author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2014-05-14 18:43:20 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2014-05-14 18:43:20 +0000 |
commit | f61d78fb42d2662643e7f0dbdcb97adbc2589dbc (patch) | |
tree | 9b915379eafaa12682f45d6cb1f41e94fcb12a36 /validator | |
parent | 697291b66c481c617cf9875497e2189bc4a4b096 (diff) | |
download | src-test2-f61d78fb42d2662643e7f0dbdcb97adbc2589dbc.tar.gz src-test2-f61d78fb42d2662643e7f0dbdcb97adbc2589dbc.zip |
Notes
Diffstat (limited to 'validator')
-rw-r--r-- | validator/autotrust.c | 84 | ||||
-rw-r--r-- | validator/autotrust.h | 6 | ||||
-rw-r--r-- | validator/val_anchor.c | 4 | ||||
-rw-r--r-- | validator/val_kcache.c | 2 | ||||
-rw-r--r-- | validator/val_kcache.h | 2 | ||||
-rw-r--r-- | validator/val_kentry.c | 10 | ||||
-rw-r--r-- | validator/val_kentry.h | 12 | ||||
-rw-r--r-- | validator/val_neg.c | 16 | ||||
-rw-r--r-- | validator/val_neg.h | 4 | ||||
-rw-r--r-- | validator/val_nsec.c | 2 | ||||
-rw-r--r-- | validator/val_nsec.h | 2 | ||||
-rw-r--r-- | validator/val_nsec3.c | 2 | ||||
-rw-r--r-- | validator/val_secalgo.c | 14 | ||||
-rw-r--r-- | validator/val_sigcrypt.c | 15 | ||||
-rw-r--r-- | validator/val_sigcrypt.h | 4 | ||||
-rw-r--r-- | validator/val_utils.c | 8 | ||||
-rw-r--r-- | validator/validator.c | 2 |
17 files changed, 103 insertions, 86 deletions
diff --git a/validator/autotrust.c b/validator/autotrust.c index 99537d18aeeb..3d22637b8c2e 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -242,7 +242,7 @@ parse_comments(char* str, struct autr_ta* ta) if (pos < 0 || !timestamp) ta->last_change = 0; else - ta->last_change = (uint32_t)timestamp; + ta->last_change = (time_t)timestamp; free(comment); return 1; @@ -677,12 +677,12 @@ parse_var_line(char* line, struct val_anchors* anchors, } else if(strncmp(line, ";;query_interval: ", 18) == 0) { if(!tp) return -1; lock_basic_lock(&tp->lock); - tp->autr->query_interval = (uint32_t)parse_int(line+18, &r); + tp->autr->query_interval = (time_t)parse_int(line+18, &r); lock_basic_unlock(&tp->lock); } else if(strncmp(line, ";;retry_time: ", 14) == 0) { if(!tp) return -1; lock_basic_lock(&tp->lock); - tp->autr->retry_time = (uint32_t)parse_int(line+14, &r); + tp->autr->retry_time = (time_t)parse_int(line+14, &r); lock_basic_unlock(&tp->lock); } return r; @@ -881,6 +881,8 @@ print_id(FILE* out, char* fname, struct module_env* env, ldns_buffer_clear(env->scratch_buffer); #ifdef UNBOUND_DEBUG s = +#else + (void) #endif ldns_rdf2buffer_str_dname(env->scratch_buffer, &rdf); log_assert(s == LDNS_STATUS_OK); @@ -976,9 +978,13 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) char* fname = tp->autr->file; char tempf[2048]; log_assert(tp->autr); + if(!env) { + log_err("autr_write_file: Module environment is NULL."); + return; + } /* unique name with pid number and thread number */ snprintf(tempf, sizeof(tempf), "%s.%d-%d", fname, (int)getpid(), - env&&env->worker?*(int*)env->worker:0); + env->worker?*(int*)env->worker:0); verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); out = fopen(tempf, "w"); if(!out) { 
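Review bot: In parse_var_line the `;;query_interval:` and `;;retry_time:` branches store the parse_int() result into the trust point before `r` is looked at, and with the cast now `(time_t)` a negative result stays negative instead of wrapping to a large unsigned value. These fields are later copied into `qi` and `rt` in set_tp_times, so a damaged or hand-edited state file could presumably produce a negative probe interval; parse_int() is outside the hunk, so what it returns on error is an assumption. I would parse into a local `v` before taking the lock, reject bad input with `if(v < 0) return -1;`, and only then assign `tp->autr->query_interval = (time_t)v;`. The function body starts and ends outside this hunk.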
@@ -1031,23 +1037,23 @@ verify_dnskey(struct module_env* env, struct val_env* ve, } /** Find minimum expiration interval from signatures */ -static uint32_t +static time_t min_expiry(struct module_env* env, ldns_rr_list* rrset) { size_t i; - uint32_t t, r = 15 * 24 * 3600; /* 15 days max */ + int32_t t, r = 15 * 24 * 3600; /* 15 days max */ for(i=0; i<ldns_rr_list_rr_count(rrset); i++) { ldns_rr* rr = ldns_rr_list_rr(rrset, i); if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_RRSIG) continue; t = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(rr)); - if(t - *env->now > 0) { + if((int32_t)t - (int32_t)*env->now > 0) { t -= *env->now; if(t < r) r = t; } } - return r; + return (time_t)r; } /** Is rr self-signed revoked key */ @@ -1239,7 +1245,7 @@ add_key(struct trust_anchor* tp, ldns_rr* rr) } /** get TTL from DNSKEY rrset */ -static uint32_t +static time_t key_ttl(struct ub_packed_rrset_key* k) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; @@ -1248,10 +1254,10 @@ key_ttl(struct ub_packed_rrset_key* k) /** update the time values for the trustpoint */ static void -set_tp_times(struct trust_anchor* tp, uint32_t rrsig_exp_interval, - uint32_t origttl, int* changed) +set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval, + time_t origttl, int* changed) { - uint32_t x, qi = tp->autr->query_interval, rt = tp->autr->retry_time; + time_t x, qi = tp->autr->query_interval, rt = tp->autr->retry_time; /* x = MIN(15days, ttl/2, expire/2) */ x = 15 * 24 * 3600; 
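Review bot: The new test `(int32_t)t - (int32_t)*env->now > 0` in min_expiry subtracts two signed 32-bit values, which is undefined behaviour whenever the difference does not fit, for instance an RRSIG expiration at or above 2^31 compared with a current time below it. The following `t -= *env->now` then mixes `int32_t` with what appears to be a `time_t` and narrows the result back into `t`. Doing the wrap-around arithmetic in unsigned and converting once avoids both: `int32_t d = (int32_t)((uint32_t)t - (uint32_t)*env->now);` followed by `if(d > 0 && d < r) r = d;`.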
@@ -1444,21 +1450,21 @@ update_events(struct module_env* env, struct val_env* ve, * @param holddown: the timer value * @return number of seconds the holddown has passed. */ -static int -check_holddown(struct module_env* env, struct autr_ta* ta, +static time_t +check_holddown(struct module_env* env, struct autr_ta* ta, unsigned int holddown) { - unsigned int elapsed; - if((unsigned)*env->now < (unsigned)ta->last_change) { + time_t elapsed; + if(*env->now < ta->last_change) { log_warn("time goes backwards. delaying key holddown"); return 0; } - elapsed = (unsigned)*env->now - (unsigned)ta->last_change; - if (elapsed > holddown) { - return (int) (elapsed-holddown); + elapsed = *env->now - ta->last_change; + if (elapsed > (time_t)holddown) { + return elapsed-(time_t)holddown; } - verbose_key(ta, VERB_ALGO, "holddown time %d seconds to go", - (int) (holddown-elapsed)); + verbose_key(ta, VERB_ALGO, "holddown time %lld seconds to go", + (long long) ((time_t)holddown-elapsed)); return 0; } @@ -1498,11 +1504,11 @@ do_addtime(struct module_env* env, struct autr_ta* anchor, int* c) /* This not according to RFC, this is 30 days, but the RFC demands * MAX(30days, TTL expire time of first DNSKEY set with this key), * The value may be too small if a very large TTL was used. */ - int exceeded = check_holddown(env, anchor, env->cfg->add_holddown); + time_t exceeded = check_holddown(env, anchor, env->cfg->add_holddown); if (exceeded && anchor->s == AUTR_STATE_ADDPEND) { verbose_key(anchor, VERB_ALGO, "add-holddown time exceeded " - "%d seconds ago, and pending-count %d", exceeded, - anchor->pending_count); + "%lld seconds ago, and pending-count %d", + (long long)exceeded, anchor->pending_count); if(anchor->pending_count >= MIN_PENDINGCOUNT) { set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID); anchor->pending_count = 0; 
@@ -1517,10 +1523,10 @@ do_addtime(struct module_env* env, struct autr_ta* anchor, int* c) static void do_remtime(struct module_env* env, struct autr_ta* anchor, int* c) { - int exceeded = check_holddown(env, anchor, env->cfg->del_holddown); + time_t exceeded = check_holddown(env, anchor, env->cfg->del_holddown); if(exceeded && anchor->s == AUTR_STATE_REVOKED) { verbose_key(anchor, VERB_ALGO, "del-holddown time exceeded " - "%d seconds ago", exceeded); + "%lld seconds ago", (long long)exceeded); set_trustanchor_state(env, anchor, c, AUTR_STATE_REMOVED); } } @@ -1649,7 +1655,7 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, int* changed) { struct autr_ta* anchor; - int exceeded; + time_t exceeded; int valid = 0; /* see if we have anchors that are valid */ for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { @@ -1697,8 +1703,8 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, * one valid KSK: remove missing trust anchor */ if (exceeded && valid > 0) { verbose_key(anchor, VERB_ALGO, "keep-missing time " - "exceeded %d seconds ago, [%d key(s) VALID]", - exceeded, valid); + "exceeded %lld seconds ago, [%d key(s) VALID]", + (long long)exceeded, valid); set_trustanchor_state(env, anchor, changed, AUTR_STATE_REMOVED); } @@ -1762,15 +1768,15 @@ autr_cleanup_keys(struct trust_anchor* tp) /** calculate next probe time */ static time_t -calc_next_probe(struct module_env* env, uint32_t wait) +calc_next_probe(struct module_env* env, time_t wait) { /* make it random, 90-100% */ - uint32_t rnd, rest; + time_t rnd, rest; if(wait < 3600) wait = 3600; rnd = wait/10; rest = wait-rnd; - rnd = (uint32_t)ub_random_max(env->rnd, (long int)rnd); + rnd = (time_t)ub_random_max(env->rnd, (long int)rnd); return (time_t)(*env->now + rest + rnd); } 
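Review bot: calc_next_probe clamps `wait` only from below (`if(wait < 3600)`), and now that it is a `time_t` instead of a `uint32_t` nothing bounds it from above before `(long int)rnd` and `*env->now + rest + rnd`. Where `long` is narrower than `time_t` the cast can truncate the range handed to ub_random_max, and a very large `wait` lets the final sum overflow a signed type. An upper clamp beside the existing lower one would close this, e.g. `if(wait > 15*24*3600) wait = 15*24*3600;`, reusing the 15-day cap that set_tp_times applies; whether any caller can pass such a value is not visible here.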
@@ -1790,7 +1796,7 @@ reset_worker_timer(struct module_env* env) { struct timeval tv; #ifndef S_SPLINT_S - uint32_t next = (uint32_t)wait_probe_time(env->anchors); + time_t next = (time_t)wait_probe_time(env->anchors); /* in case this is libunbound, no timer */ if(!env->probe_timer) return; @@ -1800,7 +1806,7 @@ reset_worker_timer(struct module_env* env) #endif tv.tv_usec = 0; comm_timer_set(env->probe_timer, &tv); - verbose(VERB_ALGO, "scheduled next probe in %d sec", (int)tv.tv_sec); + verbose(VERB_ALGO, "scheduled next probe in %lld sec", (long long)tv.tv_sec); } /** set next probe for trust anchor */ @@ -2156,7 +2162,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp) /** fetch first to-probe trust-anchor and lock it and set retrytime */ static struct trust_anchor* -todo_probe(struct module_env* env, uint32_t* next) +todo_probe(struct module_env* env, time_t* next) { struct trust_anchor* tp; rbnode_t* el; @@ -2171,9 +2177,9 @@ todo_probe(struct module_env* env, uint32_t* next) lock_basic_lock(&tp->lock); /* is it eligible? */ - if((uint32_t)tp->autr->next_probe_time > *env->now) { + if((time_t)tp->autr->next_probe_time > *env->now) { /* no more to probe */ - *next = (uint32_t)tp->autr->next_probe_time - *env->now; + *next = (time_t)tp->autr->next_probe_time - *env->now; lock_basic_unlock(&tp->lock); lock_basic_unlock(&env->anchors->lock); return NULL; @@ -2188,11 +2194,11 @@ todo_probe(struct module_env* env, uint32_t* next) return tp; } -uint32_t +time_t autr_probe_timer(struct module_env* env) { struct trust_anchor* tp; - uint32_t next_probe = 3600; + time_t next_probe = 3600; int num = 0; verbose(VERB_ALGO, "autotrust probe timer callback"); /* while there are still anchors to probe */ diff --git a/validator/autotrust.h b/validator/autotrust.h index 4e88ed32042a..193135cb66e6 100644 --- a/validator/autotrust.h +++ b/validator/autotrust.h 
@@ -104,9 +104,9 @@ struct autr_point_data { time_t next_probe_time; /** when to query if !failed */ - uint32_t query_interval; + time_t query_interval; /** when to retry if failed */ - uint32_t retry_time; + time_t retry_time; /** * How many times did it fail. diagnostic only (has no effect). @@ -151,7 +151,7 @@ size_t autr_get_num_anchors(struct val_anchors* anchors); * @return time of next probe (in seconds from now). * If 0, then there is no next probe anymore (trust points deleted). */ -uint32_t autr_probe_timer(struct module_env* env); +time_t autr_probe_timer(struct module_env* env); /** probe tree compare function */ int probetree_cmp(const void* x, const void* y); diff --git a/validator/val_anchor.c b/validator/val_anchor.c index cc551f83320f..e710f2f24083 100644 --- a/validator/val_anchor.c +++ b/validator/val_anchor.c @@ -242,6 +242,8 @@ anchor_new_ta(struct val_anchors* anchors, uint8_t* name, int namelabs, } #ifdef UNBOUND_DEBUG r = +#else + (void) #endif rbtree_insert(anchors->tree, &ta->node); if(lockit) { @@ -900,7 +902,7 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type) free(pkey); return NULL; } - pd->rr_ttl = (uint32_t*)malloc(num*sizeof(uint32_t)); + pd->rr_ttl = (time_t*)malloc(num*sizeof(time_t)); if(!pd->rr_ttl) { free(pd->rr_len); free(pd); diff --git a/validator/val_kcache.c b/validator/val_kcache.c index 68e8c3f619b6..6d4ad8f32a14 100644 --- a/validator/val_kcache.c +++ b/validator/val_kcache.c @@ -126,7 +126,7 @@ key_cache_search(struct key_cache* kcache, uint8_t* name, size_t namelen, struct key_entry_key* key_cache_obtain(struct key_cache* kcache, uint8_t* name, size_t namelen, - uint16_t key_class, struct regional* region, uint32_t now) + uint16_t key_class, struct regional* region, time_t now) { /* keep looking until we find a nonexpired entry */ while(1) { diff --git a/validator/val_kcache.h b/validator/val_kcache.h index c37cf1ecbafc..8f562109621a 100644 --- a/validator/val_kcache.h +++ b/validator/val_kcache.h 
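Review bot: `malloc(num*sizeof(time_t))` in assemble_it spells the element type by hand and multiplies without an overflow check, and the element is now typically eight bytes where it used to be four. Tying the size to the field keeps the allocation and its users in step if the type changes again: `pd->rr_ttl = malloc(num*sizeof(*pd->rr_ttl));`. A bound such as `num > SIZE_MAX/sizeof(*pd->rr_ttl)` should be rejected before the first allocation so the failure path needs no extra cleanup. The function starts and ends outside this hunk, so where `num` comes from is not visible.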
@@ -106,7 +106,7 @@ void key_cache_remove(struct key_cache* kcache, */ struct key_entry_key* key_cache_obtain(struct key_cache* kcache, uint8_t* name, size_t namelen, uint16_t key_class, - struct regional* region, uint32_t now); + struct regional* region, time_t now); /** * Get memory in use by the key cache. diff --git a/validator/val_kentry.c b/validator/val_kentry.c index ddac140d316f..e9144838feb8 100644 --- a/validator/val_kentry.c +++ b/validator/val_kentry.c @@ -275,8 +275,8 @@ key_entry_setup(struct regional* region, struct key_entry_key* key_entry_create_null(struct regional* region, - uint8_t* name, size_t namelen, uint16_t dclass, uint32_t ttl, - uint32_t now) + uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl, + time_t now) { struct key_entry_key* k; struct key_entry_data* d; @@ -294,7 +294,7 @@ key_entry_create_null(struct regional* region, struct key_entry_key* key_entry_create_rrset(struct regional* region, uint8_t* name, size_t namelen, uint16_t dclass, - struct ub_packed_rrset_key* rrset, uint8_t* sigalg, uint32_t now) + struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now) { struct key_entry_key* k; struct key_entry_data* d; @@ -321,8 +321,8 @@ key_entry_create_rrset(struct regional* region, struct key_entry_key* key_entry_create_bad(struct regional* region, - uint8_t* name, size_t namelen, uint16_t dclass, uint32_t ttl, - uint32_t now) + uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl, + time_t now) { struct key_entry_key* k; struct key_entry_data* d; diff --git a/validator/val_kentry.h b/validator/val_kentry.h index d14ffe588016..6a308f160f24 100644 --- a/validator/val_kentry.h +++ b/validator/val_kentry.h @@ -75,7 +75,7 @@ struct key_entry_key { */ struct key_entry_data { /** the TTL of this entry (absolute time) */ - uint32_t ttl; + time_t ttl; /** the key rrdata. can be NULL to signal keyless name. */ struct packed_rrset_data* rrset_data; /** not NULL sometimes to give reason why bogus */ 
@@ -169,8 +169,8 @@ char* key_entry_get_reason(struct key_entry_key* kkey); * @return new key entry or NULL on alloc failure */ struct key_entry_key* key_entry_create_null(struct regional* region, - uint8_t* name, size_t namelen, uint16_t dclass, uint32_t ttl, - uint32_t now); + uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl, + time_t now); /** * Create a key entry from an rrset, in the given region. @@ -185,7 +185,7 @@ struct key_entry_key* key_entry_create_null(struct regional* region, */ struct key_entry_key* key_entry_create_rrset(struct regional* region, uint8_t* name, size_t namelen, uint16_t dclass, - struct ub_packed_rrset_key* rrset, uint8_t* sigalg, uint32_t now); + struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now); /** * Create a bad entry, in the given region. @@ -198,8 +198,8 @@ struct key_entry_key* key_entry_create_rrset(struct regional* region, * @return new key entry or NULL on alloc failure */ struct key_entry_key* key_entry_create_bad(struct regional* region, - uint8_t* name, size_t namelen, uint16_t dclass, uint32_t ttl, - uint32_t now); + uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl, + time_t now); /** * Obtain rrset from a key entry, allocated in region. diff --git a/validator/val_neg.c b/validator/val_neg.c index eec2eb1b6bb7..e8d9d56ad6fa 100644 --- a/validator/val_neg.c +++ b/validator/val_neg.c @@ -494,8 +494,8 @@ static struct val_neg_zone* neg_zone_chain( struct val_neg_zone* p=first, *np; while(p) { np = p->parent; - free(p); free(p->name); + free(p); p = np; } return NULL; @@ -640,8 +640,8 @@ static struct val_neg_data* neg_data_chain( struct val_neg_data* p = first, *np; while(p) { np = p->parent; - free(p); free(p->name); + free(p); p = np; } return NULL; 
@@ -917,7 +917,7 @@ static int neg_closest_data(struct val_neg_zone* zone, } int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len, - uint16_t qclass, struct rrset_cache* rrset_cache, uint32_t now) + uint16_t qclass, struct rrset_cache* rrset_cache, time_t now) { /* lookup closest zone */ struct val_neg_zone* zone; @@ -1138,7 +1138,7 @@ static struct ub_packed_rrset_key* grab_nsec(struct rrset_cache* rrset_cache, uint8_t* qname, size_t qname_len, uint16_t qtype, uint16_t qclass, uint32_t flags, struct regional* region, int checkbit, uint16_t checktype, - uint32_t now) + time_t now) { struct ub_packed_rrset_key* r, *k = rrset_cache_lookup(rrset_cache, qname, qname_len, qtype, qclass, flags, now, 0); @@ -1225,7 +1225,7 @@ neg_params_ok(struct val_neg_zone* zone, struct ub_packed_rrset_key* rrset) static struct ub_packed_rrset_key* neg_nsec3_getnc(struct val_neg_zone* zone, uint8_t* hashnc, size_t nclen, struct rrset_cache* rrset_cache, struct regional* region, - uint32_t now, uint8_t* b32, size_t maxb32) + time_t now, uint8_t* b32, size_t maxb32) { struct ub_packed_rrset_key* nc_rrset; struct val_neg_data* data; @@ -1258,7 +1258,7 @@ neg_nsec3_getnc(struct val_neg_zone* zone, uint8_t* hashnc, size_t nclen, static struct dns_msg* neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, int qlabs, ldns_buffer* buf, struct rrset_cache* rrset_cache, - struct regional* region, uint32_t now, uint8_t* topname) + struct regional* region, time_t now, uint8_t* topname) { struct dns_msg* msg; struct val_neg_data* data; 
@@ -1356,7 +1356,7 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, * @param zone: val_neg_zone if we have one. * @return false on lookup or alloc failure. */ -static int add_soa(struct rrset_cache* rrset_cache, uint32_t now, +static int add_soa(struct rrset_cache* rrset_cache, time_t now, struct regional* region, struct dns_msg* msg, struct val_neg_zone* zone) { struct ub_packed_rrset_key* soa; @@ -1388,7 +1388,7 @@ static int add_soa(struct rrset_cache* rrset_cache, uint32_t now, struct dns_msg* val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo, struct regional* region, struct rrset_cache* rrset_cache, - ldns_buffer* buf, uint32_t now, int addsoa, uint8_t* topname) + ldns_buffer* buf, time_t now, int addsoa, uint8_t* topname) { struct dns_msg* msg; struct ub_packed_rrset_key* rrset; diff --git a/validator/val_neg.h b/validator/val_neg.h index 01b423e1afb3..ec4f42f6ab7d 100644 --- a/validator/val_neg.h +++ b/validator/val_neg.h @@ -229,7 +229,7 @@ void val_neg_addreferral(struct val_neg_cache* neg, struct reply_info* rep, * thus, qname DLV qclass does not exist. */ int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len, - uint16_t qclass, struct rrset_cache* rrset_cache, uint32_t now); + uint16_t qclass, struct rrset_cache* rrset_cache, time_t now); /** * For the given query, try to get a reply out of the negative cache. @@ -255,7 +255,7 @@ int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len, */ struct dns_msg* val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo, struct regional* region, - struct rrset_cache* rrset_cache, ldns_buffer* buf, uint32_t now, + struct rrset_cache* rrset_cache, ldns_buffer* buf, time_t now, int addsoa, uint8_t* topname); diff --git a/validator/val_nsec.c b/validator/val_nsec.c index 8bda8dabc937..e377ca4b9401 100644 --- a/validator/val_nsec.c +++ b/validator/val_nsec.c 
@@ -197,7 +197,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve, enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, struct query_info* qinfo, struct reply_info* rep, - struct key_entry_key* kkey, uint32_t* proof_ttl, char** reason) + struct key_entry_key* kkey, time_t* proof_ttl, char** reason) { struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns( rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, diff --git a/validator/val_nsec.h b/validator/val_nsec.h index 34f7f63b40ef..2e86fa978f74 100644 --- a/validator/val_nsec.h +++ b/validator/val_nsec.h @@ -73,7 +73,7 @@ struct key_entry_key; enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, struct query_info* qinfo, struct reply_info* rep, struct key_entry_key* kkey, - uint32_t* proof_ttl, char** reason); + time_t* proof_ttl, char** reason); /** * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index 4b48e7beed60..20580c0d755f 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -713,6 +713,8 @@ nsec3_hash_name(rbtree_t* table, struct regional* region, ldns_buffer* buf, return r; #ifdef UNBOUND_DEBUG n = +#else + (void) #endif rbtree_insert(table, &c->node); log_assert(n); /* cannot be duplicate, just did lookup */ diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 5cca578b1be1..92fd0cc4c8c2 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c 
@@ -669,12 +669,12 @@ static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) SECKEYPublicKey* pk; SECItem pub = {siBuffer, NULL, 0}; SECItem params = {siBuffer, NULL, 0}; - unsigned char param256[] = { + static unsigned char param256[] = { /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; - unsigned char param384[] = { + static unsigned char param384[] = { /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 
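Review bot: `param256` and `param384` become `static` here but stay writable, so a single process-wide copy of each curve OID is now shared by every caller and a stray write through a pointer to it would affect all later key imports. They are lookup constants, so `static const unsigned char param256[] = {` would place them in read-only storage; this needs a cast where they are assigned to the `SECItem` if its data pointer is non-const, which is outside the hunk. The same applies to `p_md5`, `p_sha1`, `p_sha256` and `p_sha512` in the nss_setup_key_digest hunk that follows.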
@@ -845,19 +845,19 @@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, /* uses libNSS */ /* hash prefix for md5, RFC2537 */ - unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, + static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; /* hash prefix to prepend to hash output, from RFC3110 */ - unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, + static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; /* from RFC5702 */ - unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, + static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; - unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, + static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; /* from RFC6234 */ /* for future RSASHA384 .. - unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, + static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; */ diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 79d5e45a2379..37e1ce14e21a 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -579,7 +579,7 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve, enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, - uint32_t now, struct ub_packed_rrset_key* rrset, + time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t sig_idx, struct rbtree_t** sortree, char** reason) { 
@@ -808,7 +808,12 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) case LDNS_RR_TYPE_MR: case LDNS_RR_TYPE_PTR: case LDNS_RR_TYPE_DNAME: - return query_dname_compare(d->rr_data[i]+2, + /* the wireread function has already checked these + * dname's for correctness, and this double checks */ + if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) || + !dname_valid(d->rr_data[j]+2, d->rr_len[j]-2)) + return 0; + return query_dname_compare(d->rr_data[i]+2, d->rr_data[j]+2); /* These RR types have STR and fixed size rdata fields @@ -1215,12 +1220,12 @@ adjust_ttl(struct val_env* ve, uint32_t unow, * * Use the smallest of these. */ - if(d->ttl > (uint32_t)origttl) { + if(d->ttl > (time_t)origttl) { verbose(VERB_QUERY, "rrset TTL larger than original TTL," " adjusting TTL downwards"); d->ttl = origttl; } - if(expittl > 0 && d->ttl > (uint32_t)expittl) { + if(expittl > 0 && d->ttl > (time_t)expittl) { verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl," " adjusting TTL downwards"); d->ttl = expittl; @@ -1229,7 +1234,7 @@ adjust_ttl(struct val_env* ve, uint32_t unow, enum sec_status dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf, - struct val_env* ve, uint32_t now, + struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t** sortree, int* buf_canon, char** reason) diff --git a/validator/val_sigcrypt.h b/validator/val_sigcrypt.h index c220b0083ac3..9859d3c39087 100644 --- a/validator/val_sigcrypt.h +++ b/validator/val_sigcrypt.h 
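Review bot: The added `dname_valid(d->rr_data[i]+2, d->rr_len[i]-2)` calls in canonical_compare subtract 2 from `rr_len` with no lower bound visible in this hunk, so an rdata shorter than two bytes would wrap the length to a very large value; the rrset_has_signer hunk in val_utils.c checks `d->rr_len[i] > 2+18+len` before its subtraction. Returning 0 for a malformed name also tells the caller the two records are equal, which a canonical sort may treat as a duplicate; that consequence is inferred, since the caller is not shown. I would prefix the condition with `d->rr_len[i] < 2 || d->rr_len[j] < 2 ||` and extend the comment to say why 0 is a safe answer for invalid input. The function starts and ends outside this hunk.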
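Review bot: `d->ttl > (time_t)origttl` in adjust_ttl has no sign guard, unlike the next test, which checks `expittl > 0` first. If `origttl` is a signed 32-bit value read from the RRSIG (its declaration is outside the hunk), the old `(uint32_t)` cast turned a negative value into a very large one and the branch was skipped, whereas `(time_t)` keeps it negative, the comparison succeeds and `d->ttl = origttl` stores a negative TTL. Mirroring the second test keeps the earlier behaviour: `if(origttl >= 0 && d->ttl > (time_t)origttl) {`.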
@@ -274,7 +274,7 @@ enum sec_status dnskey_verify_rrset(struct module_env* env, * or unchecked on error. */ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, - struct val_env* ve, uint32_t now, struct ub_packed_rrset_key* rrset, + struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t sig_idx, struct rbtree_t** sortree, char** reason); @@ -298,7 +298,7 @@ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, * bogus if it did not validate. */ enum sec_status dnskey_verify_rrset_sig(struct regional* region, - ldns_buffer* buf, struct val_env* ve, uint32_t now, + ldns_buffer* buf, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t** sortree, int* buf_canon, char** reason); diff --git a/validator/val_utils.c b/validator/val_utils.c index d4a64464d808..73e7dbd9020f 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -486,7 +486,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, /* Once we see a single DS with a known digestID and * algorithm, we cannot return INSECURE (with a * "null" KeyEntry). */ - has_useful_ds = true; + has_useful_ds = 1; sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, ds_rrset, i, reason); @@ -596,7 +596,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, /* Once we see a single DS with a known digestID and * algorithm, we cannot return INSECURE (with a * "null" KeyEntry). */ - has_useful_ta = true; + has_useful_ta = 1; sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, ta_ds, i, reason); @@ -622,7 +622,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, continue; /* we saw a useful TA */ - has_useful_ta = true; + has_useful_ta = 1; sec = dnskey_verify_rrset(env, ve, dnskey_rrset, ta_dnskey, i, reason); 
@@ -773,6 +773,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) for(i = d->count; i< d->count+d->rrsig_count; i++) { if(d->rr_len[i] > 2+18+len) { /* at least rdatalen + signature + signame (+1 sig)*/ + if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) + continue; if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) { return 1; diff --git a/validator/validator.c b/validator/validator.c index 10b0a243cdf0..ad472cc6a953 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -2398,7 +2398,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, subtype == VAL_CLASS_NAMEERROR) { /* NODATA means that the qname exists, but that there was * no DS. This is a pretty normal case. */ - uint32_t proof_ttl = 0; + time_t proof_ttl = 0; enum sec_status sec; /* make sure there are NSECs or NSEC3s with signatures */ |