* warning, but do not prevent further keys from being processed.
*/
if (!dns_resolver_algorithm_supported(view->resolver, keyname,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
{
cfg_obj_log(key, ISC_LOG_WARNING,
"ignoring %s for '%s': algorithm is disabled",
bool
dns_resolver_algorithm_supported(dns_resolver_t *resolver,
- const dns_name_t *name, unsigned int alg);
+ const dns_name_t *name, unsigned int alg,
+ unsigned char *private, size_t len);
/*%<
* Check if the given algorithm is supported by this resolver.
* This checks whether the algorithm has been disabled via
* dns_resolver_disable_algorithm(), then checks the underlying
* crypto libraries if it was not specifically disabled.
+ *
+ * The algorithm is specified with the value 'alg' or, if
+ * 'alg' is PRIVATEOID or PRIVATEDNS, then the algorithm is
+ * encoded as a DNS name or OID in the first 'len' bytes of
+ * 'private'.
*/
bool
bool
dns_resolver_algorithm_supported(dns_resolver_t *resolver,
- const dns_name_t *name, unsigned int alg) {
+ const dns_name_t *name, unsigned int alg,
+ unsigned char *private, size_t len) {
REQUIRE(VALID_RESOLVER(resolver));
if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
return false;
}
+ /*
+ * Look up the DST algorithm identifier for private-OID
+ * and private-DNS keys.
+ */
+ if (alg == DST_ALG_PRIVATEDNS && private != NULL) {
+ isc_buffer_t b;
+ isc_buffer_init(&b, private, len);
+ isc_buffer_add(&b, len);
+ alg = dst_algorithm_fromprivatedns(&b);
+ if (alg == 0) {
+ return false;
+ }
+ }
+
+ if (alg == DST_ALG_PRIVATEOID && private != NULL) {
+ isc_buffer_t b;
+ isc_buffer_init(&b, private, len);
+ isc_buffer_add(&b, len);
+ alg = dst_algorithm_fromprivateoid(&b);
+ if (alg == 0) {
+ return false;
+ }
+ }
if (dns_nametree_covered(resolver->algorithms, name, NULL, alg)) {
return false;
}
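Review bot: When `alg` is DST_ALG_PRIVATEDNS or DST_ALG_PRIVATEOID but `private` is NULL, both added blocks are skipped and the raw 253/254 value reaches `dns_nametree_covered(resolver->algorithms, name, NULL, alg)` on the following line, so an algorithm disabled via dns_resolver_disable_algorithm() is presumably not matched for the real private algorithm; every DS-based caller in this change (the `ds.algorithm, NULL, 0` calls) takes that path, so either record that as intended with a comment such as `/* No identifier available (DS callers pass NULL): the raw PRIVATE* code is checked as-is. */` before the nametree check, or reject the combination if a private algorithm must never be judged without its identifier. The two blocks also differ only in the decoder called, and `len` is a size_t handed to isc_buffer_init()/isc_buffer_add(), which silently narrows if those take an unsigned int length as ISC buffers elsewhere do; a small static helper taking the decoder as a parameter would remove the duplication and give one place to range-check `len`. The rest of dns_resolver_algorithm_supported(), including the crypto-library check the header comment describes, continues outside the hunk.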
* At this point we could check that the signature algorithm
* was known and "sufficiently good".
*/
- if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
- val->siginfo->algorithm))
+ if (!dns_resolver_algorithm_supported(
+ val->view->resolver, val->name, val->siginfo->algorithm,
+ val->siginfo->signature, val->siginfo->siglen))
{
if (val->unsupported_algorithm == 0) {
val->unsupported_algorithm = val->siginfo->algorithm;
}
if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
{
if (val->unsupported_algorithm == 0) {
val->unsupported_algorithm = ds.algorithm;
}
if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->name, ds.algorithm))
+ val->name, ds.algorithm,
+ NULL, 0))
{
continue;
}
if (dns_resolver_ds_digest_supported(val->view->resolver, name,
ds.digest_type) &&
dns_resolver_algorithm_supported(val->view->resolver, name,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
{
return true;
}
dns_rdataset_current(sigrdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_algorithm_supported(client->view->resolver,
- name, rrsig.algorithm))
+ if (!dns_resolver_algorithm_supported(
+ client->view->resolver, name, rrsig.algorithm,
+ rrsig.signature, rrsig.siglen))
{
char txt[DNS_NAME_FORMATSIZE + 32];
isc_buffer_t buffer;