dns_fixedname_t fname;
dns_name_t *name;
uint16_t flags = 0, kskflag = 0, revflag = 0;
- dns_secalg_t alg;
+ dst_algorithm_t alg;
bool oldstyle = false;
isc_mem_t *mctx = NULL;
int ch;
r.base = algname;
r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
+ ret = dst_algorithm_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
bool wantzsk;
bool wantksk;
bool wantrev;
- dns_secalg_t alg;
+ dst_algorithm_t alg;
/* timing data */
int prepub;
isc_stdtime_t now;
UNUSED(argc);
- dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
+ dst_algorithm_format(ctx->alg, algstr, sizeof(algstr));
if (ctx->predecessor == NULL) {
if (ctx->prepub == -1) {
}
switch (ctx->alg) {
- case DNS_KEYALG_RSASHA1:
- case DNS_KEYALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
if (isc_crypto_fips_mode()) {
fatal("SHA1 based keys not supported in FIPS mode");
}
FALLTHROUGH;
- case DNS_KEYALG_RSASHA256:
- case DNS_KEYALG_RSASHA512:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
if (ctx->size != 0 &&
(ctx->size < min_rsa || ctx->size > MAX_RSA))
{
case DST_ALG_ED448:
ctx->size = 456;
break;
+ default:
+ fatal("not a dnskey algorithm %u\n", ctx->alg);
}
if ((ctx->options & DST_TYPE_KEY) == 0) {
}
switch (ctx->alg) {
- case DNS_KEYALG_RSASHA1:
- case DNS_KEYALG_NSEC3RSASHA1:
- case DNS_KEYALG_RSASHA256:
- case DNS_KEYALG_RSASHA512:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
show_progress = true;
break;
case DST_ALG_ED448:
show_progress = true;
break;
+ default:
+ break;
}
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY &&
}
r.base = algname;
r.length = strlen(algname);
- ret = dns_secalg_fromtext(&ctx.alg, &r);
+ ret = dst_algorithm_fromtext(&ctx.alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
/* keygen */
bool ksk;
dns_ttl_t ttl;
- dns_secalg_t alg;
+ dst_algorithm_t alg;
int size;
time_t lifetime;
time_t parentpropagation;
}
/* Check algorithm and size. */
- dns_secalg_format(ksr->alg, algstr, sizeof(algstr));
+ dst_algorithm_format(ksr->alg, algstr, sizeof(algstr));
if (!dst_algorithm_supported(ksr->alg)) {
fatal("unsupported algorithm: %s", algstr);
}
*/
static dns_dnsseckey_t *
keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
+ dst_algorithm_t algorithm = dst_algorithm_fromdata(
+ rrsig->algorithm, rrsig->signature, rrsig->siglen);
+
ISC_LIST_FOREACH (keylist, key, link) {
if (rrsig->keyid == dst_key_id(key->key) &&
- rrsig->algorithm == dst_key_alg(key->key) &&
+ algorithm == dst_key_alg(key->key) &&
dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
{
return key;
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
+ dst_algorithm_t algorithm = dst_algorithm_fromdata(
+ sig->algorithm, sig->signature, sig->siglen);
dns_name_format(&sig->signer, namestr, sizeof(namestr));
- dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
+ dst_algorithm_format(algorithm, algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
}
}
if (dst_algorithm_supported(i)) {
isc_buffer_putstr(b, " ");
- (void)dns_secalg_totext(i, b);
+ dst_algorithm_totext(i, b);
}
}
}
algorithms = cfg_tuple_get(disabled, "algorithms");
CFG_LIST_FOREACH (algorithms, element) {
isc_textregion_t r;
- dns_secalg_t alg;
+ dst_algorithm_t alg;
r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element)));
r.length = strlen(r.base);
-
- result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
- uint8_t ui;
- result = isc_parse_uint8(&ui, r.base, 10);
- alg = ui;
- }
+ result = dst_algorithm_fromtext(&alg, &r);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), ISC_LOG_ERROR,
"invalid algorithm");
/* variables for -key */
bool use_keyid = false;
dns_keytag_t keyid = 0;
- uint8_t algorithm = 0;
+ dst_algorithm_t algorithm = 0;
/* variables for -status */
bool status = false;
char output[4096];
}
alg.base = ptr;
alg.length = strlen(alg.base);
- result = dns_secalg_fromtext(
+ result = dst_algorithm_fromtext(
&algorithm, (isc_textregion_t *)&alg);
if (result != ISC_R_SUCCESS) {
msg = "Bad algorithm";
dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
sig.covered = set->type;
- sig.algorithm = dst_key_alg(key);
+ sig.algorithm = dst_algorithm_tosecalg(dst_key_alg(key));
sig.labels = dns_name_countlabels(name) - 1;
if (dns_name_iswildcard(name)) {
sig.labels--;
ISC_LINK_INIT(&sig.common, link);
sig.covered = 0;
- sig.algorithm = dst_key_alg(key);
+ sig.algorithm = dst_algorithm_tosecalg(dst_key_alg(key));
sig.labels = 0; /* the root name */
sig.originalttl = 0;
dns_rdataset_clone(rrsigs, &sigs);
ISC_LIST_FOREACH (*keylist, key, link) {
uint16_t keyid, sigid;
- dns_secalg_t keyalg, sigalg;
+ dst_algorithm_t keyalg, sigalg;
keyid = dst_key_id(key->key);
keyalg = dst_key_alg(key->key);
dns_rdataset_current(&sigs, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- sigalg = sig.algorithm;
+ sigalg = dst_algorithm_fromdata(
+ sig.algorithm, sig.signature, sig.siglen);
sigid = sig.keyid;
if (keyid == sigid && keyalg == sigalg) {
key->is_active = true;
dns_rdataset_clone(keyset, &keys);
DNS_RDATASET_FOREACH (&keys) {
dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_algorithm_t algorithm;
+ dns_rdata_dnskey_t keystruct;
+
dns_rdataset_current(&keys, &rdata);
REQUIRE(rdata.type == dns_rdatatype_key ||
rdata.type == dns_rdatatype_dnskey);
REQUIRE(rdata.length > 3);
+ result = dns_rdata_tostruct(&rdata, &keystruct, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ algorithm = dst_algorithm_fromdata(
+ keystruct.algorithm, keystruct.data, keystruct.datalen);
+
/* Skip unsupported algorithms */
- if (!dst_algorithm_supported(rdata.data[3])) {
+ if (!dst_algorithm_supported(algorithm)) {
goto skip;
}
}
isc_buffer_putuint16(target, (uint16_t)(key->key_flags & 0xffff));
isc_buffer_putuint8(target, (uint8_t)key->key_proto);
- isc_buffer_putuint8(target, (uint8_t)key->key_alg);
+ isc_buffer_putuint8(target,
+ (uint8_t)dst_algorithm_tosecalg(key->key_alg));
if ((key->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
if (isc_buffer_availablelength(target) < 2) {
dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
+ dst_algorithm_t algorithm = dst_key_alg(key);
dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
- dns_secalg_format((dns_secalg_t)dst_key_alg(key), algstr,
- sizeof(algstr));
+ dst_algorithm_format(algorithm, algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
}
void
dst__hmacsha512_init(struct dst_func **funcp);
void
-dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
+dst__opensslrsa_init(struct dst_func **funcp, unsigned short algorithm);
void
dst__opensslecdsa_init(struct dst_func **funcp);
void
/* Configuration */
dns_keystore_t *keystore;
uint32_t lifetime;
- uint8_t algorithm;
+ dst_algorithm_t algorithm;
int length;
uint8_t role;
uint16_t tag_min;
REQUIRE(key != NULL);
switch (key->algorithm) {
- case DNS_KEYALG_RSASHA1:
- case DNS_KEYALG_NSEC3RSASHA1:
- case DNS_KEYALG_RSASHA256:
- case DNS_KEYALG_RSASHA512:
- min = (key->algorithm == DNS_KEYALG_RSASHA512) ? 1024 : 512;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ min = (key->algorithm == DST_ALG_RSASHA512) ? 1024 : 512;
if (key->length > -1) {
size = (unsigned int)key->length;
if (size < min) {
size = 2048;
}
break;
- case DNS_KEYALG_ECDSA256:
+ case DST_ALG_ECDSA256:
size = 256;
break;
- case DNS_KEYALG_ECDSA384:
+ case DST_ALG_ECDSA384:
size = 384;
break;
- case DNS_KEYALG_ED25519:
+ case DST_ALG_ED25519:
size = 256;
break;
- case DNS_KEYALG_ED448:
+ case DST_ALG_ED448:
size = 456;
break;
default:
unsigned int siglen = 0;
EVP_MD_CTX *evp_md_ctx = NULL;
EVP_PKEY *pkey = NULL;
+ unsigned int len = 0;
REQUIRE(dctx != NULL && dctx->key != NULL);
REQUIRE(opensslrsa_valid_key_alg(dctx->key->key_alg));
evp_md_ctx = dctx->ctxdata.evp_md_ctx;
pkey = key->keydata.pkeypair.priv;
+ /*
+ * Account to the space the OIDs and DNS names consume.
+ */
+ switch (key->key_alg) {
+ }
+
isc_buffer_availableregion(sig, &r);
- if (r.length < (unsigned int)EVP_PKEY_size(pkey)) {
+ if (r.length < (unsigned int)EVP_PKEY_size(pkey) + len) {
return ISC_R_NOSPACE;
}
+ /*
+ * Add OID and DNS names to start of signature.
+ */
+ switch (key->key_alg) {
+ }
+
if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
return dst__openssl_toresult3(dctx->category, "EVP_SignFinal",
ISC_R_FAILURE);
}
-
isc_buffer_add(sig, siglen);
return ISC_R_SUCCESS;
int status = 0;
EVP_MD_CTX *evp_md_ctx = NULL;
EVP_PKEY *pkey = NULL;
+ const unsigned char *base = sig->base;
+ unsigned int length = sig->length;
REQUIRE(dctx != NULL && dctx->key != NULL);
REQUIRE(opensslrsa_valid_key_alg(dctx->key->key_alg));
return DST_R_VERIFYFAILURE;
}
- status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+ /*
+ * Check identifying OID in front of public key material.
+ */
+ switch (key->key_alg) {
+ }
+
+ status = EVP_VerifyFinal(evp_md_ctx, base, length, pkey);
switch (status) {
case 1:
return ISC_R_SUCCESS;
isc_buffer_availableregion(data, &r);
+ /*
+ * Add identifying OID and DNS names to front of public key material.
+ */
+ switch (key->key_alg) {
+ }
+
ret = opensslrsa_components_get(key, &c, false);
if (ret != ISC_R_SUCCESS) {
goto err;
if (r.length == 0) {
DST_RET(ISC_R_SUCCESS);
}
+
+ /*
+ * Check identifying OID in front of public key material.
+ */
+ switch (key->key_alg) {
+ }
+
length = r.length;
if (r.length < 1) {
DST_RET(DST_R_INVALIDPUBLICKEY);
"\xf1";
static isc_result_t
-check_algorithm(unsigned char algorithm) {
+check_algorithm(unsigned short algorithm) {
rsa_components_t c = { .bnfree = true };
EVP_MD_CTX *evp_md_ctx = EVP_MD_CTX_create();
EVP_PKEY *pkey = NULL;
}
void
-dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
+dst__opensslrsa_init(dst_func_t **funcp, unsigned short algorithm) {
REQUIRE(funcp != NULL);
if (*funcp == NULL) {
#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
#define ID(x) dst_key_id(x)
#define ALG(x) dst_key_alg(x)
+#define DNSALG(x) dst_algorithm_tosecalg(dst_key_alg(x))
/*%
* KASP flags
isc_result_t ret;
bool have_ksk = false, have_zsk = false;
bool have_pksk = false, have_pzsk = false;
+ dst_algorithm_t algorithm;
+
+ algorithm = dst_algorithm_fromdata(
+ rrsig_ptr->algorithm, rrsig_ptr->signature, rrsig_ptr->siglen);
for (i = 0; i < nkeys; i++) {
bool ksk, zsk;
break;
}
- if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) {
+ if (algorithm != dst_key_alg(keys[i])) {
continue;
}
* if the associated public key is still in the DNSKEY RRset
*/
for (i = 0; i < nkeys; i++) {
- if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+ if ((algorithm == dst_key_alg(keys[i])) &&
(rrsig_ptr->keyid == dst_key_id(keys[i])))
{
return false;
DNS_RDATASET_FOREACH (&rdataset) {
dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_algorithm_t algorithm;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ algorithm = dst_algorithm_fromdata(
+ rrsig.algorithm, rrsig.signature, rrsig.siglen);
if (!dns_rdatatype_iskeymaterial(type)) {
bool warn = false, deleted = false;
char algbuf[DNS_NAME_FORMATSIZE];
dns_name_format(&zone->origin, origin,
sizeof(origin));
- dns_secalg_format(rrsig.algorithm,
- algbuf,
- sizeof(algbuf));
+ dst_algorithm_format(algorithm, algbuf,
+ sizeof(algbuf));
dns_zone_log(zone, ISC_LOG_WARNING,
"Key %s/%s/%d "
"missing or inactive "
*/
found = false;
for (i = 0; i < nkeys; i++) {
- if (rrsig.algorithm == dst_key_alg(keys[i]) &&
+ if (algorithm == dst_key_alg(keys[i]) &&
rrsig.keyid == dst_key_id(keys[i]))
{
found = true;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
INSIST(result == ISC_R_SUCCESS);
- if (rrsig.algorithm == dst_key_alg(key) &&
+ dst_algorithm_t algorithm;
+ algorithm = dst_algorithm_fromdata(
+ rrsig.algorithm, rrsig.signature, rrsig.siglen);
+ if (algorithm == dst_key_alg(key) &&
rrsig.keyid == dst_key_id(key))
{
dns_rdataset_disassociate(&rdataset);
return true;
}
- if (rrsig.algorithm == dst_key_alg(key)) {
+ if (algorithm == dst_key_alg(key)) {
count++;
}
}
/*
* Find the key we want to remove.
*/
- if (ALG(zone_keys[i]) == signing->algorithm &&
+ if (DNSALG(zone_keys[i]) ==
+ signing->algorithm &&
dst_key_id(zone_keys[i]) == signing->keyid)
{
dst_key_free(&zone_keys[i]);
* When adding look for the specific key.
*/
if (!signing->deleteit &&
- (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+ (DNSALG(zone_keys[i]) != signing->algorithm ||
dst_key_id(zone_keys[i]) != signing->keyid))
{
continue;
* with the algorithm that was being removed.
*/
if (signing->deleteit &&
- ALG(zone_keys[i]) != signing->algorithm)
+ DNSALG(zone_keys[i]) != signing->algorithm)
{
continue;
}
unsigned char key_buf[4096];
isc_buffer_t keyb;
bool answer = false;
+ dst_algorithm_t algorithm;
REQUIRE(kfetch != NULL && keydata != NULL);
REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
result = dns_rdata_tostruct(&sigrr, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dst_key_alg(dstkey) == sig.algorithm &&
+ algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature,
+ sig.siglen);
+ if (dst_key_alg(dstkey) == algorithm &&
dst_key_rid(dstkey) == sig.keyid)
{
result = dns_dnssec_verify(keyname, &kfetch->dnskeyset,
unsigned char cdsbuf[DNS_DS_BUFFERSIZE];
if (dst_key_id(k->key) != cds.key_tag ||
- dst_key_alg(k->key) != cds.algorithm)
+ dst_algorithm_tosecalg(dst_key_alg(k->key)) !=
+ cds.algorithm)
{
continue;
}
* are any signatures using that algorithm.
*/
static bool
-signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
+signed_with_alg(dns_rdataset_t *rdataset, dst_algorithm_t alg) {
+ dst_algorithm_t sigalg;
+
REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
return false;
dns_rdataset_current(rdataset, &rdata);
dns_rdata_tostruct(&rdata, &rrsig, NULL);
- if (rrsig.algorithm == alg) {
+ sigalg = dst_algorithm_fromdata(rrsig.algorithm,
+ rrsig.signature, rrsig.siglen);
+ if (sigalg == alg) {
return true;
}
}
if (dst_key_id(key->key) != ds.key_tag) {
continue;
}
- if (dst_key_alg(key->key) != ds.algorithm) {
+ if (dst_algorithm_tosecalg(dst_key_alg(key->key)) !=
+ ds.algorithm)
+ {
continue;
}
/* Derive DS from DNSKEY, see if the rdata is equal. */
dst_key_t **dstkeys, size_t nkeys, dns_rdataset_t *rdataset) {
dns_rdata_rrsig_t sig;
isc_result_t result;
+ dst_algorithm_t algorithm;
result = dns_rdata_tostruct(sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature,
+ sig.siglen);
+
for (size_t key = 0; key < nkeys; key++) {
- if (sig.algorithm != dst_key_alg(dstkeys[key]) ||
+ if (algorithm != dst_key_alg(dstkeys[key]) ||
sig.keyid != dst_key_id(dstkeys[key]) ||
!dns_name_equal(&sig.signer, vctx->origin))
{
DNS_RDATASET_FOREACH (&sigrdataset) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t sig;
+ dst_algorithm_t algorithm;
dns_rdataset_current(&sigrdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
namebuf, typebuf, sig.keyid);
continue;
}
- if ((set_algorithms[sig.algorithm] != 0) ||
- (vctx->act_algorithms[sig.algorithm] == 0))
+ algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature,
+ sig.siglen);
+ if ((set_algorithms[algorithm] != 0) ||
+ (vctx->act_algorithms[algorithm] == 0))
{
continue;
}
if (goodsig(vctx, &rdata, name, dstkeys, nkeys, rdataset)) {
dns_rdataset_settrust(rdataset, dns_trust_secure);
dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
- set_algorithms[sig.algorithm] = 1;
+ set_algorithms[algorithm] = 1;
}
}
result = ISC_R_SUCCESS;
if ((vctx->act_algorithms[i] != 0) &&
(set_algorithms[i] == 0))
{
- dns_secalg_format(i, algbuf, sizeof(algbuf));
+ dst_algorithm_format(i, algbuf, sizeof(algbuf));
zoneverify_log_error(vctx,
"No correct %s signature "
"for %s %s",
dst_key_t *key = NULL;
isc_result_t result;
dns_rdataset_t dsset;
+ dst_algorithm_t algorithm;
active_keys = (is_ksk ? vctx->ksk_algorithms : vctx->zsk_algorithms);
standby_keys = (is_ksk ? vctx->standby_ksk : vctx->standby_zsk);
goodkey = (is_ksk ? &vctx->goodksk : &vctx->goodzsk);
+ algorithm = dst_algorithm_fromdata(dnskey->algorithm, dnskey->data,
+ dnskey->datalen);
/*
* First, does this key sign the DNSKEY rrset?
dns_dnssec_signs(keyrdata, vctx->origin, &vctx->soaset,
&vctx->soasigs, false, vctx->mctx))
{
- if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
- active_keys[dnskey->algorithm]++;
+ if (active_keys[algorithm] != DNS_KEYALG_MAX) {
+ active_keys[algorithm]++;
}
} else {
- if (standby_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
- standby_keys[dnskey->algorithm]++;
+ if (standby_keys[algorithm] != DNS_KEYALG_MAX) {
+ standby_keys[algorithm]++;
}
}
return;
}
- if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
- active_keys[dnskey->algorithm]++;
+ if (active_keys[algorithm] != DNS_KEYALG_MAX) {
+ active_keys[algorithm]++;
}
/*
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (ds.key_tag != dst_key_id(key) ||
- ds.algorithm != dst_key_alg(key))
+ ds.algorithm !=
+ dst_algorithm_tosecalg(dst_key_alg(key)))
{
continue;
}
if ((dnskey.flags & DNS_KEYOWNER_ZONE) != 0 &&
(dnskey.flags & DNS_KEYFLAG_REVOKE) != 0)
{
+ dst_algorithm_t algorithm;
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
!dns_dnssec_selfsigns(&rdata, vctx->origin,
&vctx->keyset, &vctx->keysigs,
buffer);
return ISC_R_FAILURE;
}
+ algorithm = dst_algorithm_fromdata(
+ dnskey.algorithm, dnskey.data, dnskey.datalen);
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
- vctx->revoked_ksk[dnskey.algorithm] !=
- DNS_KEYALG_MAX)
+ vctx->revoked_ksk[algorithm] != DNS_KEYALG_MAX)
{
- vctx->revoked_ksk[dnskey.algorithm]++;
+ vctx->revoked_ksk[algorithm]++;
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
- vctx->revoked_zsk[dnskey.algorithm] !=
+ vctx->revoked_zsk[algorithm] !=
DNS_KEYALG_MAX)
{
- vctx->revoked_zsk[dnskey.algorithm]++;
+ vctx->revoked_zsk[algorithm]++;
}
} else {
check_dnskey_sigs(vctx, &dnskey, &rdata, is_ksk);
: 0;
}
if (vctx->act_algorithms[i] != 0) {
- dns_secalg_format(i, algbuf, sizeof(algbuf));
+ dst_algorithm_format(i, algbuf, sizeof(algbuf));
report("- %s", algbuf);
}
}
{
continue;
}
- dns_secalg_format(i, algbuf, sizeof(algbuf));
+ dst_algorithm_format(i, algbuf, sizeof(algbuf));
zoneverify_log_error(vctx, "Missing %s for algorithm %s",
(vctx->ksk_algorithms[i] != 0) ? "ZSK"
: "self-"
report("The zone is not fully signed "
"for the following algorithms:");
}
- dns_secalg_format(i, algbuf, sizeof(algbuf));
+ dst_algorithm_format(i, algbuf, sizeof(algbuf));
report(" %s", algbuf);
first = false;
}
{
continue;
}
- dns_secalg_format(i, algbuf, sizeof(algbuf));
+ dst_algorithm_format(i, algbuf, sizeof(algbuf));
report("Algorithm: %s: KSKs: "
"%u active, %u stand-by, %u revoked",
algbuf, vctx->ksk_algorithms[i], vctx->standby_ksk[i],
CFG_LIST_FOREACH (obj, element) {
isc_textregion_t r;
- dns_secalg_t alg;
+ dst_algorithm_t alg;
r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element)));
r.length = strlen(r.base);
- tresult = dns_secalg_fromtext(&alg, &r);
+ tresult = dst_algorithm_fromtext(&alg, &r);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), ISC_LOG_ERROR,
"invalid algorithm '%s'", r.base);
#include <dns/secalg.h>
#include <dns/ttl.h>
+#include <dst/dst.h>
+
#include <isccfg/cfg.h>
#include <isccfg/duration.h>
#include <isccfg/kaspconf.h>
INSIST(!offline_ksk);
key->role |= DNS_KASP_KEY_ROLE_KSK | DNS_KASP_KEY_ROLE_ZSK;
key->lifetime = 0; /* unlimited */
- key->algorithm = DNS_KEYALG_ECDSA256;
+ key->algorithm = DST_ALG_ECDSA256;
key->length = -1;
result = dns_keystorelist_find(keystorelist,
DNS_KEYSTORE_KEYDIRECTORY,
obj = cfg_tuple_get(config, "algorithm");
alg.base = cfg_obj_asstring(obj);
alg.length = strlen(alg.base);
- result = dns_secalg_fromtext(&key->algorithm,
- (isc_textregion_t *)&alg);
+ result = dst_algorithm_fromtext(&key->algorithm,
+ (isc_textregion_t *)&alg);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, ISC_LOG_ERROR,
"dnssec-policy: bad algorithm %s",
result = DNS_R_BADALG;
goto cleanup;
}
-
if (check_algorithms && isc_crypto_fips_mode() &&
- (key->algorithm == DNS_KEYALG_RSASHA1 ||
- key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
+ (key->algorithm == DST_ALG_RSASHA1 ||
+ key->algorithm == DST_ALG_NSEC3RSASHA1))
{
cfg_obj_log(obj, ISC_LOG_ERROR,
"dnssec-policy: algorithm %s not supported "
size = cfg_obj_asuint32(obj);
switch (key->algorithm) {
- case DNS_KEYALG_RSASHA1:
- case DNS_KEYALG_NSEC3RSASHA1:
- case DNS_KEYALG_RSASHA256:
- case DNS_KEYALG_RSASHA512:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
if (isc_crypto_fips_mode()) {
min = 2048;
} else {
- min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+ min = DST_ALG_RSASHA512 ? 1024 : 512;
}
if (size < min || size > 4096) {
cfg_obj_log(obj, ISC_LOG_ERROR,
goto cleanup;
}
break;
- case DNS_KEYALG_ECDSA256:
- case DNS_KEYALG_ECDSA384:
- case DNS_KEYALG_ED25519:
- case DNS_KEYALG_ED448:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
cfg_obj_log(obj, ISC_LOG_WARNING,
"dnssec-policy: key algorithm %s "
"has predefined length; ignoring "
}
/* NSEC3 cannot be used with certain key algorithms. */
- if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA ||
- keyalg == DNS_KEYALG_RSASHA1)
+ if (keyalg == DST_ALG_RSAMD5 || keyalg == DST_ALG_DSA ||
+ keyalg == DST_ALG_RSASHA1)
{
badalg = keyalg;
}
bool secure = false;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
+ dst_algorithm_t sigalg, keyalg;
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL);
result = dns_rdataset_next(keyrdataset);
}
+ sigalg = dst_algorithm_fromdata(rrsig->algorithm, rrsig->signature,
+ rrsig->siglen);
+
for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(keyrdataset, &rdata);
dns_rdata_tostruct(&rdata, &key, NULL); /* can't fail */
+ keyalg = dst_algorithm_fromdata(key.algorithm, key.data,
+ key.datalen);
- if (rrsig->algorithm != key.algorithm ||
- !dns_dnssec_iszonekey(&key))
- {
+ if (sigalg != keyalg || !dns_dnssec_iszonekey(&key)) {
continue;
}
{
char txt[DNS_NAME_FORMATSIZE + 32];
isc_buffer_t buffer;
+ dst_algorithm_t alg;
+ alg = dst_algorithm_fromdata(
+ rrsig.algorithm, rrsig.signature, rrsig.siglen);
isc_buffer_init(&buffer, txt, sizeof(txt));
- dns_secalg_totext(rrsig.algorithm, &buffer);
+ dst_algorithm_totext(alg, &buffer);
isc_buffer_putstr(&buffer, " ");
dns_name_totext(name, DNS_NAME_OMITFINALDOT, &buffer);
isc_buffer_putstr(&buffer, " (cached)");
projects / thirdparty / bind9.git / commitdiff
