picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

resolved: simplify MD algorithm initialization a bit

This commit is contained in:
Lennart Poettering 2015-12-27 13:07:36 +01:00
parent af22c65b27
commit fbf1a66d78
1 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
src/resolve/resolved-dns-dnssec.c
View File

@ -275,6 +275,27 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
return realtime < inception || realtime > expiration; return realtime < inception || realtime > expiration;
} }
static int algorithm_to_gcrypt(uint8_t algorithm) {
/* Translates a DNSSEC signature algorithm into a gcrypt digest identifier */
switch (algorithm) {
case DNSSEC_ALGORITHM_RSASHA1:
case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1:
return GCRY_MD_SHA1;
case DNSSEC_ALGORITHM_RSASHA256:
return GCRY_MD_SHA256;
case DNSSEC_ALGORITHM_RSASHA512:
return GCRY_MD_SHA512;
default:
return -EOPNOTSUPP;
}
}
int dnssec_verify_rrset( int dnssec_verify_rrset(
DnsAnswer *a, DnsAnswer *a,
DnsResourceKey *key, DnsResourceKey *key,
@ -288,8 +309,8 @@ int dnssec_verify_rrset(
void *exponent, *modulus, *hash; void *exponent, *modulus, *hash;
DnsResourceRecord **list, *rr; DnsResourceRecord **list, *rr;
gcry_md_hd_t md = NULL; gcry_md_hd_t md = NULL;
int r, algorithm;
size_t k, n = 0; size_t k, n = 0;
int r;
assert(key); assert(key);
assert(rrsig); assert(rrsig);
@ -342,31 +363,17 @@ int dnssec_verify_rrset(
/* Bring the RRs into canonical order */ /* Bring the RRs into canonical order */
qsort_safe(list, n, sizeof(DnsResourceRecord*), rr_compare); qsort_safe(list, n, sizeof(DnsResourceRecord*), rr_compare);
/* OK, the RRs are now in canonical order. Let's calculate the digest */
initialize_libgcrypt(); initialize_libgcrypt();
/* OK, the RRs are now in canonical order. Let's calculate the digest */ algorithm = algorithm_to_gcrypt(rrsig->rrsig.algorithm);
switch (rrsig->rrsig.algorithm) { if (algorithm < 0)
return algorithm;
case DNSSEC_ALGORITHM_RSASHA1: hash_size = gcry_md_get_algo_dlen(algorithm);
case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1: assert(hash_size > 0);
gcry_md_open(&md, GCRY_MD_SHA1, 0);
hash_size = 20;
break;
case DNSSEC_ALGORITHM_RSASHA256:
gcry_md_open(&md, GCRY_MD_SHA256, 0);
hash_size = 32;
break;
case DNSSEC_ALGORITHM_RSASHA512:
gcry_md_open(&md, GCRY_MD_SHA512, 0);
hash_size = 64;
break;
default:
assert_not_reached("Unknown digest");
}
gcry_md_open(&md, algorithm, 0);
if (!md) if (!md)
return -EIO; return -EIO;
@ -732,7 +739,7 @@ int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {
static int digest_to_gcrypt(uint8_t algorithm) { static int digest_to_gcrypt(uint8_t algorithm) {
/* Translates a DNSSEC digest algorithm into a gcrypt digest iedntifier */ /* Translates a DNSSEC digest algorithm into a gcrypt digest identifier */
switch (algorithm) { switch (algorithm) {
@ -754,9 +761,8 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {
char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX]; char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
gcry_md_hd_t md = NULL; gcry_md_hd_t md = NULL;
size_t hash_size; size_t hash_size;
int algorithm; int algorithm, r;
void *result; void *result;
int r;
assert(dnskey); assert(dnskey);
assert(ds); assert(ds);