mirror of
https://github.com/NLnetLabs/unbound.git
synced 2026-01-26 00:22:54 -05:00
use sigcrypt.
git-svn-id: file:///svn/unbound/trunk@500 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards
parent
7726691af9
commit
bdb519c5c1
3 changed files with 104 additions and 37 deletions
|
|
@ -62,13 +62,7 @@ rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata,
|
|||
*len = d->rr_len[idx];
|
||||
}
|
||||
|
||||
/**
|
||||
* Get DNSKEY RR signature algorithm
|
||||
* @param k: DNSKEY rrset.
|
||||
* @param idx: which DNSKEY RR.
|
||||
* @return algorithm or 0 if DNSKEY too short.
|
||||
*/
|
||||
static int
|
||||
int
|
||||
dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
|
||||
{
|
||||
uint8_t* rdata;
|
||||
|
|
@ -79,6 +73,17 @@ dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
|
|||
return (int)rdata[2+3];
|
||||
}
|
||||
|
||||
int
|
||||
ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx)
|
||||
{
|
||||
uint8_t* rdata;
|
||||
size_t len;
|
||||
rrset_get_rdata(k, idx, &rdata, &len);
|
||||
if(len < 2+3)
|
||||
return 0;
|
||||
return (int)rdata[2+2];
|
||||
}
|
||||
|
||||
/**
|
||||
* Get DS RR digest algorithm
|
||||
* @param k: DS rrset.
|
||||
|
|
@ -96,6 +101,19 @@ ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx)
|
|||
return (int)rdata[2+3];
|
||||
}
|
||||
|
||||
uint16_t
|
||||
ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
|
||||
{
|
||||
uint16_t t;
|
||||
uint8_t* rdata;
|
||||
size_t len;
|
||||
rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len);
|
||||
if(len < 2+2)
|
||||
return 0;
|
||||
memmove(&t, rdata+2, 2);
|
||||
return t;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return pointer to the digest in a DS RR.
|
||||
* @param k: DS rrset.
|
||||
|
|
@ -222,11 +240,35 @@ int ds_digest_match_dnskey(struct module_env* env,
|
|||
}
|
||||
|
||||
int
|
||||
ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
|
||||
ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
|
||||
size_t ds_idx)
|
||||
{
|
||||
return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
|
||||
}
|
||||
|
||||
/** return true if DNSKEY algorithm id is supported */
|
||||
static int
|
||||
dnskey_algo_id_is_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
case LDNS_RSAMD5:
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
|
||||
size_t ds_idx)
|
||||
{
|
||||
return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx));
|
||||
}
|
||||
|
||||
uint16_t
|
||||
dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
|
||||
{
|
||||
|
|
@ -240,14 +282,7 @@ dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
|
|||
int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
size_t dnskey_idx)
|
||||
{
|
||||
switch(dnskey_get_algo(dnskey_rrset, dnskey_idx)) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
case LDNS_RSAMD5:
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset,
|
||||
dnskey_idx));
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -70,6 +70,14 @@ int ds_digest_match_dnskey(struct module_env* env,
|
|||
uint16_t dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
size_t dnskey_idx);
|
||||
|
||||
/**
|
||||
* Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
|
||||
* @param ds_rrset: DS rrset
|
||||
* @param ds_idx: index of RR in DS rrset.
|
||||
* @return the keytag or 0 for badly formatted DSs.
|
||||
*/
|
||||
uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
|
||||
|
||||
/**
|
||||
* See if DNSKEY algorithm is supported
|
||||
* @param dnskey_rrset: DNSKEY rrset.
|
||||
|
|
@ -80,12 +88,38 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
|||
size_t dnskey_idx);
|
||||
|
||||
/**
|
||||
* See if DS algorithm is supported
|
||||
* See if DS digest algorithm is supported
|
||||
* @param ds_rrset: DS rrset
|
||||
* @param ds_idx: index of RR in DS rrset.
|
||||
* @return true if supported.
|
||||
*/
|
||||
int ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
|
||||
int ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
|
||||
size_t ds_idx);
|
||||
|
||||
/**
|
||||
* See if DS key algorithm is supported
|
||||
* @param ds_rrset: DS rrset
|
||||
* @param ds_idx: index of RR in DS rrset.
|
||||
* @return true if supported.
|
||||
*/
|
||||
int ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
|
||||
size_t ds_idx);
|
||||
|
||||
/**
|
||||
* Get DS RR key algorithm. This value should match with the DNSKEY algo.
|
||||
* @param k: DS rrset.
|
||||
* @param idx: which DS.
|
||||
* @return algorithm or 0 if DS too short.
|
||||
*/
|
||||
int ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx);
|
||||
|
||||
/**
|
||||
* Get DNSKEY RR signature algorithm
|
||||
* @param k: DNSKEY rrset.
|
||||
* @param idx: which DNSKEY RR.
|
||||
* @return algorithm or 0 if DNSKEY too short.
|
||||
*/
|
||||
int dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx);
|
||||
|
||||
/** verify rrset against dnskey rrset. */
|
||||
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@
|
|||
#include "config.h"
|
||||
#include "validator/val_utils.h"
|
||||
#include "validator/val_kentry.h"
|
||||
#include "validator/val_sigcrypt.h"
|
||||
#include "util/data/msgreply.h"
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "util/data/dname.h"
|
||||
|
|
@ -213,19 +214,19 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
|||
num = rrset_get_count(dnskey_rrset);
|
||||
for(i=0; i<num; i++) {
|
||||
/* Skip DNSKEYs that don't match the basic criteria. */
|
||||
/* if (ds.getFootprint() != dnskey.getFootprint()
|
||||
* || ds.getAlgorithm() != dnskey.getAlgorithm())
|
||||
* {
|
||||
* continue;
|
||||
* }
|
||||
*/
|
||||
if(ds_get_key_algo(ds_rrset, ds_idx)
|
||||
!= dnskey_get_algo(dnskey_rrset, i)
|
||||
|| dnskey_calc_keytag(dnskey_rrset, i)
|
||||
!= ds_get_keytag(ds_rrset, ds_idx)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Convert the candidate DNSKEY into a hash using the
|
||||
* same DS hash algorithm. */
|
||||
/* byte[] key_hash = calculateDSHash(dnskey, ds.getDigestID());
|
||||
* byte[] ds_hash = ds.getDigest() */
|
||||
|
||||
/* if length or contents of the hash mismatch; continue */
|
||||
if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
|
||||
ds_idx)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Otherwise, we have a match! Make sure that the DNSKEY
|
||||
* verifies *with this key* */
|
||||
|
|
@ -263,14 +264,11 @@ val_verify_new_DNSKEYs(struct region* region, struct module_env* env,
|
|||
|
||||
num = rrset_get_count(ds_rrset);
|
||||
for(i=0; i<num; i++) {
|
||||
|
||||
/* Check to see if we can understand this DS. */
|
||||
/* if (!supportsDigestID(ds.getDigestID())
|
||||
* || !mVerifier.supportsAlgorithm(ds.getAlgorithm()))
|
||||
* {
|
||||
* continue;
|
||||
* }
|
||||
*/
|
||||
if(!ds_digest_algo_is_supported(ds_rrset, i) ||
|
||||
!ds_key_algo_is_supported(ds_rrset, i)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Once we see a single DS with a known digestID and
|
||||
* algorithm, we cannot return INSECURE (with a
|
||||
|
|
|
|||
Loading…
Reference in a new issue