resolved: NSEC3 hash algorithms are distinct from DS digest algorithms
Previously, we used the same set of identifiers for both, but that's actually incorrect: the two are separate IANA registries. It didn't matter much in practice, since the only NSEC3 hash algorithm defined (SHA-1) is assigned code 1, which is also its code in the DS digest registry, but we really should make sure to use two distinct enumerations.
This commit is contained in:
parent
0a9a2ac3d3
commit
d15ad74251
|
@ -1057,6 +1057,20 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int nsec3_hash_to_gcrypt_md(uint8_t algorithm) {
|
||||||
|
|
||||||
|
/* Translates a DNSSEC NSEC3 hash algorithm into a gcrypt digest identifier */
|
||||||
|
|
||||||
|
switch (algorithm) {
|
||||||
|
|
||||||
|
case NSEC3_ALGORITHM_SHA1:
|
||||||
|
return GCRY_MD_SHA1;
|
||||||
|
|
||||||
|
default:
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
|
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
|
||||||
uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
|
uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
|
||||||
gcry_md_hd_t md = NULL;
|
gcry_md_hd_t md = NULL;
|
||||||
|
@ -1073,7 +1087,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
|
||||||
if (nsec3->key->type != DNS_TYPE_NSEC3)
|
if (nsec3->key->type != DNS_TYPE_NSEC3)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
algorithm = digest_to_gcrypt_md(nsec3->nsec3.algorithm);
|
algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
|
||||||
if (algorithm < 0)
|
if (algorithm < 0)
|
||||||
return algorithm;
|
return algorithm;
|
||||||
|
|
||||||
|
@ -1138,6 +1152,10 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
|
||||||
if (!IN_SET(rr->nsec3.flags, 0, 1))
|
if (!IN_SET(rr->nsec3.flags, 0, 1))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
/* Ignore NSEC3 RRs whose algorithm we don't know */
|
||||||
|
if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (!nsec3)
|
if (!nsec3)
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
|
|
|
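Review bot: The new filter at `if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)` in nsec3_is_good() is the right behaviour, but its comment should record the normative reason and make explicit that "don't know" here means "cannot hash with gcrypt", not merely "unassigned in the IANA registry": `/* RFC 5155 §8.1: NSEC3 RRs with an unknown or unsupported hash algorithm MUST be ignored; the gcrypt mapping doubles as the support test */`. Since this function is where NSEC3 RRs are screened before they are used as proofs, it is also worth confirming that an upper bound on `rr->nsec3.iterations` is enforced somewhere (RFC 5155 §10.3), because an attacker-controlled iteration count drives the cost of every dnssec_nsec3_hash() call; I cannot see the rest of nsec3_is_good() from this hunk, so disregard if such a bound already exists. nsec3_is_good() starts and ends outside the hunk.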
@ -72,6 +72,13 @@ enum {
|
||||||
_DNSSEC_DIGEST_MAX_DEFINED
|
_DNSSEC_DIGEST_MAX_DEFINED
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* DNSSEC NSEC3 hash algorithms, see
|
||||||
|
* https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml */
|
||||||
|
enum {
|
||||||
|
NSEC3_ALGORITHM_SHA1 = 1,
|
||||||
|
_NSEC3_ALGORITHM_MAX_DEFINED
|
||||||
|
};
|
||||||
|
|
||||||
struct DnsResourceKey {
|
struct DnsResourceKey {
|
||||||
unsigned n_ref;
|
unsigned n_ref;
|
||||||
uint16_t class, type;
|
uint16_t class, type;
|
||||||
|
|