}
result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
- dsbuf, &newdsrdata);
+ dsbuf, sizeof(dsbuf), &newdsrdata);
if (result != ISC_R_SUCCESS) {
vbprintf(3,
"dns_ds_buildrdata("
return ISC_R_NOSPACE;
}
- result = dns_ds_buildrdata(name, cdnskey, dt, r.base, ds);
+ result = dns_ds_buildrdata(name, cdnskey, dt, r.base, r.length, ds);
if (result == ISC_R_SUCCESS) {
isc_buffer_add(buf, DNS_DS_BUFFERSIZE);
}
return;
}
- result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
+ result = dns_ds_buildrdata(name, rdata, dt, buf, sizeof(buf), &ds);
if (result != ISC_R_SUCCESS) {
fatal("can't build record");
}
dns_rdata_init(rdata2);
CHECK(dns_ds_buildrdata(name, rdata, alg->digest,
- cdsbuf, &cds));
+ cdsbuf, sizeof(cdsbuf), &cds));
cds.type = dns_rdatatype_cds;
dns_rdata_toregion(&cds, &rcds);
isc_buffer_allocate(mctx, &newbuf2, rcds.length);
dns_rdata_t ds = DNS_RDATA_INIT;
dns_rdataset_current(&keyset, &key);
result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
- dsbuf, &ds);
+ dsbuf, sizeof(dsbuf), &ds);
check_result(result, "dns_ds_buildrdata");
dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name, ttl, &ds,
if (type != dns_rdatatype_dnskey) {
result = dns_ds_buildrdata(gorigin, &rdata,
DNS_DSDIGEST_SHA256, dsbuf,
- &ds);
+ sizeof(dsbuf), &ds);
check_result(result, "dns_ds_buildrdata");
dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
0, &ds, &tuple);
static isc_result_t
ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
- unsigned char *digest, dns_rdata_ds_t *ds) {
+ unsigned char *digest, size_t digest_len, dns_rdata_ds_t *ds) {
isc_result_t result;
dns_rdata_dnskey_t keystruct;
dns_rdata_t rdata = DNS_RDATA_INIT;
keystruct.common.rdtype, &keystruct,
&rrdatabuf));
CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
- digest, ds));
+ digest, digest_len, ds));
break;
case INIT_DS:
CHECK(ISC_R_UNEXPECTEDEND);
}
break;
+#if defined(DNS_DSDIGEST_SHA256PRIVATE)
+ case DNS_DSDIGEST_SHA256PRIVATE:
+ if (r.length < ISC_SHA256_DIGESTLENGTH) {
+ CHECK(ISC_R_UNEXPECTEDEND);
+ }
+ break;
+#endif
+#if defined(DNS_DSDIGEST_SHA384PRIVATE)
+ case DNS_DSDIGEST_SHA384PRIVATE:
+ if (r.length < ISC_SHA384_DIGESTLENGTH) {
+ CHECK(ISC_R_UNEXPECTEDEND);
+ }
+ break;
+#endif
default:
cfg_obj_log(key, ISC_LOG_ERROR,
"key '%s': "
break;
}
+ if (r.length > digest_len) {
+ CHECK(ISC_R_NOSPACE);
+ }
ds->length = r.length;
ds->digest = digest;
- INSIST(r.length <= ISC_MAX_MD_SIZE);
memmove(ds->digest, r.base, r.length);
- if (!dst_algorithm_supported(ds->algorithm)) {
+ algorithm = ds->algorithm;
+
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && defined(DNS_DSDIGEST_SHA384PRIVATE)
+ /*
+ * Extract the private algorithm from the start
+ * of the hash field.
+ */
+ switch (ds->digest_type) {
+ /*
+ * Digest types that do not encode the private DNSSEC algorithm
+ * at the start of the digest field.
+ */
+ case DNS_DSDIGEST_SHA1:
+ case DNS_DSDIGEST_SHA256:
+ case DNS_DSDIGEST_SHA384:
+ break;
+ /*
+ * Digest types that encode the private DNSSEC algorithm
+ * at the start of the digest field.
+ */
+ case DNS_DSDIGEST_SHA256PRIVATE:
+ case DNS_DSDIGEST_SHA384PRIVATE:
+ algorithm = dst_algorithm_fromdata(
+ ds->algorithm, ds->digest, ds->length);
+ break;
+ /*
+ * Unknown digest types.
+ */
+ default:
+ break;
+ }
+#endif
+ if (!dst_algorithm_supported(algorithm)) {
CHECK(DST_R_UNSUPPORTEDALG);
}
dns_rdata_ds_t ds;
isc_result_t result;
bool initializing = managed;
- unsigned char digest[ISC_MAX_MD_SIZE];
+ unsigned char digest[DNS_DS_BUFFERSIZE];
isc_buffer_t b;
- result = ta_fromconfig(key, &initializing, &namestr, digest, &ds);
+ result = ta_fromconfig(key, &initializing, &namestr, digest,
+ sizeof(digest), &ds);
switch (result) {
case ISC_R_SUCCESS:
#include <isc/net.h>
#include <isc/util.h>
+#include <dns/ds.h>
#include <dns/edns.h>
#include <dns/lib.h>
fprintf(stderr, "\t--edns-version\n");
fprintf(stderr, "\t--enable-dnstap\n");
fprintf(stderr, "\t--enable-querytrace\n");
+ fprintf(stderr, "\t--extended-ds-digest\n");
fprintf(stderr, "\t--fips-provider\n");
fprintf(stderr, "\t--gethostname\n");
fprintf(stderr, "\t--gssapi\n");
#endif /* ifdef WANT_QUERYTRACE */
}
+ if (strcasecmp(argv[1], "--extended-ds-digest") == 0) {
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && defined(DNS_DSDIGEST_SHA384PRIVATE)
+ return 0;
+#else
+ return 1;
+#endif
+ }
+
if (strcasecmp(argv[1], "--fips-provider") == 0) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_PROVIDER *fips = OSSL_PROVIDER_load(NULL, "fips");
dns_rdata_t cdsrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
- r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
+ r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf,
+ sizeof(dsbuf), &cdsrdata);
if (r != ISC_R_SUCCESS) {
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_dsdigest_format(digesttype, algbuf,
dns_rdata_t cdsrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
- r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
+ r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf,
+ sizeof(dsbuf), &cdsrdata);
if (r != ISC_R_SUCCESS) {
return r;
}
}
result = dns_ds_buildrdata(name, keyrdata, ds.digest_type, buf,
- &newdsrdata);
+ sizeof(buf), &newdsrdata);
if (result != ISC_R_SUCCESS) {
continue;
}
#include <dns/ds.h>
#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdatastruct.h>
isc_result_t
dns_ds_fromkeyrdata(const dns_name_t *owner, dns_rdata_t *key,
dns_dsdigest_t digest_type, unsigned char *digest,
- dns_rdata_ds_t *dsrdata) {
+ size_t len, dns_rdata_ds_t *dsrdata) {
isc_result_t result;
dns_fixedname_t fname;
dns_name_t *name;
- unsigned int digestlen;
+ unsigned int digestlen = 0;
+ unsigned int privatelen = 0;
isc_region_t r;
isc_md_t *md;
const isc_md_type_t *md_type = NULL;
REQUIRE(key != NULL);
REQUIRE(key->type == dns_rdatatype_dnskey ||
key->type == dns_rdatatype_cdnskey);
+ REQUIRE(digest != NULL);
if (!dst_ds_digest_supported(digest_type)) {
return ISC_R_NOTIMPLEMENTED;
break;
case DNS_DSDIGEST_SHA384:
+#ifdef DNS_DSDIGEST_SHA384PRIVATE
+ case DNS_DSDIGEST_SHA384PRIVATE:
+#endif
md_type = ISC_MD_SHA384;
break;
case DNS_DSDIGEST_SHA256:
+#ifdef DNS_DSDIGEST_SHA256PRIVATE
+ case DNS_DSDIGEST_SHA256PRIVATE:
+#endif
md_type = ISC_MD_SHA256;
break;
goto end;
}
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && defined(DNS_DSDIGEST_SHA384PRIVATE)
+ /*
+ * Insert PRIVATE algorithm identify at start of digest.
+ */
+ switch (digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ case DNS_DSDIGEST_SHA256:
+ case DNS_DSDIGEST_SHA384:
+ break;
+ case DNS_DSDIGEST_SHA256PRIVATE:
+ case DNS_DSDIGEST_SHA384PRIVATE:
+ switch (r.base[3]) {
+ case DNS_KEYALG_PRIVATEDNS: {
+ isc_region_t r2 = r;
+ INSIST(r2.length >= 5);
+ isc_region_consume(&r2, 4);
+ dns_name_fromregion(name, &r2);
+ dns_name_toregion(name, &r2);
+ privatelen = r2.length;
+ if (r2.length > len) {
+ result = ISC_R_NOSPACE;
+ goto end;
+ }
+ memmove(digest, r2.base, privatelen);
+ digest += privatelen;
+ len -= privatelen;
+ break;
+ }
+ case DNS_KEYALG_PRIVATEOID: {
+ isc_region_t r2 = r;
+ INSIST(r2.length >= 5);
+ isc_region_consume(&r2, 4);
+ privatelen = r2.base[0] + 1;
+ if (r2.base[0] > len) {
+ result = ISC_R_NOSPACE;
+ goto end;
+ }
+ INSIST(r2.length >= privatelen);
+ memmove(digest, r2.base, privatelen);
+ digest += privatelen;
+ len -= privatelen;
+ break;
+ }
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+#endif
+
+ size_t mdsize = isc_md_get_size(md);
+ if (mdsize > len) {
+ result = ISC_R_NOSPACE;
+ goto end;
+ }
+
result = isc_md_final(md, digest, &digestlen);
if (result != ISC_R_SUCCESS) {
goto end;
dsrdata->algorithm = r.base[3];
dsrdata->key_tag = dst_region_computeid(&r);
dsrdata->digest_type = digest_type;
- dsrdata->digest = digest;
- dsrdata->length = digestlen;
+ dsrdata->digest = digest - privatelen;
+ dsrdata->length = digestlen + privatelen;
end:
isc_md_free(md);
isc_result_t
dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
- dns_dsdigest_t digest_type, unsigned char *buffer,
+ dns_dsdigest_t digest_type, unsigned char *buffer, size_t len,
dns_rdata_t *rdata) {
isc_result_t result;
unsigned char digest[ISC_MAX_MD_SIZE];
dns_rdata_ds_t ds;
isc_buffer_t b;
- result = dns_ds_fromkeyrdata(owner, key, digest_type, digest, &ds);
+ result = dns_ds_fromkeyrdata(owner, key, digest_type, digest, len, &ds);
if (result != ISC_R_SUCCESS) {
return result;
}
bool
dst_ds_digest_supported(unsigned int digest_type) {
return digest_type == DNS_DSDIGEST_SHA1 ||
+#if defined(DNS_DSDIGEST_SHA256PRIVATE)
+ digest_type == DNS_DSDIGEST_SHA256PRIVATE ||
+#endif
digest_type == DNS_DSDIGEST_SHA256 ||
+#if defined(DNS_DSDIGEST_SHA256PRIVATE)
+ digest_type == DNS_DSDIGEST_SHA384PRIVATE ||
+#endif
digest_type == DNS_DSDIGEST_SHA384;
}
#define DNS_DSDIGEST_GOST2012 (5)
#define DNS_DSDIGEST_SM3 (6)
+#if TEST_PRIVATE_DSDIGEST
/*
- * Assuming SHA-384 digest type.
+ * Possible future digest types that encode the PRIVATEDNS and
+ * PRIVATEOID identifiers before the cryptographic digest value.
*/
-#define DNS_DS_BUFFERSIZE (52)
+#define DNS_DSDIGEST_SHA256PRIVATE (7)
+#define DNS_DSDIGEST_SHA384PRIVATE (8)
+#define DNS_DSDIGEST_SM3PRIVATE (9)
+#endif
+
+/*
+ * Assuming SHA-384 digest type + maximal PRIVATEDNS name.
+ */
+#define DNS_DS_BUFFERSIZE (52 + 255)
isc_result_t
dns_ds_fromkeyrdata(const dns_name_t *owner, dns_rdata_t *key,
dns_dsdigest_t digest_type, unsigned char *digest,
- dns_rdata_ds_t *dsrdata);
+ size_t len, dns_rdata_ds_t *dsrdata);
/*%<
* Build a DS rdata structure from a key.
*
isc_result_t
dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
- dns_dsdigest_t digest_type, unsigned char *buffer,
+ dns_dsdigest_t digest_type, unsigned char *buffer, size_t len,
dns_rdata_t *rdata);
/*%<
* Similar to dns_ds_fromkeyrdata(), but copies the DS into a
}
result = dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256,
- digest, &ds);
+ digest, sizeof(digest), &ds);
if (result != ISC_R_SUCCESS) {
goto finish;
}
/* RFC3658, RFC4509, RFC5933, RFC6605, RFC9558, RFC9563 */
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && \
+ defined(DNS_DSDIGEST_SHA384PRIVATE) && \
+ defined(DNS_DSDIGEST_SM3PRIVATE)
+#define DSDIGESTPRIVATENAMES \
+ { DNS_DSDIGEST_SHA256PRIVATE, "SHA-256-PRIVATE", 0 }, \
+ { DNS_DSDIGEST_SHA256PRIVATE, "SHA256PRIVATE", 0 }, \
+ { DNS_DSDIGEST_SHA384PRIVATE, "SHA-384-PRIVATE", 0 }, \
+ { DNS_DSDIGEST_SHA384PRIVATE, "SHA384PRIVATE", 0 }, \
+ { DNS_DSDIGEST_SM3PRIVATE, "SM3-PRIVATE", 0 }, \
+ { DNS_DSDIGEST_SM3PRIVATE, "SM3PRIVATE", 0 },
+#else
+#define DSDIGESTPRIVATENAMES
+#endif
+
#define DSDIGESTNAMES \
{ DNS_DSDIGEST_SHA1, "SHA-1", 0 }, { DNS_DSDIGEST_SHA1, "SHA1", 0 }, \
{ DNS_DSDIGEST_SHA256, "SHA-256", 0 }, \
{ DNS_DSDIGEST_SHA384, "SHA-384", 0 }, \
{ DNS_DSDIGEST_SHA384, "SHA384", 0 }, \
{ DNS_DSDIGEST_GOST2012, "GOST-2012", 0 }, \
- { DNS_DSDIGEST_GOST2012, "GOST2012", 0 }, SENTINEL
+ { DNS_DSDIGEST_GOST2012, "GOST2012", 0 }, \
+ DSDIGESTPRIVATENAMES SENTINEL
struct tbl {
unsigned int value;
isc_result_t result;
dns_rdata_ds_t ds;
dns_rdata_dnskey_t key;
+ unsigned char *data = 0;
+ unsigned int datalen = 0;
dns_rdata_reset(&dsrdata);
dns_rdataset_current(val->dsset, &dsrdata);
return DNS_R_BADALG;
}
- if (ds.algorithm != DNS_KEYALG_PRIVATEDNS &&
- ds.algorithm != DNS_KEYALG_PRIVATEOID)
+ switch (ds.algorithm) {
+ case DNS_KEYALG_PRIVATEDNS:
+ case DNS_KEYALG_PRIVATEOID:
+ switch (ds.digest_type) {
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && defined(DNS_DSDIGEST_SHA384PRIVATE)
+ case DNS_DSDIGEST_SHA256PRIVATE:
+ case DNS_DSDIGEST_SHA384PRIVATE:
+ data = ds.digest;
+ datalen = ds.length;
+ break;
+#endif
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (data != NULL || (ds.algorithm != DNS_KEYALG_PRIVATEDNS &&
+ ds.algorithm != DNS_KEYALG_PRIVATEOID))
{
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->name, ds.algorithm,
- NULL, 0))
+ data, datalen))
{
if (val->unsupported_algorithm == 0) {
val->unsupported_algorithm = ds.algorithm;
* found a matching dnskey.
*/
dns_rdata_tostruct(&keyrdata, &key, NULL);
- if (ds.algorithm == DNS_KEYALG_PRIVATEDNS ||
- ds.algorithm == DNS_KEYALG_PRIVATEOID)
+ if (data == NULL && (ds.algorithm == DNS_KEYALG_PRIVATEDNS ||
+ ds.algorithm == DNS_KEYALG_PRIVATEOID))
{
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->name, key.algorithm,
ds.algorithm == DNS_KEYALG_PRIVATEDNS)
{
switch (ds.digest_type) {
+#if defined(DNS_DSDIGEST_SHA256PRIVATE) && defined(DNS_DSDIGEST_SHA384PRIVATE)
+ case DNS_DSDIGEST_SHA256PRIVATE:
+ case DNS_DSDIGEST_SHA384PRIVATE:
+ data = ds.digest;
+ datalen = ds.length;
+ break;
+#endif
case DNS_DSDIGEST_SHA1:
case DNS_DSDIGEST_SHA256:
case DNS_DSDIGEST_SHA384:
* it would be raised already.
*
* If we have seen a private algorithm for which we couldn't find a
- * DNSKEY we must assume the child zone is secure. With PRIVATEDNS and
- * PRIVATEOID we can only make that determination if we match a DNSKEY
- * for every DS with these algorithms. Since we don't know whether the
- * private algorithm is unsupported or not, we are required to treat it
- * as supported.
+ * DNSKEY nor extract it from the digest field we must assume the child
+ * zone is secure. With PRIVATEDNS and PRIVATEOID we can make that
+ * determination if we match a DNSKEY for every DS with these algorithms
+ * or extract the algorithm from the digest field. Since we don't know
+ * whether the private algorithm is unsupported or not, we are required
+ * to treat it as supported.
*/
if (seen_private) {
char namebuf[DNS_NAME_FORMATSIZE];
goto finish;
}
- result = dns_ds_fromkeyrdata(keyname, &rdata,
- DNS_DSDIGEST_SHA256,
- digest, &ds);
+ result = dns_ds_fromkeyrdata(
+ keyname, &rdata, DNS_DSDIGEST_SHA256, digest,
+ sizeof(digest), &ds);
if (result != ISC_R_SUCCESS) {
goto finish;
}
isc_result_t result;
dns_name_t *name = UNCONST(keyname);
char rdatabuf[DST_KEY_MAXSIZE];
- unsigned char digest[ISC_MAX_MD_SIZE];
+ unsigned char digest[DNS_DS_BUFFERSIZE];
dns_rdata_ds_t ds;
dns_rdata_t rdata;
isc_buffer_t b;
CHECK(dns_rdata_tostruct(&rdata, &ds, NULL));
} else {
CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
- digest, &ds));
+ digest, sizeof(digest), &ds));
}
CHECK(dns_keytable_add(view->secroots_priv, false, false, name, &ds,
bool initial) {
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char data[4096], digest[ISC_MAX_MD_SIZE];
+ unsigned char data[4096], digest[DNS_DS_BUFFERSIZE];
isc_buffer_t buffer;
dns_keytable_t *sr = NULL;
dns_rdata_ds_t ds;
dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
dns_rdatatype_dnskey, dnskey, &buffer);
CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest,
- &ds));
+ sizeof(digest), &ds));
CHECK(dns_keytable_add(sr, true, initial, keyname, &ds, sfd_add,
zone->view));
return result;
}
result = dns_ds_buildrdata(dns_zone_getorigin(zone), &dnskey,
- cds.digest_type, cdsbuf, &cdsrdata);
+ cds.digest_type, cdsbuf,
+ sizeof(cdsbuf), &cdsrdata);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"dns_ds_buildrdata(keytag=%d, algo=%d, "
/* Derive DS from DNSKEY, see if the rdata is equal. */
make_dnskey(key->key, keybuf, sizeof(keybuf), &dnskey);
r = dns_ds_buildrdata(&zone->origin, &dnskey,
- ds.digest_type, dsbuf, &dsrdata);
+ ds.digest_type, dsbuf,
+ sizeof(dsbuf), &dsrdata);
if (r != ISC_R_SUCCESS) {
continue;
}
result = dns_ds_buildrdata(vctx->origin, keyrdata,
ds.digest_type, buf,
- &newdsrdata);
+ sizeof(buf), &newdsrdata);
if (result != ISC_R_SUCCESS) {
continue;
}
static void
create_dsstruct(dns_name_t *name, uint16_t flags, uint8_t proto, uint8_t alg,
- const char *keystr, unsigned char *digest,
+ const char *keystr, unsigned char *digest, size_t digest_len,
dns_rdata_ds_t *dsstruct) {
isc_result_t result;
unsigned char rrdata[4096];
* Build DS rdata struct.
*/
result = dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256, digest,
- dsstruct);
+ digest_len, dsstruct);
assert_int_equal(result, ISC_R_SUCCESS);
dns_rdata_freestruct(&dnskey);
/* Common setup: create a keytable and ntatable to test with a few keys */
static void
create_tables(void) {
- unsigned char digest[ISC_MAX_MD_SIZE];
+ unsigned char digest[DNS_DS_BUFFERSIZE];
dns_rdata_ds_t ds;
dns_fixedname_t fn;
dns_name_t *keyname = dns_fixedname_name(&fn);
/* Add a normal key */
dns_test_namefromstring("example.com.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr1, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
/* Add an initializing managed key */
dns_test_namefromstring("managed.com.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr1, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
ISC_LOOP_TEST_IMPL(add) {
dns_keynode_t *keynode = NULL;
dns_keynode_t *null_keynode = NULL;
- unsigned char digest[ISC_MAX_MD_SIZE];
+ unsigned char digest[DNS_DS_BUFFERSIZE];
dns_rdata_ds_t ds;
dns_fixedname_t fn;
dns_name_t *keyname = dns_fixedname_name(&fn);
* report success.
*/
dns_test_namefromstring("example.com.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr1, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
/* Add another key (different keydata) */
dns_keynode_detach(&keynode);
- create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr2, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
* node, the node should *not* be marked as initializing.
*/
dns_test_namefromstring("managed.com.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr2, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
* initializing key.
*/
dns_test_namefromstring("two.com.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr1, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
* trust anchor for two.com and we haven't run dns_keynode_trust(),
* the initialization status should not change.
*/
- create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr2, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, true, false, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
&null_keynode),
ISC_R_SUCCESS);
dns_test_namefromstring("null.example.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr2, digest, sizeof(digest),
+ &ds);
assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds,
NULL, NULL),
ISC_R_SUCCESS);
bool issecure, covered;
dns_fixedname_t fn;
dns_name_t *keyname = dns_fixedname_name(&fn);
- unsigned char digest[ISC_MAX_MD_SIZE];
+ unsigned char digest[DNS_DS_BUFFERSIZE];
dns_rdata_ds_t ds;
dns_view_t *myview = NULL;
isc_stdtime_t now = isc_stdtime_now();
assert_int_equal(result, ISC_R_SUCCESS);
dns_test_namefromstring("example.", &fn);
- create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+ create_dsstruct(keyname, 257, 3, 5, keystr1, digest, sizeof(digest),
+ &ds);
result = dns_keytable_add(keytable, false, false, keyname, &ds, NULL,
NULL),
assert_int_equal(result, ISC_R_SUCCESS);
projects / thirdparty / bind9.git / commitdiff
