Remove DSA signature verification from DNSSEC, as specified in RFC 8624.

2025-12-19 10:18:25 +00:00 · 2020-02-26 18:28:32 +00:00
parent dea53e6658
commit 425e2405aa
2 changed files with 6 additions and 53 deletions
--- a/3
+++ b/3
@@ -83,6 +83,9 @@ version 2.81
 	Allow empty server spec in --rev-server, to match --server.
 	Remove DSA signature verification from DNSSEC, as specified in
 	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
 version 2.80
 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -19,7 +19,6 @@
 #ifdef HAVE_DNSSEC
 #include <nettle/rsa.h>
 #include <nettle/dsa.h>
 #include <nettle/ecdsa.h>
 #include <nettle/ecc-curve.h>
 #include <nettle/eddsa.h>
@@ -207,8 +206,6 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
  switch (algo)
    {
    case 1:
      return nettle_rsa_md5_verify_digest(key, digest, sig_mpz);
    case 5: case 7:
      return nettle_rsa_sha1_verify_digest(key, digest, sig_mpz);
    case 8:
@@ -220,50 +217,6 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
  return 0;
 }  
 static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
 			      unsigned char *digest, size_t digest_len, int algo)
 {
  unsigned char *p;
  unsigned int t;
  static mpz_t y;
  static struct dsa_params *params = NULL;
  static struct dsa_signature *sig_struct;
  (void)digest_len;
  if (params == NULL)
    {
      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || 
 	  !(params = whine_malloc(sizeof(struct dsa_params)))) 
 	return 0;
      mpz_init(y);
      nettle_dsa_params_init(params);
      nettle_dsa_signature_init(sig_struct);
    }
  if ((sig_len < 41) || !(p = blockdata_retrieve(key_data, key_len, NULL)))
    return 0;
  t = *p++;
  if (key_len < (213 + (t * 24)))
    return 0;
  mpz_import(params->q, 20, 1, 1, 0, 0, p); p += 20;
  mpz_import(params->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
  mpz_import(params->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
  mpz_import(y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
  mpz_import(sig_struct->r, 20, 1, 1, 0, 0, sig+1);
  mpz_import(sig_struct->s, 20, 1, 1, 0, 0, sig+21);
  (void)algo;
  return nettle_dsa_verify(params, y, digest_len, digest, sig_struct);
 } 
 static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len, 
 				unsigned char *sig, size_t sig_len,
 				unsigned char *digest, size_t digest_len, int algo)
@@ -380,12 +333,9 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
  /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
  switch (algo)
    {
-    case 1: case 5: case 7: case 8: case 10:
+    case 5: case 7: case 8: case 10:
      return dnsmasq_rsa_verify;
    case 3: case 6: 
      return dnsmasq_dsa_verify;
    case 13: case 14:
      return dnsmasq_ecdsa_verify;
@@ -436,9 +386,9 @@ char *algo_digest_name(int algo)
    {
    case 1: return NULL;          /* RSA/MD5 - Must Not Implement.  RFC 6944 para 2.3. */
    case 2: return NULL;          /* Diffie-Hellman */
-    case 3: return "sha1";        /* DSA/SHA1 */ 
+    case 3: return NULL; ;        /* DSA/SHA1 - Must Not Implement. RFC 8624 section 3.1 */ 
    case 5: return "sha1";        /* RSA/SHA1 */
-    case 6: return "sha1";        /* DSA-NSEC3-SHA1 */
+    case 6: return NULL;          /* DSA-NSEC3-SHA1 - Must Not Implement. RFC 8624 section 3.1 */
    case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
    case 8: return "sha256";      /* RSA/SHA-256 */
    case 10: return "sha512";     /* RSA/SHA-512 */