Tidy DNSSEC algorithm table use.

This commit is contained in:
Simon Kelley
2017-10-27 23:23:53 +01:00
parent 3b0cb34710
commit b77efc1948
3 changed files with 23 additions and 19 deletions


@@ -365,7 +365,7 @@ static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len
#endif #endif
int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo) unsigned char *digest, size_t digest_len, int algo)
{ {
@@ -409,6 +409,11 @@ int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig,
return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo); return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
} }
/* Note the ds_digest_name(), algo_digest_name() and nsec3_digest_name()
define which algo numbers we support. If algo_digest_name() returns
non-NULL for an algorithm number, we assume that algrorithm is
supported by verify(). */
/* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */ /* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
char *ds_digest_name(int digest) char *ds_digest_name(int digest)
{ {
@@ -427,18 +432,19 @@ char *algo_digest_name(int algo)
{ {
switch (algo) switch (algo)
{ {
case 1: return "md5"; case 1: return "md5"; /* RSA/MD5 */
case 3: return "sha1"; case 2: return NULL; /* Diffie-Hellman */
case 5: return "sha1"; case 3: return "sha1"; /* DSA/SHA1 */
case 6: return "sha1"; case 5: return "sha1"; /* RSA/SHA1 */
case 7: return "sha1"; case 6: return "sha1"; /* DSA-NSEC3-SHA1 */
case 8: return "sha256"; case 7: return "sha1"; /* RSASHA1-NSEC3-SHA1 */
case 10: return "sha512"; case 8: return "sha256"; /* RSA/SHA-256 */
case 12: return "gosthash94"; case 10: return "sha512"; /* RSA/SHA-512 */
case 13: return "sha256"; case 12: return NULL; /* ECC-GOST */
case 14: return "sha384"; case 13: return "sha256"; /* ECDSAP256SHA256 */
case 15: return "null_hash"; /* Ed25519 */ case 14: return "sha384"; /* ECDSAP384SHA384 */
case 16: return NULL; /* Ed448 */ case 15: return "null_hash"; /* ED25519 */
case 16: return NULL; /* ED448 */
default: return NULL; default: return NULL;
} }
} }
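Review bot: The new comment above ds_digest_name() makes algo_digest_name() the authority on which algorithms verify() handles, but the actual dispatch is still done by verify_func(), now static and with its body outside this hunk; the `#endif` at the top of the hunk shows that at least one verifier (dnsmasq_eddsa_verify) is compiled conditionally, so on a build without that backend algo 15 would still map to "null_hash" here while verify_func(15) presumably returns NULL, as the old `if (verify_func(algo))` callers relied on. Since dnssec.c now consults this table to report an algorithm as supported, the two switches have to stay in step, and I would say so beside the algo_digest_name() switch: `/* Keep in sync with verify_func(): a non-NULL entry here is reported as "supported" by dnssec.c. */`. The new comment also has a typo, "algrorithm". algo_digest_name()'s signature line precedes this hunk.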


@@ -1186,8 +1186,6 @@ int setup_timestamp(void);
/* crypto.c */ /* crypto.c */
const struct nettle_hash *hash_find(char *name); const struct nettle_hash *hash_find(char *name);
int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo);
int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo); unsigned char *digest, size_t digest_len, int algo);
char *ds_digest_name(int digest); char *ds_digest_name(int digest);


@@ -799,7 +799,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
{ {
a.addr.log.keytag = keytag; a.addr.log.keytag = keytag;
a.addr.log.algo = algo; a.addr.log.algo = algo;
if (verify_func(algo)) if (algo_digest_name(algo))
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu"); log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
else else
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)"); log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
@@ -926,7 +926,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
a.addr.log.keytag = keytag; a.addr.log.keytag = keytag;
a.addr.log.algo = algo; a.addr.log.algo = algo;
a.addr.log.digest = digest; a.addr.log.digest = digest;
if (hash_find(ds_digest_name(digest)) && verify_func(algo)) if (ds_digest_name(digest) && algo_digest_name(algo))
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu"); log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
else else
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)"); log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
@@ -1613,8 +1613,8 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
do do
{ {
if (crecp->uid == (unsigned int)class && if (crecp->uid == (unsigned int)class &&
hash_find(ds_digest_name(crecp->addr.ds.digest)) && ds_digest_name(crecp->addr.ds.digest) &&
verify_func(crecp->addr.ds.algo)) algo_digest_name(crecp->addr.ds.algo))
break; break;
} }
while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS)));
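Review bot: In zone_status() the DS usability test at `ds_digest_name(crecp->addr.ds.digest)` no longer goes through hash_find(), so a DS whose digest number is in the table but whose hash is missing from the linked nettle would now be selected as usable rather than skipped, and the same applies to the logging condition `if (ds_digest_name(digest) && algo_digest_name(algo))` in dnssec_validate_ds(). Whether that can occur depends on the table in crypto.c naming only hashes every supported nettle provides, which this hunk does not show. If that invariant is intended, it is worth stating at the check, e.g. `/* ds_digest_name() only names hashes the linked nettle always provides, so hash_find() is not consulted here */`; otherwise keep the hash_find() test alongside the table lookup. The do/while loop belongs to zone_status(), whose start and the code after the loop lie outside the hunk.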