Handle known DNSSEC signature algorithms which are not supported.

This fixes a confusion if certain algorithms are not supported because the version is the crypto library is too old. The validation should be treated the same as for a completely unknown algorithm, (ie return unverified answer) and not as a validation failure (ie return SERVFAIL). The algorithems affected are GOST and ED448.
2025-12-19 18:28:25 +00:00 · 2022-11-13 15:55:09 +00:00
parent 2fc904111d
commit f52cfdd8c3
1 changed files with 12 additions and 1 deletions
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -390,7 +390,12 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
      return dnsmasq_ecdsa_verify;
      
 #if MIN_VERSION(3, 1)
-    case 15: case 16:
+    case 15:
+      return dnsmasq_eddsa_verify;
+#endif
+
+#if MIN_VERSION(3, 6)
+    case 16:
      return dnsmasq_eddsa_verify;
 #endif
    }
@@ -444,11 +449,17 @@ char *algo_digest_name(int algo)
    case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
    case 8: return "sha256";      /* RSA/SHA-256 */
    case 10: return "sha512";     /* RSA/SHA-512 */
+#if MIN_VERSION(3, 6)
    case 12: return "gosthash94"; /* ECC-GOST */
+#endif
    case 13: return "sha256";     /* ECDSAP256SHA256 */
    case 14: return "sha384";     /* ECDSAP384SHA384 */ 	
+#if MIN_VERSION(3, 1)
    case 15: return "null_hash";  /* ED25519 */
+#  if MIN_VERSION(3, 6)
    case 16: return "null_hash";  /* ED448 */
+#  endif
+#endif
    default: return NULL;
    }
 }