Merge pull request #8100 from keszybz/free-gcrypt-context

Free gcrypt contexts properly
Lennart Poettering 2018-02-05 13:47:29 +01:00 committed by GitHub
commit da4ec1411e
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 63 additions and 39 deletions


@ -42,7 +42,7 @@ void initialize_libgcrypt(bool secmem) {
}
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
gcry_md_hd_t md = NULL;
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
size_t hash_size;
void *hash;
char *enc;


@ -20,6 +20,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#pragma once
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
@ -27,8 +29,12 @@
#if HAVE_GCRYPT
#include <gcrypt.h>
#include "macro.h"
void initialize_libgcrypt(bool secmem);
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
DEFINE_TRIVIAL_CLEANUP_FUNC(gcry_md_hd_t, gcry_md_close);
#endif
static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
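Review bot: The new `DEFINE_TRIVIAL_CLEANUP_FUNC(gcry_md_hd_t, gcry_md_close);` line has no comment stating the contract its callers now depend on. Every use on this page declares the handle as `_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;`, and that initialiser is what keeps an early return before `gcry_md_open()` from handing an indeterminate handle to the cleanup function. I would add above the macro: `/* Defines gcry_md_closep() for use with _cleanup_(); always initialise the handle to NULL. */`.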


@ -716,7 +716,7 @@ int dnssec_verify_rrset(
uint8_t wire_format_name[DNS_WIRE_FOMAT_HOSTNAME_MAX];
DnsResourceRecord **list, *rr;
const char *source, *name;
gcry_md_hd_t md = NULL;
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
int r, md_algorithm;
size_t k, n = 0;
size_t sig_size = 0;
@ -841,13 +841,13 @@ int dnssec_verify_rrset(
r = dns_name_to_wire_format(rrsig->rrsig.signer, wire_format_name, sizeof(wire_format_name), true);
if (r < 0)
goto finish;
return r;
fwrite(wire_format_name, 1, r, f);
/* Convert the source of synthesis into wire format */
r = dns_name_to_wire_format(source, wire_format_name, sizeof(wire_format_name), true);
if (r < 0)
goto finish;
return r;
for (k = 0; k < n; k++) {
size_t l;
@ -885,26 +885,20 @@ int dnssec_verify_rrset(
#endif
case DNSSEC_ALGORITHM_ED448:
*result = DNSSEC_UNSUPPORTED_ALGORITHM;
r = 0;
goto finish;
return 0;
default:
/* OK, the RRs are now in canonical order. Let's calculate the digest */
md_algorithm = algorithm_to_gcrypt_md(rrsig->rrsig.algorithm);
if (md_algorithm == -EOPNOTSUPP) {
*result = DNSSEC_UNSUPPORTED_ALGORITHM;
r = 0;
goto finish;
}
if (md_algorithm < 0) {
r = md_algorithm;
goto finish;
return 0;
}
if (md_algorithm < 0)
return md_algorithm;
gcry_md_open(&md, md_algorithm, 0);
if (!md) {
r = -EIO;
goto finish;
}
if (!md)
return -EIO;
hash_size = gcry_md_get_algo_dlen(md_algorithm);
assert(hash_size > 0);
@ -912,10 +906,8 @@ int dnssec_verify_rrset(
gcry_md_write(md, sig_data, sig_size);
hash = gcry_md_read(md, 0);
if (!hash) {
r = -EIO;
goto finish;
}
if (!hash)
return -EIO;
}
switch (rrsig->rrsig.algorithm) {
@ -950,9 +942,8 @@ int dnssec_verify_rrset(
break;
#endif
}
if (r < 0)
goto finish;
return r;
/* Now, fix the ttl, expiry, and remember the synthesizing source and the signer */
if (r > 0)
@ -965,13 +956,7 @@ int dnssec_verify_rrset(
else
*result = DNSSEC_VALIDATED;
r = 0;
finish:
if (md)
gcry_md_close(md);
return r;
return 0;
}
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok) {
@ -1182,7 +1167,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) {
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
gcry_md_hd_t md = NULL;
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
size_t hash_size;
int md_algorithm, r;
void *result;
@ -1238,16 +1223,10 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size);
result = gcry_md_read(md, 0);
if (!result) {
r = -EIO;
goto finish;
}
if (!result)
return -EIO;
r = memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;
finish:
gcry_md_close(md);
return r;
return memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;
}
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
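Review bot: The final `return memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;` in dnssec_verify_dnskey_by_ds() evaluates to 1 when the computed digest differs from the DS digest and to 0 when they are equal, carried over unchanged from the old `r = ...` line. The return convention is defined outside these hunks, so this needs confirming, but if callers read a positive value as "DNSKEY matches DS" the polarity is inverted and the line should be `return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0;`. The visible lines also do not show whether `ds->ds.digest_size` is compared with `hash_size` before the memcmp; without that check a larger digest_size would read past the buffer returned by `gcry_md_read()`. The function body starts and continues outside the hunks shown.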


@ -643,6 +643,11 @@ tests += [
[],
[]],
[['src/test/test-gcrypt-util.c'],
[],
[],
'HAVE_GCRYPT'],
[['src/test/test-nss.c'],
[],
[libdl],


@ -0,0 +1,34 @@
/* SPDX-License-Identifier: LGPL-2.1+
* Copyright 2018 Zbigniew Jędrzejewski-Szmek
*/
#include "alloc-util.h"
#include "gcrypt-util.h"
#include "macro.h"
#include "string-util.h"
static void test_string_hashsum(void) {
_cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA224, &out1) == 0);
/* echo -n 'asdf' | sha224sum - */
assert_se(streq(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a"));
assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA256, &out2) == 0);
/* echo -n 'asdf' | sha256sum - */
assert_se(streq(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"));
assert_se(string_hashsum("", 0, GCRY_MD_SHA224, &out3) == 0);
/* echo -n '' | sha224sum - */
assert_se(streq(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"));
assert_se(string_hashsum("", 0, GCRY_MD_SHA256, &out4) == 0);
/* echo -n '' | sha256sum - */
assert_se(streq(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
}
int main(int argc, char **argv) {
test_string_hashsum();
return 0;
}
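Review bot: test_string_hashsum() asserts only successful digests, so no error return from string_hashsum() is ever driven, and those are the paths where the new `_cleanup_(gcry_md_closep)` release would matter. The body of string_hashsum() is outside the visible hunk, so the right failing input and its expected errno have to be taken from there before a negative case can be added. Until then I would record the gap at the top of the function: `/* Success paths only; error returns and the handle cleanup on them are not covered. */`. Running this test under a leak checker in CI would make the fix observable, because the assertions cannot detect a leaked context.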