_rr_rd_count(rr); i++) {
if (pre_rfc3597) {
- (void) ldns_rdf2buffer_wire_canonical(buffer,
- ldns_rr_rdf(rr, i));
+ (void) ldns_rdf2buffer_wire_canonical(
+ buffer, ldns_rr_rdf(rr, i));
} else {
- (void) ldns_rdf2buffer_wire(buffer, ldns_rr_rdf(rr, i));
+ (void) ldns_rdf2buffer_wire(
+ buffer, ldns_rr_rdf(rr, i));
}
}
}
for (i = 0; i < ldns_rr_rd_count(rr); i++) {
- (void) ldns_rdf2buffer_wire(buffer, ldns_rr_rdf(rr, i));
+ (void) ldns_rdf2buffer_wire(
+ buffer, ldns_rr_rdf(rr, i));
}
if (rdl_pos != 0) {
/* Convert all the rdfs, except the actual signature data
* rdf number 8 - the last, hence: -1 */
for (i = 0; i < ldns_rr_rd_count(rr) - 1; i++) {
- if (ldns_rr_rdf(rr, i)) {
- (void) ldns_rdf2buffer_wire(buffer, ldns_rr_rdf(rr, i));
- }
+ (void) ldns_rdf2buffer_wire(buffer, ldns_rr_rdf(rr, i));
}
return ldns_buffer_status(buffer);
LDNS_STATUS_DNSSEC_EXISTENCE_DENIED,
LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED,
LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED,
- LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND
+ LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND,
+ LDNS_STATUS_MALFORMED_RRSIG
};
typedef enum ldns_enum_status ldns_status;
ldns_rdf *
ldns_rr_rdf(const ldns_rr *rr, size_t nr)
{
- if (nr < ldns_rr_rd_count(rr)) {
+ if (rr && nr < ldns_rr_rd_count(rr)) {
return rr->_rdata_fields[nr];
} else {
return NULL;
return false;
}
-algo = ldns_rdf2native_int8(ldns_rr_rdf(ds, 2));
+ if (ldns_rr_rdf(ds, 2) == NULL) {
+ return false;
+ }
+ algo = ldns_rdf2native_int8(ldns_rr_rdf(ds, 2));
ds_gen = ldns_key_rr2ds(dnskey, algo);
if (ds_gen) {
size_t
ldns_rr_dnskey_key_size(const ldns_rr *key)
{
- if (!key) {
+ if (!key || !ldns_rr_dnskey_key(key)
+ || !ldns_rr_dnskey_algorithm(key)) {
return 0;
}
return ldns_rr_dnskey_key_size_raw((unsigned char*)ldns_rdf_data(ldns_rr_dnskey_key(key)),
ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
- if (!orig_tsig) {
+ if (!orig_tsig || ldns_rr_rd_count(orig_tsig) <= 6) {
ldns_rdf_deep_free(key_name_rdf);
return false;
}
/* Expect a SOA answer. */
*mname = NULL;
while ((soa_rr = ldns_rr_list_pop_rr(ldns_pkt_answer(resp)))) {
- if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA)
+ if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA
+ || ldns_rr_rdf(soa_rr, 0) == NULL)
continue;
/* [RFC1035 3.3.13] */
*mname = ldns_rdf_clone(ldns_rr_rdf(soa_rr, 0));
/* XXX Is it safe to only look in authority section here? */
while ((soa_rr = ldns_rr_list_pop_rr(ldns_pkt_authority(resp)))) {
- if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA)
+ if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA
+ || ldns_rr_rdf(soa_rr, 0) == NULL)
continue;
/* [RFC1035 3.3.13] */
soa_mname = ldns_rdf_clone(ldns_rr_rdf(soa_rr, 0));
/* XXX Is it safe to only look in authority section here, too? */
while ((soa_rr = ldns_rr_list_pop_rr(ldns_pkt_authority(resp)))) {
- if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA)
+ if (ldns_rr_get_type(soa_rr) != LDNS_RR_TYPE_SOA
+ || ldns_rr_rdf(soa_rr, 0) == NULL)
continue;
/* [RFC1035 3.3.13] */
soa_mname = ldns_rdf_clone(ldns_rr_rdf(soa_rr, 0));
projects / thirdparty / ldns.git / commitdiff
