From: Petr Špaček
Date: Fri, 15 Feb 2019 12:25:37 +0000 (+0100)
Subject: nitpicks
X-Git-Tag: v4.0.0~34^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6bd23d70b4327078a35ddb3a901759dcf8960984;p=thirdparty%2Fknot-resolver.git

nitpicks
---

diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c
index f8cbc3201..79b98a149 100644
--- a/daemon/bindings/net.c
+++ b/daemon/bindings/net.c
@@ -377,6 +377,7 @@ static int net_tls_client(lua_State *L)
 	/* Various basic sanity-checking. */
 	if (lua_gettop(L) != 1 || !lua_istable(L, 1))
 		lua_error_maybe(L, EINVAL);
+	/* check that only allowed keys are present */
 	{
 		const char *bad_key = lua_table_checkindices(L, (const char *[])
 				{ "1", "hostname", "ca_file", "pin_sha256", "insecure", NULL });
diff --git a/daemon/tls.c b/daemon/tls.c
index 75fcd6d47..5f3de0ec1 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -572,23 +572,21 @@ static int get_oob_key_pin(gnutls_x509_crt_t crt, char *outchar, ssize_t outchar
 	err = gnutls_pubkey_export2(key, GNUTLS_X509_FMT_DER, &datum);
 	if (err != GNUTLS_E_SUCCESS)
 		goto leave;
-	{
-		char raw_pin[TLS_SHA256_RAW_LEN]; /* TMP buffer if raw == false */
-		err = gnutls_hash_fast(GNUTLS_DIG_SHA256, datum.data, datum.size,
-				(raw ? outchar : raw_pin));
-		if (err != GNUTLS_E_SUCCESS || raw/*success*/)
-			goto leave;
-		/* Convert to non-raw. */
-		err = base64_encode((uint8_t *)raw_pin, sizeof(raw_pin),
-				(uint8_t *)outchar, outchar_len);
-		if (err >= 0 && err < outchar_len) {
-			err = GNUTLS_E_SUCCESS;
-			outchar[err] = '\0'; /* base64_decode() doesn't do it */
-		} else if (err >= 0) {
-			assert(false);
-			err = kr_error(ENOSPC); /* base64 fits but '\0' doesn't */
-			outchar[outchar_len - 1] = '\0';
-		}
+	char raw_pin[TLS_SHA256_RAW_LEN]; /* TMP buffer if raw == false */
+	err = gnutls_hash_fast(GNUTLS_DIG_SHA256, datum.data, datum.size,
+			(raw ? outchar : raw_pin));
+	if (err != GNUTLS_E_SUCCESS || raw/*success*/)
+		goto leave;
+	/* Convert to non-raw. */
+	err = base64_encode((uint8_t *)raw_pin, sizeof(raw_pin),
+			(uint8_t *)outchar, outchar_len);
+	if (err >= 0 && err < outchar_len) {
+		err = GNUTLS_E_SUCCESS;
+		outchar[err] = '\0'; /* base64_encode() doesn't do it */
+	} else if (err >= 0) {
+		assert(false);
+		err = kr_error(ENOSPC); /* base64 fits but '\0' doesn't */
+		outchar[outchar_len - 1] = '\0';
 	}
 leave:
 	gnutls_free(datum.data);
diff --git a/daemon/worker.c b/daemon/worker.c
index 0c9001434..c508b0de8 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
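Review bot: In the success branch after base64_encode(), `err = GNUTLS_E_SUCCESS;` is executed before `outchar[err] = '\0';`, and since GNUTLS_E_SUCCESS is 0 the terminator is written at index 0 rather than after the encoded bytes, so the non-raw pin the caller receives is an empty C string; the removed lines show the same order, and the re-indent keeps it. Swapping the two statements fixes it: `outchar[err] = '\0'; /* base64_encode() doesn't do it */` followed by `err = GNUTLS_E_SUCCESS;`. Separately, the raw path lets gnutls_hash_fast() write TLS_SHA256_RAW_LEN bytes straight into outchar with no comparison against outchar_len visible in this hunk; unless the part of get_oob_key_pin() before the hunk already guarantees the size, a guard such as `if (raw && outchar_len < TLS_SHA256_RAW_LEN) { err = kr_error(ENOSPC); goto leave; }` before the hash call would be worth adding. get_oob_key_pin() begins and returns outside this hunk.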
@@ -1508,6 +1508,7 @@ static int qr_task_step(struct qr_task *task,
 			/* TODO if there are multiple addresses (task->addrlist_count > 1)
 			 * check all of them. */
 			struct network *net = &worker->engine->net;
+			/* task->addrlist has to contain TLS port before tls_client_param_get() call */
 			kr_inaddr_set_port(task->addrlist, KR_DNS_TLS_PORT);
 			tls_client_param_t *tls_entry = tls_client_param_get(
 					net->tls_client_params, task->addrlist);
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index be6a69ba9..3ec51a404 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -156,8 +156,8 @@ function policy.TLS_FORWARD(targets)
 	local nslist = {} -- to persist in closure of the returned function
 	for idx, target in pairs(targets) do
 		if type(target) ~= 'table' or type(target[1]) ~= 'string' then
-			error('TLS_FORWARD argument number %1 must be a table starting with an address',
-				idx)
+			error(string.format('TLS_FORWARD configuration at position ' ..
+				'%d must be a table starting with an IP address', idx))
 		end
 		-- Note: some functions have checks with error() calls inside.
 		local sockaddr_c = addr2sock(target[1], 853)
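Review bot: The new error message formats `idx` with `%d`, but `idx` comes from `pairs(targets)` two lines above and can be a string key when the configuration passes a map instead of an array; string.format then raises its own "number expected" error and the configuration mistake this branch is meant to report is replaced by a confusing one. Using `%s` with `tostring(idx)` keeps the message for any key type: `error(string.format('TLS_FORWARD configuration at position %s must be a table starting with an IP address', tostring(idx)))`. policy.TLS_FORWARD continues past the end of the hunk.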