diff --git a/src/crypto.c b/src/crypto.c
index 83372c7..140fb35 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -365,7 +365,7 @@ static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len
 #endif
-int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
 unsigned char *digest, size_t digest_len, int algo)
 {
@@ -409,6 +409,11 @@ int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig,
 return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
 }
+/* Note the ds_digest_name(), algo_digest_name() and nsec3_digest_name()
+ define which algo numbers we support. If algo_digest_name() returns
+ non-NULL for an algorithm number, we assume that algrorithm is
+ supported by verify(). */
+
 /* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
 char *ds_digest_name(int digest)
 {
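Review bot: The new comment above ds_digest_name() misspells `algrorithm`, and it states a contract the table cannot guarantee by itself: algo_digest_name() is a fixed switch, while the verifier it vouches for appears to sit behind a conditional compile (the `#endif` just before verify_func() in the first hunk closes the block that holds dnsmasq_eddsa_verify()). On a build where that block is compiled out the table still answers non-NULL for such an algorithm, so "supported by verify()" becomes false and the "(not supported)" annotations in dnssec.c that now key off this table will be wrong for it. Suggest fixing the typo and making the dependency explicit, e.g. `/* ... we assume that algorithm is supported by verify(). Keep this table in step with the #ifdef blocks above: it must never name an algorithm whose verifier is compiled out. */`. The body of verify_func() continues outside the first hunk.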
@@ -427,18 +432,19 @@ char *algo_digest_name(int algo)
 {
 switch (algo)
 {
- case 1: return "md5";
- case 3: return "sha1";
- case 5: return "sha1";
- case 6: return "sha1";
- case 7: return "sha1";
- case 8: return "sha256";
- case 10: return "sha512";
- case 12: return "gosthash94";
- case 13: return "sha256";
- case 14: return "sha384";
- case 15: return "null_hash"; /* Ed25519 */
- case 16: return NULL; /* Ed448 */
+ case 1: return "md5"; /* RSA/MD5 */
+ case 2: return NULL; /* Diffie-Hellman */
+ case 3: return "sha1"; /* DSA/SHA1 */
+ case 5: return "sha1"; /* RSA/SHA1 */
+ case 6: return "sha1"; /* DSA-NSEC3-SHA1 */
+ case 7: return "sha1"; /* RSASHA1-NSEC3-SHA1 */
+ case 8: return "sha256"; /* RSA/SHA-256 */
+ case 10: return "sha512"; /* RSA/SHA-512 */
+ case 12: return NULL; /* ECC-GOST */
+ case 13: return "sha256"; /* ECDSAP256SHA256 */
+ case 14: return "sha384"; /* ECDSAP384SHA384 */
+ case 15: return "null_hash"; /* ED25519 */
+ case 16: return NULL; /* ED448 */
 default: return NULL;
 }
 }
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index b4d836a..91b1f04 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1186,8 +1186,6 @@ int setup_timestamp(void);
 /* crypto.c */
 const struct nettle_hash *hash_find(char *name);
 int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
-int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
- unsigned char *digest, size_t digest_len, int algo);
 int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
 unsigned char *digest, size_t digest_len, int algo);
 char *ds_digest_name(int digest);
diff --git a/src/dnssec.c b/src/dnssec.c
index cc79a23..5b6e095 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
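Review bot: `case 15: return "null_hash";` is unconditional, so on a build where the EdDSA verifier is compiled out this table still reports Ed25519 as supported, which is exactly the situation the new callers in dnssec.c now rely on it to rule out; wrapping that case in the same preprocessor conditional that guards dnsmasq_eddsa_verify() (`#ifdef <EDDSA_BUILD_CONDITIONAL>` / `#endif`, placeholder for the macro used above in this file) keeps the table honest about the build. Separately, `case 12` silently changes from `"gosthash94"` to NULL, which is a behaviour change that the `/* ECC-GOST */` tag does not explain; `case 12: return NULL; /* ECC-GOST: no longer supported, treated as unknown algorithm */` would record the intent. The dnsmasq.h hunk only drops the now-static prototype and needs nothing further.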
@@ -799,7 +799,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 {
 a.addr.log.keytag = keytag;
 a.addr.log.algo = algo;
- if (verify_func(algo))
+ if (algo_digest_name(algo))
 log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
 else
 log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
@@ -926,7 +926,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 a.addr.log.keytag = keytag;
 a.addr.log.algo = algo;
 a.addr.log.digest = digest;
- if (hash_find(ds_digest_name(digest)) && verify_func(algo))
+ if (ds_digest_name(digest) && algo_digest_name(algo))
 log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
 else
 log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
@@ -1613,8 +1613,8 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
 do
 {
 if (crecp->uid == (unsigned int)class &&
- hash_find(ds_digest_name(crecp->addr.ds.digest)) &&
- verify_func(crecp->addr.ds.algo))
+ ds_digest_name(crecp->addr.ds.digest) &&
+ algo_digest_name(crecp->addr.ds.algo))
 break;
 }
 while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS)));
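Review bot: In the dnssec_validate_ds() hunk and again in the zone_status() hunk, replacing `hash_find(ds_digest_name(...))` with `ds_digest_name(...)` alone drops the runtime lookup of the digest in the linked hash library, so a DS whose digest type is named in the table but not available at runtime is now treated as usable; in zone_status() that means the loop breaks on a DS it cannot verify instead of moving on to the next cached DS record, and the "(not supported)" log line no longer reflects what this build can actually do. The commit may be avoiding a NULL name reaching hash_find(), which the old code did not guard; `ds_digest_name(digest) && hash_find(ds_digest_name(digest)) && algo_digest_name(algo)` keeps that guard while restoring the runtime check, and the same form applies to the crecp->addr.ds fields in zone_status(). The dnssec_validate_by_ds() hunk has the parallel problem for the algorithm side, since algo_digest_name() is a fixed table whereas verify_func() reflected what was compiled in. All three enclosing functions start and end outside their hunks.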