shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-25 06:03:40 +03:00
Code

resolved: fix DNSKEY validation against DS

Browse Source 
Let's use the wireformat name, not the text version.

Fixes: #8901
This commit is contained in:
Lennart Poettering 2018-06-08 15:37:49 +02:00
parent 89278d96dc
commit c910c520cf
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/resolve/resolved-dns-dnssec.c
View File

@ -1153,7 +1153,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) {
} }
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) { int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX]; uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
size_t hash_size; size_t hash_size;
int md_algorithm, r; int md_algorithm, r;
@ -1192,7 +1192,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
if (ds->ds.digest_size != hash_size) if (ds->ds.digest_size != hash_size)
return 0; return 0;
r = dnssec_canonicalize(dns_resource_key_name(dnskey->key), owner_name, sizeof(owner_name)); r = dns_name_to_wire_format(dns_resource_key_name(dnskey->key), wire_format, sizeof(wire_format), true);
if (r < 0) if (r < 0)
return r; return r;
@ -1200,7 +1200,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
if (!md) if (!md)
return -EIO; return -EIO;
gcry_md_write(md, owner_name, r); gcry_md_write(md, wire_format, r);
if (mask_revoke) if (mask_revoke)
md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE); md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE);
else else
@ -1213,7 +1213,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
if (!result) if (!result)
return -EIO; return -EIO;
return memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0; return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0;
} }
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) { int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {