*len = d->rr_len[idx];
}
-/**
- * Get DNSKEY RR signature algorithm
- * @param k: DNSKEY rrset.
- * @param idx: which DNSKEY RR.
- * @return algorithm or 0 if DNSKEY too short.
- */
-static int
+int
dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
{
uint8_t* rdata;
return (int)rdata[2+3];
}
+int
+ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx)
+{
+ uint8_t* rdata;
+ size_t len;
+ rrset_get_rdata(k, idx, &rdata, &len);
+ if(len < 2+3)
+ return 0;
+ return (int)rdata[2+2];
+}
+
/**
* Get DS RR digest algorithm
* @param k: DS rrset.
return (int)rdata[2+3];
}
+uint16_t
+ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
+{
+ uint16_t t;
+ uint8_t* rdata;
+ size_t len;
+ rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len);
+ if(len < 2+2)
+ return 0;
+ memmove(&t, rdata+2, 2);
+ return t;
+}
+
/**
* Return pointer to the digest in a DS RR.
* @param k: DS rrset.
}
int
-ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
+ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
+ size_t ds_idx)
{
return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
}
+/** return true if DNSKEY algorithm id is supported */
+static int
+dnskey_algo_id_is_supported(int id)
+{
+ switch(id) {
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+ case LDNS_RSAMD5:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+int
+ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
+ size_t ds_idx)
+{
+ return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx));
+}
+
uint16_t
dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
{
int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
size_t dnskey_idx)
{
- switch(dnskey_get_algo(dnskey_rrset, dnskey_idx)) {
- case LDNS_DSA:
- case LDNS_DSA_NSEC3:
- case LDNS_RSASHA1:
- case LDNS_RSASHA1_NSEC3:
- case LDNS_RSAMD5:
- return 1;
- default:
- return 0;
- }
+ return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset,
+ dnskey_idx));
}
+
uint16_t dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset,
size_t dnskey_idx);
+/**
+ * Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
+ * @param ds_rrset: DS rrset
+ * @param ds_idx: index of RR in DS rrset.
+ * @return the keytag or 0 for badly formatted DSs.
+ */
+uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
+
/**
* See if DNSKEY algorithm is supported
* @param dnskey_rrset: DNSKEY rrset.
size_t dnskey_idx);
/**
- * See if DS algorithm is supported
+ * See if DS digest algorithm is supported
+ * @param ds_rrset: DS rrset
+ * @param ds_idx: index of RR in DS rrset.
+ * @return true if supported.
+ */
+int ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
+ size_t ds_idx);
+
+/**
+ * See if DS key algorithm is supported
* @param ds_rrset: DS rrset
* @param ds_idx: index of RR in DS rrset.
* @return true if supported.
*/
-int ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
+int ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
+ size_t ds_idx);
+
+/**
+ * Get DS RR key algorithm. This value should match with the DNSKEY algo.
+ * @param k: DS rrset.
+ * @param idx: which DS.
+ * @return algorithm or 0 if DS too short.
+ */
+int ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx);
+
+/**
+ * Get DNSKEY RR signature algorithm
+ * @param k: DNSKEY rrset.
+ * @param idx: which DNSKEY RR.
+ * @return algorithm or 0 if DNSKEY too short.
+ */
+int dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx);
/** verify rrset against dnskey rrset. */
#include "config.h"
#include "validator/val_utils.h"
#include "validator/val_kentry.h"
+#include "validator/val_sigcrypt.h"
#include "util/data/msgreply.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
num = rrset_get_count(dnskey_rrset);
for(i=0; i<num; i++) {
/* Skip DNSKEYs that don't match the basic criteria. */
- /* if (ds.getFootprint() != dnskey.getFootprint()
- * || ds.getAlgorithm() != dnskey.getAlgorithm())
- * {
- * continue;
- * }
- */
+ if(ds_get_key_algo(ds_rrset, ds_idx)
+ != dnskey_get_algo(dnskey_rrset, i)
+ || dnskey_calc_keytag(dnskey_rrset, i)
+ != ds_get_keytag(ds_rrset, ds_idx)) {
+ continue;
+ }
/* Convert the candidate DNSKEY into a hash using the
* same DS hash algorithm. */
- /* byte[] key_hash = calculateDSHash(dnskey, ds.getDigestID());
- * byte[] ds_hash = ds.getDigest() */
-
- /* if length or contents of the hash mismatch; continue */
+ if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
+ ds_idx)) {
+ continue;
+ }
/* Otherwise, we have a match! Make sure that the DNSKEY
* verifies *with this key* */
num = rrset_get_count(ds_rrset);
for(i=0; i<num; i++) {
-
/* Check to see if we can understand this DS. */
- /* if (!supportsDigestID(ds.getDigestID())
- * || !mVerifier.supportsAlgorithm(ds.getAlgorithm()))
- * {
- * continue;
- * }
- */
+ if(!ds_digest_algo_is_supported(ds_rrset, i) ||
+ !ds_key_algo_is_supported(ds_rrset, i)) {
+ continue;
+ }
/* Once we see a single DS with a known digestID and
* algorithm, we cannot return INSECURE (with a
projects / thirdparty / unbound.git / commitdiff
