Diffstat (limited to 'contrib/ldns/dnssec_verify.c')
-rw-r--r--contrib/ldns/dnssec_verify.c61
1 files changed, 29 insertions, 32 deletions
diff --git a/contrib/ldns/dnssec_verify.c b/contrib/ldns/dnssec_verify.c
index f8e8ead..40f7889 100644
--- a/contrib/ldns/dnssec_verify.c
+++ b/contrib/ldns/dnssec_verify.c
@@ -285,9 +285,11 @@ ldns_dnssec_build_data_chain(ldns_resolver *res,
ldns_rr_class c = 0;
bool other_rrset = false;
-
+
ldns_dnssec_data_chain *new_chain = ldns_dnssec_data_chain_new();
+ assert(pkt != NULL);
+
if (!ldns_dnssec_pkt_has_rrsigs(pkt)) {
/* hmm. no dnssec data in the packet. go up to try and deny
* DS? */
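Review bot: `assert(pkt != NULL)` is the only guard in front of `ldns_dnssec_pkt_has_rrsigs(pkt)`, so a build with `NDEBUG` still passes a NULL packet on, and a build without it aborts the whole process instead of returning an error to the caller. The same pattern appears in the `ldns_dnssec_derive_trust_tree_normal_rrset_time` hunk, where `assert(tmp_rrset == cur_rrset)` replaces a conditional free; if that invariant is ever violated with asserts compiled out, the old list is overwritten and leaked. For library code that handles resolver responses, an explicit check is safer, e.g. `if (!pkt) { ldns_dnssec_data_chain_free(new_chain); return NULL; }`. That assumes callers already tolerate a NULL chain, which needs confirming because the rest of the function is outside the hunk.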
@@ -402,15 +404,16 @@ ldns_dnssec_build_data_chain(ldns_resolver *res,
if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
key_name = ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7);
}
-
if (!key_name) {
+ if (signatures) {
+ ldns_rr_list_deep_free(signatures);
+ }
return ldns_dnssec_build_data_chain_nokeyname(res,
qflags,
orig_rr,
rrset,
new_chain);
}
-
if (type != LDNS_RR_TYPE_DNSKEY) {
ldns_dnssec_build_data_chain_dnskey(res,
qflags,
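Review bot: `key_name` comes from `ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7)`, which as far as I know returns a pointer into the RR rather than a copy, so it is only valid until `signatures` is deep-freed, and nothing in the function says so. With a second free site now added in the `!key_name` branch, a comment at the assignment would help, e.g. `/* key_name borrows from signatures; keep signatures alive while it is in use */`. It is also worth confirming that `ldns_dnssec_build_data_chain_dnskey` and `ldns_dnssec_build_data_chain_other`, called in the following hunks and defined outside this view, do not store `key_name` in the chain without cloning it, since `signatures` is freed right after they return. The literal `7` (presumably the RRSIG signer-name field) would read better as a named constant.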
@@ -419,7 +422,7 @@ ldns_dnssec_build_data_chain(ldns_resolver *res,
new_chain,
key_name,
c
- );
+ );
} else {
ldns_dnssec_build_data_chain_other(res,
qflags,
@@ -427,13 +430,11 @@ ldns_dnssec_build_data_chain(ldns_resolver *res,
key_name,
c,
dss
-
- );
+ );
}
if (signatures) {
ldns_rr_list_deep_free(signatures);
}
-
return new_chain;
}
@@ -826,10 +827,7 @@ ldns_dnssec_derive_trust_tree_normal_rrset_time(
/* might contain different names!
sort and split */
ldns_rr_list_sort(cur_rrset);
- if (tmp_rrset && tmp_rrset != cur_rrset) {
- ldns_rr_list_deep_free(tmp_rrset);
- tmp_rrset = NULL;
- }
+ assert(tmp_rrset == cur_rrset);
tmp_rrset = ldns_rr_list_pop_rrset(cur_rrset);
/* with nsecs, this might be the wrong one */
@@ -849,6 +847,12 @@ ldns_dnssec_derive_trust_tree_normal_rrset_time(
cur_sig_rr,
cur_parent_rr,
check_time);
+ if (tmp_rrset && tmp_rrset != cur_rrset
+ ) {
+ ldns_rr_list_deep_free(
+ tmp_rrset);
+ tmp_rrset = NULL;
+ }
/* avoid dupes */
for (i = 0; i < new_tree->parent_count; i++) {
if (cur_parent_rr == new_tree->parents[i]->rr) {
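Review bot: The popped `tmp_rrset` is now released only by the block added after the verify call, because the cleanup under `done:` is removed in the next hunk. Any `goto done`, `continue` or `break` between `ldns_rr_list_pop_rrset(cur_rrset)` and that block would therefore leak the list. The lines between the pop and the verify call are outside the hunk, so this should be checked against the full loop body. A short ownership comment above the block would make the intent clear, e.g. `/* tmp_rrset was split off cur_rrset for this signature only; release it here, done: frees cur_rrset alone */`. The condition is also wrapped awkwardly with `)` on its own line; it fits on one line as `if (tmp_rrset && tmp_rrset != cur_rrset) {`.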
@@ -870,9 +874,6 @@ ldns_dnssec_derive_trust_tree_normal_rrset_time(
}
}
done:
- if (tmp_rrset && tmp_rrset != cur_rrset) {
- ldns_rr_list_deep_free(tmp_rrset);
- }
ldns_rr_list_deep_free(cur_rrset);
}
@@ -1077,7 +1078,8 @@ ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree,
if (tree->parent_status[i] != LDNS_STATUS_OK) {
result = tree->parent_status[i];
} else {
- if (ldns_rr_get_type(tree->rr)
+ if (tree->rr &&
+ ldns_rr_get_type(tree->rr)
== LDNS_RR_TYPE_NSEC &&
parent_result == LDNS_STATUS_OK
) {
@@ -1210,8 +1212,8 @@ ldns_fetch_valid_domain_keys_time(const ldns_resolver *res,
*status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
parent_domain = ldns_dname_left_chop(domain);
- while (ldns_rdf_size(parent_domain) > 0) {
- /* Fail if we are at the root */
+ while (parent_domain && /* Fail if we are at the root*/
+ ldns_rdf_size(parent_domain) > 0) {
if ((parent_keys =
ldns_fetch_valid_domain_keys_time(res,
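Review bot: The comment `/* Fail if we are at the root*/` now sits inside the loop condition next to the new `parent_domain &&` test, where it reads as if it described the NULL check rather than the size check. If `ldns_dname_left_chop` can return NULL for reasons other than reaching the root (for example allocation failure), `*status` stays at `LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY` and an internal error is reported as a missing trust anchor. I would move the comment above the loop and state both cases, `/* stop at the root, or when the parent name could not be built */`, leaving the condition as `while (parent_domain && ldns_rdf_size(parent_domain) > 0) {`. The loop body continues outside the hunk.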
@@ -1247,7 +1249,9 @@ ldns_fetch_valid_domain_keys_time(const ldns_resolver *res,
ldns_rdf_deep_free(prev_parent_domain);
}
}
- ldns_rdf_deep_free(parent_domain);
+ if (parent_domain) {
+ ldns_rdf_deep_free(parent_domain);
+ }
}
}
return trusted_keys;
@@ -1519,12 +1523,11 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
rr_name = ldns_rr_owner(rr);
chopped_dname = ldns_dname_left_chop(rr_name);
result = ldns_dname_cat(wildcard_name, chopped_dname);
+ ldns_rdf_deep_free(chopped_dname);
if (result != LDNS_STATUS_OK) {
return result;
}
- ldns_rdf_deep_free(chopped_dname);
-
for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
cur_nsec = ldns_rr_list_rr(nsecs, i);
if (ldns_dname_compare(rr_name, ldns_rr_owner(cur_nsec)) == 0) {
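Review bot: The early `return result;` after a failed `ldns_dname_cat` no longer leaks `chopped_dname`, but it still leaves `wildcard_name` unreleased if this function owns it. Its allocation is outside the hunk, so that needs confirming; if it is allocated here, the error branch should read `if (result != LDNS_STATUS_OK) { ldns_rdf_deep_free(wildcard_name); return result; }`. `chopped_dname` is also passed to `ldns_dname_cat` without a NULL check, which relies on that function rejecting a NULL argument when `rr_name` has no label left to chop.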
@@ -1576,7 +1579,6 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
return LDNS_STATUS_OK;
}
-#ifdef HAVE_SSL
ldns_status
ldns_dnssec_verify_denial_nsec3_match( ldns_rr *rr
, ldns_rr_list *nsecs
@@ -1612,7 +1614,7 @@ ldns_dnssec_verify_denial_nsec3_match( ldns_rr *rr
ldns_rr_get_type(rr),
nsecs);
if(!closest_encloser) {
- result = LDNS_STATUS_NSEC3_ERR;
+ result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
goto done;
}
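Review bot: The status returned when no closest encloser is found changes from `LDNS_STATUS_NSEC3_ERR` to `LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED` without a comment, and callers that branch on the old value will now take a different path. Because this code decides whether a denial of existence is accepted, the mapping deserves a line of explanation at the assignment, e.g. `/* no closest encloser proof in the NSEC3 set: the name is not covered, not a processing error */`. The function's documentation (outside this view) should list the new return value as well.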
@@ -1636,16 +1638,14 @@ ldns_dnssec_verify_denial_nsec3_match( ldns_rr *rr
ldns_rdf_deep_free(hashed_wildcard_name);
}
- ldns_rdf_deep_free(closest_encloser);
- ldns_rdf_deep_free(wildcard);
-
- if (!wildcard_covered) {
+ if (! wildcard_covered) {
result = LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
- } else if (closest_encloser && wildcard_covered) {
- result = LDNS_STATUS_OK;
} else {
- result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
+ result = LDNS_STATUS_OK;
}
+ ldns_rdf_deep_free(closest_encloser);
+ ldns_rdf_deep_free(wildcard);
+
} else if (packet_nodata && packet_qtype != LDNS_RR_TYPE_DS) {
/* section 8.5 */
hashed_name = ldns_nsec3_hash_name_frm_nsec3(
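Review bot: The simplified `else` branch sets `LDNS_STATUS_OK` on `wildcard_covered` alone, which is only sound because the earlier `if(!closest_encloser)` check already jumped to `done`; that dependency is not stated anywhere near the assignment. A comment such as `/* closest_encloser is non-NULL here (checked above), so a covered wildcard completes the proof */` would keep a later edit from dropping the earlier check unnoticed. Moving the two `ldns_rdf_deep_free` calls below the status decision is the right order, since the removed code compared `closest_encloser` after freeing it. The spacing in `if (! wildcard_covered)` differs from the rest of the file.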
@@ -1819,9 +1819,6 @@ ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
);
}
-
-#endif /* HAVE_SSL */
-
#ifdef USE_GOST
EVP_PKEY*
ldns_gost2pkey_raw(unsigned char* key, size_t keylen)