nitpicks
authorPetr Špaček <petr.spacek@nic.cz>
Fri, 15 Feb 2019 12:25:37 +0000 (13:25 +0100)
committerPetr Špaček <petr.spacek@nic.cz>
Mon, 25 Feb 2019 08:16:35 +0000 (09:16 +0100)
daemon/bindings/net.c
daemon/tls.c
daemon/worker.c
modules/policy/policy.lua

index f8cbc32019557c38a270319cf9d2352cbba51a6b..79b98a14959495fc033def013252f9b760f4e128 100644 (file)
@@ -377,6 +377,7 @@ static int net_tls_client(lua_State *L)
        /* Various basic sanity-checking. */
        if (lua_gettop(L) != 1 || !lua_istable(L, 1))
                lua_error_maybe(L, EINVAL);
+       /* check that only allowed keys are present */
        {
                const char *bad_key = lua_table_checkindices(L, (const char *[])
                        { "1", "hostname", "ca_file", "pin_sha256", "insecure", NULL });
index 75fcd6d47a94c00a4dc1a7e5208816de35ad9a78..5f3de0ec103e7b229b34921b1c5e42ac687f7f87 100644 (file)
@@ -572,23 +572,21 @@ static int get_oob_key_pin(gnutls_x509_crt_t crt, char *outchar, ssize_t outchar
        err = gnutls_pubkey_export2(key, GNUTLS_X509_FMT_DER, &datum);
        if (err != GNUTLS_E_SUCCESS) goto leave;
 
-       {
-               char raw_pin[TLS_SHA256_RAW_LEN]; /* TMP buffer if raw == false */
-               err = gnutls_hash_fast(GNUTLS_DIG_SHA256, datum.data, datum.size,
-                                       (raw ? outchar : raw_pin));
-               if (err != GNUTLS_E_SUCCESS || raw/*success*/)
-                       goto leave;
-               /* Convert to non-raw. */
-               err = base64_encode((uint8_t *)raw_pin, sizeof(raw_pin),
-                                   (uint8_t *)outchar, outchar_len);
-               if (err >= 0 && err < outchar_len) {
-                       err = GNUTLS_E_SUCCESS;
-                       outchar[err] = '\0'; /* base64_decode() doesn't do it */
-               } else if (err >= 0) {
-                       assert(false);
-                       err = kr_error(ENOSPC); /* base64 fits but '\0' doesn't */
-                       outchar[outchar_len - 1] = '\0';
-               }
+       char raw_pin[TLS_SHA256_RAW_LEN]; /* TMP buffer if raw == false */
+       err = gnutls_hash_fast(GNUTLS_DIG_SHA256, datum.data, datum.size,
+                               (raw ? outchar : raw_pin));
+       if (err != GNUTLS_E_SUCCESS || raw/*success*/)
+               goto leave;
+       /* Convert to non-raw. */
+       err = base64_encode((uint8_t *)raw_pin, sizeof(raw_pin),
+                           (uint8_t *)outchar, outchar_len);
+       if (err >= 0 && err < outchar_len) {
+               err = GNUTLS_E_SUCCESS;
+               outchar[err] = '\0'; /* base64_encode() doesn't do it */
+       } else if (err >= 0) {
+               assert(false);
+               err = kr_error(ENOSPC); /* base64 fits but '\0' doesn't */
+               outchar[outchar_len - 1] = '\0';
        }
 leave:
        gnutls_free(datum.data);
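Review bot: In the success branch the assignment `err = GNUTLS_E_SUCCESS;` (line 52) runs before `outchar[err] = '\0';` (line 53), and since GNUTLS_E_SUCCESS is 0 the terminator lands at index 0 instead of after the base64 text, so the non-raw pin comes back as an empty string. The ordering predates this commit (it is in the removed block too), but the un-nesting keeps it; swapping the two lines fixes it: `outchar[err] = '\0'; /* base64_encode() doesn't do it */` followed by `err = GNUTLS_E_SUCCESS;`. Any caller that uses the base64 form for pin comparison or logging would presumably see an empty value, which is worth checking against the call sites outside this hunk. get_oob_key_pin's prologue and return are outside the hunk.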
index 0c90014346e71e8b17a8afe178a936d0e78a43ab..c508b0de8a32a19836675d7f86e869f61e120dee 100644 (file)
@@ -1508,6 +1508,7 @@ static int qr_task_step(struct qr_task *task,
                /* TODO if there are multiple addresses (task->addrlist_count > 1)
                 * check all of them. */
                struct network *net = &worker->engine->net;
+               /* task->addrlist has to contain TLS port before tls_client_param_get() call */
                kr_inaddr_set_port(task->addrlist, KR_DNS_TLS_PORT);
                tls_client_param_t *tls_entry =
                        tls_client_param_get(net->tls_client_params, task->addrlist);
index be6a69ba90c58520b5dd88ede46d774a1291b59c..3ec51a4045532e8cac3413ddc46e7e2349080c0a 100644 (file)
@@ -156,8 +156,8 @@ function policy.TLS_FORWARD(targets)
        local nslist = {} -- to persist in closure of the returned function
        for idx, target in pairs(targets) do
                if type(target) ~= 'table' or type(target[1]) ~= 'string' then
-                       error('TLS_FORWARD argument number %1 must be a table starting with an address',
-                                       idx)
+                       error(string.format('TLS_FORWARD configuration at position ' ..
+                       '%d must be a table starting with an IP address', idx))
                end
                -- Note: some functions have checks with error() calls inside.
                local sockaddr_c = addr2sock(target[1], 853)
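Review bot: The `%d` in the new `string.format` call (line 78) raises its own "bad argument #2 to 'format'" error when `idx` is not a number, and because `targets` is walked with `pairs` (line 73) a configuration that uses a string key (e.g. a constructed `{hostname = '...'}` passed where a list was expected) never reaches the intended message. Use `'%s must be a table starting with an IP address', tostring(idx)` so the diagnostic is printed for any key type. Passing level 2, `error(string.format(...), 2)`, would additionally report the position as the caller's configuration line rather than inside policy.lua. TLS_FORWARD's body continues past the hunk.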