diff options
author | Lennart Poettering <lennart@poettering.net> | 2018-06-08 15:37:49 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-06-08 15:40:32 +0200 |
commit | c910c520cf87519de9db6c481feecfac30ee7558 (patch) | |
tree | 417a889a8bda3bc5c5eb87290bba305af9a39771 /src/resolve/resolved-dns-dnssec.c | |
parent | 89278d96dcbb98ca219b233d454e18cd18501e3a (diff) | |
download | systemd-c910c520cf87519de9db6c481feecfac30ee7558.tar.gz |
resolved: fix DNSKEY validation against DS
Let's use the wireformat name, not the text version.
Fixes: #8901
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 3ad68c96fb..a7e157bf46 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -1153,7 +1153,7 @@ static int digest_to_gcrypt_md(uint8_t algorithm) { } int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) { - char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX]; + uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX]; _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; size_t hash_size; int md_algorithm, r; @@ -1192,7 +1192,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (ds->ds.digest_size != hash_size) return 0; - r = dnssec_canonicalize(dns_resource_key_name(dnskey->key), owner_name, sizeof(owner_name)); + r = dns_name_to_wire_format(dns_resource_key_name(dnskey->key), wire_format, sizeof(wire_format), true); if (r < 0) return r; @@ -1200,7 +1200,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (!md) return -EIO; - gcry_md_write(md, owner_name, r); + gcry_md_write(md, wire_format, r); if (mask_revoke) md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE); else @@ -1213,7 +1213,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (!result) return -EIO; - return memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0; + return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0; } int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) { |