[ipfire-2.x.git] / src / patches / dnsmasq / 024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch

From 14a4ae883d51130d33da7133287e8867c64bab65 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 17 Dec 2015 17:23:03 +0000
Subject: [PATCH] Do a better job of determining which DNSSEC sig algos are
 supported.

---
 src/dnssec.c |   52 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 1f8c954..82394ee 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -65,10 +65,9 @@ static char *algo_digest_name(int algo)
     case 8: return "sha256";
     case 10: return "sha512";
     case 12: return "gosthash94";
-#ifndef NO_NETTLE_ECC
     case 13: return "sha256";
     case 14: return "sha384";
-#endif
+
     default: return NULL;
     }
 }
@@ -129,13 +128,15 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char
 }
   
 static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-			      unsigned char *digest, int algo)
+			      unsigned char *digest, size_t digest_len, int algo)
 {
   unsigned char *p;
   size_t exp_len;
   
   static struct rsa_public_key *key = NULL;
   static mpz_t sig_mpz;
+
+  (void)digest_len;
   
   if (key == NULL)
     {
@@ -181,7 +182,7 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
 }  
 
 static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-			      unsigned char *digest, int algo)
+			      unsigned char *digest, size_t digest_len, int algo)
 {
   unsigned char *p;
   unsigned int t;
@@ -189,6 +190,8 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
   static struct dsa_public_key *key = NULL;
   static struct dsa_signature *sig_struct;
   
+  (void)digest_len;
+
   if (key == NULL)
     {
       if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || 
@@ -292,26 +295,45 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
 } 
 #endif 
 
-static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-		  unsigned char *digest, size_t digest_len, int algo)
+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+				    unsigned char *digest, size_t digest_len, int algo)
 {
-  (void)digest_len;
-
+    
+  /* Enure at runtime that we have support for this digest */
+  if (!hash_find(algo_digest_name(algo)))
+    return NULL;
+  
+  /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
   switch (algo)
     {
     case 1: case 5: case 7: case 8: case 10:
-      return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
+      return dnsmasq_rsa_verify;
       
     case 3: case 6: 
-      return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
+      return dnsmasq_dsa_verify;
  
 #ifndef NO_NETTLE_ECC   
     case 13: case 14:
-      return dnsmasq_ecdsa_verify(key_data, key_len, sig, sig_len, digest, digest_len, algo);
+      return dnsmasq_ecdsa_verify;
 #endif
     }
   
-  return 0;
+  return NULL;
+}
+
+static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+		  unsigned char *digest, size_t digest_len, int algo)
+{
+
+  int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+	      unsigned char *digest, size_t digest_len, int algo);
+  
+  func = verify_func(algo);
+  
+  if (!func)
+    return 0;
+
+  return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
 }
 
 /* Convert from presentation format to wire format, in place.
@@ -732,7 +754,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
 	      if (check_date_range(sig_inception, sig_expiration) &&
 		  labels <= name_labels &&
 		  type_covered == type && 
-		  algo_digest_name(algo))
+		  verify_func(algo))
 		{
 		  if (!expand_workspace(&sigs, &sig_sz, sigidx))
 		    return 0; 
@@ -1865,7 +1887,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
 		      if (crecp->flags & F_DNSSECOK)
 			return STAT_INSECURE; /* proved no DS here */
 		    }
-		  else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo))
+		  else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_func(crecp->addr.ds.algo))
 		    return STAT_INSECURE; /* algo we can't use - insecure */
 		  else
 		    secure_ds = 1;
@@ -1887,7 +1909,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
 
 	  do 
 	    {
-	      if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo))
+	      if (crecp->uid == (unsigned int)class && !verify_func(crecp->addr.key.algo))
 		return STAT_INSECURE;
 	    }
 	  while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
-- 
1.7.10.4
Commit	Line	Data
1e1b03d5 MF	1	From 14a4ae883d51130d33da7133287e8867c64bab65 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Thu, 17 Dec 2015 17:23:03 +0000
	4	Subject: [PATCH] Do a better job of determining which DNSSEC sig algos are
	5	supported.
	6
	7	---
	8	src/dnssec.c \| 52 +++++++++++++++++++++++++++++++++++++---------------
	9	1 file changed, 37 insertions(+), 15 deletions(-)
	10
	11	diff --git a/src/dnssec.c b/src/dnssec.c
	12	index 1f8c954..82394ee 100644
	13	--- a/src/dnssec.c
	14	+++ b/src/dnssec.c
	15	@@ -65,10 +65,9 @@ static char *algo_digest_name(int algo)
	16	case 8: return "sha256";
	17	case 10: return "sha512";
	18	case 12: return "gosthash94";
	19	-#ifndef NO_NETTLE_ECC
	20	case 13: return "sha256";
	21	case 14: return "sha384";
	22	-#endif
	23	+
	24	default: return NULL;
	25	}
	26	}
	27	@@ -129,13 +128,15 @@ static int hash_init(const struct nettle_hash hash, void *ctxp, unsigned char
	28	}
	29
	30	static int dnsmasq_rsa_verify(struct blockdata key_data, unsigned int key_len, unsigned char sig, size_t sig_len,
	31	- unsigned char *digest, int algo)
	32	+ unsigned char *digest, size_t digest_len, int algo)
	33	{
	34	unsigned char *p;
	35	size_t exp_len;
	36
	37	static struct rsa_public_key *key = NULL;
	38	static mpz_t sig_mpz;
	39	+
	40	+ (void)digest_len;
	41
	42	if (key == NULL)
	43	{
	44	@@ -181,7 +182,7 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
	45	}
	46
	47	static int dnsmasq_dsa_verify(struct blockdata key_data, unsigned int key_len, unsigned char sig, size_t sig_len,
	48	- unsigned char *digest, int algo)
	49	+ unsigned char *digest, size_t digest_len, int algo)
	50	{
	51	unsigned char *p;
	52	unsigned int t;
	53	@@ -189,6 +190,8 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
	54	static struct dsa_public_key *key = NULL;
	55	static struct dsa_signature *sig_struct;
	56
	57	+ (void)digest_len;
	58	+
	59	if (key == NULL)
	60	{
	61	if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) \|\|
	62	@@ -292,26 +295,45 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
	63	}
	64	#endif
65
66	-static int verify(struct blockdata key_data, unsigned int key_len, unsigned char sig, size_t sig_len,
67	- unsigned char *digest, size_t digest_len, int algo)
68	+static int (verify_func(int algo))(struct blockdata key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
69	+ unsigned char *digest, size_t digest_len, int algo)
70	{
71	- (void)digest_len;
72	-
73	+
74	+ /* Enure at runtime that we have support for this digest */
75	+ if (!hash_find(algo_digest_name(algo)))
76	+ return NULL;
77	+
78	+ /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
79	switch (algo)
80	{
81	case 1: case 5: case 7: case 8: case 10:
82	- return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
83	+ return dnsmasq_rsa_verify;
84
85	case 3: case 6:
86	- return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
87	+ return dnsmasq_dsa_verify;
88
89	#ifndef NO_NETTLE_ECC
90	case 13: case 14:
91	- return dnsmasq_ecdsa_verify(key_data, key_len, sig, sig_len, digest, digest_len, algo);
92	+ return dnsmasq_ecdsa_verify;
93	#endif
94	}
95
96	- return 0;
97	+ return NULL;
98	+}
99	+
100	+static int verify(struct blockdata key_data, unsigned int key_len, unsigned char sig, size_t sig_len,
101	+ unsigned char *digest, size_t digest_len, int algo)
102	+{
103	+
104	+ int (func)(struct blockdata key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
105	+ unsigned char *digest, size_t digest_len, int algo);
106	+
107	+ func = verify_func(algo);
108	+
109	+ if (!func)
110	+ return 0;
111	+
112	+ return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
113	}
114
115	/* Convert from presentation format to wire format, in place.
116	@@ -732,7 +754,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
117	if (check_date_range(sig_inception, sig_expiration) &&
118	labels <= name_labels &&
119	type_covered == type &&
120	- algo_digest_name(algo))
121	+ verify_func(algo))
122	{
123	if (!expand_workspace(&sigs, &sig_sz, sigidx))
124	return 0;
125	@@ -1865,7 +1887,7 @@ static int zone_status(char name, int class, char keyname, time_t now)
126	if (crecp->flags & F_DNSSECOK)
127	return STAT_INSECURE; /* proved no DS here */
128	}
129	- else if (!ds_digest_name(crecp->addr.ds.digest) \|\| !algo_digest_name(crecp->addr.ds.algo))
130	+ else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) \|\| !verify_func(crecp->addr.ds.algo))
131	return STAT_INSECURE; /* algo we can't use - insecure */
132	else
133	secure_ds = 1;
134	@@ -1887,7 +1909,7 @@ static int zone_status(char name, int class, char keyname, time_t now)
135
136	do
137	{
138	- if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo))
139	+ if (crecp->uid == (unsigned int)class && !verify_func(crecp->addr.key.algo))
140	return STAT_INSECURE;
141	}
142	while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
143	--
144	1.7.10.4
145