Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(47)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: components/certificate_transparency/log_dns_client.cc

Issue 2375693002: LogDnsClient now rejects responses unless they contain exactly one TXT RDATA string (Closed)
Patch Set: Use checked_cast Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | components/certificate_transparency/log_dns_client_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: components/certificate_transparency/log_dns_client.cc
diff --git a/components/certificate_transparency/log_dns_client.cc b/components/certificate_transparency/log_dns_client.cc
index 06844170cd5938a24c262fd6d0e2ccec1274216e..ce7e8627a703783416b2fae22ac764c74e236400 100644
--- a/components/certificate_transparency/log_dns_client.cc
+++ b/components/certificate_transparency/log_dns_client.cc
@@ -27,10 +27,14 @@
namespace certificate_transparency {
namespace {
+// Parses the DNS response and extracts a single string from the TXT RDATA.
+// If the response is malformed, not a TXT record, or contains any number of
+// strings other than 1, this returns false and extracts nothing.
+// Otherwise, it returns true and the extracted string is assigned to |*txt|.
bool ParseTxtResponse(const net::DnsResponse& response, std::string* txt) {
DCHECK(txt);
net::DnsRecordParser parser = response.Parser();
// We don't care about the creation time, since we're going to throw
@@ -42,24 +46,36 @@ bool ParseTxtResponse(const net::DnsResponse& response, std::string* txt) {
auto* txt_record = parsed_record->rdata<net::TxtRecordRdata>();
if (txt_record == nullptr)
return false;
- *txt = base::JoinString(txt_record->texts(), "");
+ // The draft CT-over-DNS RFC says that there MUST be exactly one string in the
+ // TXT record.
+ if (txt_record->texts().size() != 1)
+ return false;
+
+ *txt = txt_record->texts().front();
return true;
}
+// Extracts a leaf index value from a DNS response's TXT RDATA.
+// Returns true on success, false otherwise.
bool ParseLeafIndex(const net::DnsResponse& response, uint64_t* index) {
DCHECK(index);
std::string index_str;
if (!ParseTxtResponse(response, &index_str))
return false;
return base::StringToUint64(index_str, index);
}
+// Extracts audit proof nodes from a DNS response's TXT RDATA.
+// Returns true on success, false otherwise.
+// It will fail if there is not a whole number of nodes present > 0.
+// There must only be one string in the TXT RDATA.
+// The nodes will be appended to |proof->nodes|
bool ParseAuditPath(const net::DnsResponse& response,
net::ct::MerkleAuditProof* proof) {
DCHECK(proof);
std::string audit_path;
« no previous file with comments | « no previous file | components/certificate_transparency/log_dns_client_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698