From: Mark Andrews Date: Mon, 31 Mar 2025 13:12:52 +0000 (+1100) Subject: Use DST algorithm values instead of dns_secalg where needed X-Git-Tag: v9.21.10~47^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71801ab123412b1de4c93f105eb3dd1998054b7b;p=thirdparty%2Fbind9.git Use DST algorithm values instead of dns_secalg where needed DST algorithm and DNSSEC algorithm values are not necessarily the same anymore: if the DNSSEC algorithm value is PRIVATEOID or PRIVATEDNS, then the DST algorithm will be mapped to something else. The conversion is now done correctly where necessary. --- diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 6d572040340..49ddb8ad7a6 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -113,7 +113,7 @@ main(int argc, char **argv) { dns_fixedname_t fname; dns_name_t *name; uint16_t flags = 0, kskflag = 0, revflag = 0; - dns_secalg_t alg; + dst_algorithm_t alg; bool oldstyle = false; isc_mem_t *mctx = NULL; int ch; @@ -382,7 +382,7 @@ main(int argc, char **argv) { r.base = algname; r.length = strlen(algname); - ret = dns_secalg_fromtext(&alg, &r); + ret = dst_algorithm_fromtext(&alg, &r); if (ret != ISC_R_SUCCESS) { fatal("unknown algorithm %s", algname); } diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 12bbbe0d852..500b11fd033 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -89,7 +89,7 @@ struct keygen_ctx { bool wantzsk; bool wantksk; bool wantrev; - dns_secalg_t alg; + dst_algorithm_t alg; /* timing data */ int prepub; isc_stdtime_t now; @@ -245,7 +245,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { UNUSED(argc); - dns_secalg_format(ctx->alg, algstr, sizeof(algstr)); + dst_algorithm_format(ctx->alg, algstr, sizeof(algstr)); if (ctx->predecessor == NULL) { if (ctx->prepub == -1) { @@ -454,14 +454,14 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } switch (ctx->alg) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: if (isc_crypto_fips_mode()) { fatal("SHA1 based keys not supported in FIPS mode"); } FALLTHROUGH; - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: if (ctx->size != 0 && (ctx->size < min_rsa || ctx->size > MAX_RSA)) { @@ -480,6 +480,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { case DST_ALG_ED448: ctx->size = 456; break; + default: + fatal("not a dnskey algorithm %u\n", ctx->alg); } if ((ctx->options & DST_TYPE_KEY) == 0) { @@ -502,10 +504,10 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } switch (ctx->alg) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: show_progress = true; break; @@ -515,6 +517,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { case DST_ALG_ED448: show_progress = true; break; + default: + break; } if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY && @@ -1072,7 +1076,7 @@ main(int argc, char **argv) { } r.base = algname; r.length = strlen(algname); - ret = dns_secalg_fromtext(&ctx.alg, &r); + ret = dst_algorithm_fromtext(&ctx.alg, &r); if (ret != ISC_R_SUCCESS) { fatal("unknown algorithm %s", algname); } diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 189f8994fab..b4a4e5736ab 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -64,7 +64,7 @@ struct ksr_ctx { /* keygen */ bool ksk; dns_ttl_t ttl; - dns_secalg_t alg; + dst_algorithm_t alg; int size; time_t lifetime; time_t parentpropagation; @@ -341,7 +341,7 @@ create_key(ksr_ctx_t *ksr, dns_kasp_t *kasp, dns_kasp_key_t *kaspkey, } /* Check algorithm and size. */ - dns_secalg_format(ksr->alg, algstr, sizeof(algstr)); + dst_algorithm_format(ksr->alg, algstr, sizeof(algstr)); if (!dst_algorithm_supported(ksr->alg)) { fatal("unsupported algorithm: %s", algstr); } diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 68a6cc5c2c6..e2a01429e01 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -348,9 +348,12 @@ iszsk(dns_dnsseckey_t *key) { */ static dns_dnsseckey_t * keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) { + dst_algorithm_t algorithm = dst_algorithm_fromdata( + rrsig->algorithm, rrsig->signature, rrsig->siglen); + ISC_LIST_FOREACH (keylist, key, link) { if (rrsig->keyid == dst_key_id(key->key) && - rrsig->algorithm == dst_key_alg(key->key) && + algorithm == dst_key_alg(key->key) && dns_name_equal(&rrsig->signer, dst_key_name(key->key))) { return key; diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 91a6c47554b..88c398400bd 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -120,9 +120,11 @@ void sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) { char namestr[DNS_NAME_FORMATSIZE]; char algstr[DNS_NAME_FORMATSIZE]; + dst_algorithm_t algorithm = dst_algorithm_fromdata( + sig->algorithm, sig->signature, sig->siglen); dns_name_format(&sig->signer, namestr, sizeof(namestr)); - dns_secalg_format(sig->algorithm, algstr, sizeof(algstr)); + dst_algorithm_format(algorithm, algstr, sizeof(algstr)); snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid); } diff --git a/bin/named/main.c b/bin/named/main.c index fb8062588dc..903598e707a 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -424,7 +424,7 @@ list_dnssec_algorithms(isc_buffer_t *b) { } if (dst_algorithm_supported(i)) { isc_buffer_putstr(b, " "); - (void)dns_secalg_totext(i, b); + dst_algorithm_totext(i, b); } } } diff --git a/bin/named/server.c b/bin/named/server.c index b39bf1b1072..397a89df898 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1597,17 +1597,11 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { algorithms = cfg_tuple_get(disabled, "algorithms"); CFG_LIST_FOREACH (algorithms, element) { isc_textregion_t r; - dns_secalg_t alg; + dst_algorithm_t alg; r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element))); r.length = strlen(r.base); - - result = dns_secalg_fromtext(&alg, &r); - if (result != ISC_R_SUCCESS) { - uint8_t ui; - result = isc_parse_uint8(&ui, r.base, 10); - alg = ui; - } + result = dst_algorithm_fromtext(&alg, &r); if (result != ISC_R_SUCCESS) { cfg_obj_log(cfg_listelt_value(element), ISC_LOG_ERROR, "invalid algorithm"); @@ -14363,7 +14357,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, /* variables for -key */ bool use_keyid = false; dns_keytag_t keyid = 0; - uint8_t algorithm = 0; + dst_algorithm_t algorithm = 0; /* variables for -status */ bool status = false; char output[4096]; @@ -14419,7 +14413,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, } alg.base = ptr; alg.length = strlen(alg.base); - result = dns_secalg_fromtext( + result = dst_algorithm_fromtext( &algorithm, (isc_textregion_t *)&alg); if (result != ISC_R_SUCCESS) { msg = "Bad algorithm"; diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 3632f861781..6e73674d2b5 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -224,7 +224,7 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer); sig.covered = set->type; - sig.algorithm = dst_key_alg(key); + sig.algorithm = dst_algorithm_tosecalg(dst_key_alg(key)); sig.labels = dns_name_countlabels(name) - 1; if (dns_name_iswildcard(name)) { sig.labels--; @@ -762,7 +762,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { ISC_LINK_INIT(&sig.common, link); sig.covered = 0; - sig.algorithm = dst_key_alg(key); + sig.algorithm = dst_algorithm_tosecalg(dst_key_alg(key)); sig.labels = 0; /* the root name */ sig.originalttl = 0; @@ -1469,7 +1469,7 @@ mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) { dns_rdataset_clone(rrsigs, &sigs); ISC_LIST_FOREACH (*keylist, key, link) { uint16_t keyid, sigid; - dns_secalg_t keyalg, sigalg; + dst_algorithm_t keyalg, sigalg; keyid = dst_key_id(key->key); keyalg = dst_key_alg(key->key); @@ -1480,7 +1480,8 @@ mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) { dns_rdataset_current(&sigs, &rdata); result = dns_rdata_tostruct(&rdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - sigalg = sig.algorithm; + sigalg = dst_algorithm_fromdata( + sig.algorithm, sig.signature, sig.siglen); sigid = sig.keyid; if (keyid == sigid && keyalg == sigalg) { key->is_active = true; @@ -1544,14 +1545,23 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp, dns_rdataset_clone(keyset, &keys); DNS_RDATASET_FOREACH (&keys) { dns_rdata_t rdata = DNS_RDATA_INIT; + dst_algorithm_t algorithm; + dns_rdata_dnskey_t keystruct; + dns_rdataset_current(&keys, &rdata); REQUIRE(rdata.type == dns_rdatatype_key || rdata.type == dns_rdatatype_dnskey); REQUIRE(rdata.length > 3); + result = dns_rdata_tostruct(&rdata, &keystruct, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + algorithm = dst_algorithm_fromdata( + keystruct.algorithm, keystruct.data, keystruct.datalen); + /* Skip unsupported algorithms */ - if (!dst_algorithm_supported(rdata.data[3])) { + if (!dst_algorithm_supported(algorithm)) { goto skip; } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 4e0e3741d0b..19fd35d0ae7 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -645,7 +645,8 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) { } isc_buffer_putuint16(target, (uint16_t)(key->key_flags & 0xffff)); isc_buffer_putuint8(target, (uint8_t)key->key_proto); - isc_buffer_putuint8(target, (uint8_t)key->key_alg); + isc_buffer_putuint8(target, + (uint8_t)dst_algorithm_tosecalg(key->key_alg)); if ((key->key_flags & DNS_KEYFLAG_EXTENDED) != 0) { if (isc_buffer_availablelength(target) < 2) { @@ -1357,10 +1358,10 @@ void dst_key_format(const dst_key_t *key, char *cp, unsigned int size) { char namestr[DNS_NAME_FORMATSIZE]; char algstr[DNS_NAME_FORMATSIZE]; + dst_algorithm_t algorithm = dst_key_alg(key); dns_name_format(dst_key_name(key), namestr, sizeof(namestr)); - dns_secalg_format((dns_secalg_t)dst_key_alg(key), algstr, - sizeof(algstr)); + dst_algorithm_format(algorithm, algstr, sizeof(algstr)); snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key)); } diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 049d6349870..21dc8cb06a8 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -193,7 +193,7 @@ dst__hmacsha384_init(struct dst_func **funcp); void dst__hmacsha512_init(struct dst_func **funcp); void -dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); +dst__opensslrsa_init(struct dst_func **funcp, unsigned short algorithm); void dst__opensslecdsa_init(struct dst_func **funcp); void diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 609edbe949e..e2b0ea94dfc 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -52,7 +52,7 @@ struct dns_kasp_key { /* Configuration */ dns_keystore_t *keystore; uint32_t lifetime; - uint8_t algorithm; + dst_algorithm_t algorithm; int length; uint8_t role; uint16_t tag_min; diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 3cd44ea74cc..f0b61fd499c 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -426,11 +426,11 @@ dns_kasp_key_size(dns_kasp_key_t *key) { REQUIRE(key != NULL); switch (key->algorithm) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: - min = (key->algorithm == DNS_KEYALG_RSASHA512) ? 1024 : 512; + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: + min = (key->algorithm == DST_ALG_RSASHA512) ? 1024 : 512; if (key->length > -1) { size = (unsigned int)key->length; if (size < min) { @@ -443,16 +443,16 @@ dns_kasp_key_size(dns_kasp_key_t *key) { size = 2048; } break; - case DNS_KEYALG_ECDSA256: + case DST_ALG_ECDSA256: size = 256; break; - case DNS_KEYALG_ECDSA384: + case DST_ALG_ECDSA384: size = 384; break; - case DNS_KEYALG_ED25519: + case DST_ALG_ED25519: size = 256; break; - case DNS_KEYALG_ED448: + case DST_ALG_ED448: size = 456; break; default: diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index cc945a20ea4..bfeb7bba768 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -264,6 +264,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { unsigned int siglen = 0; EVP_MD_CTX *evp_md_ctx = NULL; EVP_PKEY *pkey = NULL; + unsigned int len = 0; REQUIRE(dctx != NULL && dctx->key != NULL); REQUIRE(opensslrsa_valid_key_alg(dctx->key->key_alg)); @@ -272,17 +273,28 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { evp_md_ctx = dctx->ctxdata.evp_md_ctx; pkey = key->keydata.pkeypair.priv; + /* + * Account to the space the OIDs and DNS names consume. + */ + switch (key->key_alg) { + } + isc_buffer_availableregion(sig, &r); - if (r.length < (unsigned int)EVP_PKEY_size(pkey)) { + if (r.length < (unsigned int)EVP_PKEY_size(pkey) + len) { return ISC_R_NOSPACE; } + /* + * Add OID and DNS names to start of signature. + */ + switch (key->key_alg) { + } + if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) { return dst__openssl_toresult3(dctx->category, "EVP_SignFinal", ISC_R_FAILURE); } - isc_buffer_add(sig, siglen); return ISC_R_SUCCESS; @@ -317,6 +329,8 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { int status = 0; EVP_MD_CTX *evp_md_ctx = NULL; EVP_PKEY *pkey = NULL; + const unsigned char *base = sig->base; + unsigned int length = sig->length; REQUIRE(dctx != NULL && dctx->key != NULL); REQUIRE(opensslrsa_valid_key_alg(dctx->key->key_alg)); @@ -330,7 +344,13 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { return DST_R_VERIFYFAILURE; } - status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); + /* + * Check identifying OID in front of public key material. + */ + switch (key->key_alg) { + } + + status = EVP_VerifyFinal(evp_md_ctx, base, length, pkey); switch (status) { case 1: return ISC_R_SUCCESS; @@ -740,6 +760,12 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_availableregion(data, &r); + /* + * Add identifying OID and DNS names to front of public key material. + */ + switch (key->key_alg) { + } + ret = opensslrsa_components_get(key, &c, false); if (ret != ISC_R_SUCCESS) { goto err; @@ -794,6 +820,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { if (r.length == 0) { DST_RET(ISC_R_SUCCESS); } + + /* + * Check identifying OID in front of public key material. + */ + switch (key->key_alg) { + } + length = r.length; if (r.length < 1) { DST_RET(DST_R_INVALIDPUBLICKEY); @@ -1214,7 +1247,7 @@ static const unsigned char sha512_sig[] = "\xf1"; static isc_result_t -check_algorithm(unsigned char algorithm) { +check_algorithm(unsigned short algorithm) { rsa_components_t c = { .bnfree = true }; EVP_MD_CTX *evp_md_ctx = EVP_MD_CTX_create(); EVP_PKEY *pkey = NULL; @@ -1272,7 +1305,7 @@ err: } void -dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { +dst__opensslrsa_init(dst_func_t **funcp, unsigned short algorithm) { REQUIRE(funcp != NULL); if (*funcp == NULL) { diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ef14c483d83..d3e62bbb0cb 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -139,6 +139,7 @@ #define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) #define ID(x) dst_key_id(x) #define ALG(x) dst_key_alg(x) +#define DNSALG(x) dst_algorithm_tosecalg(dst_key_alg(x)) /*% * KASP flags @@ -6806,6 +6807,10 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, isc_result_t ret; bool have_ksk = false, have_zsk = false; bool have_pksk = false, have_pzsk = false; + dst_algorithm_t algorithm; + + algorithm = dst_algorithm_fromdata( + rrsig_ptr->algorithm, rrsig_ptr->signature, rrsig_ptr->siglen); for (i = 0; i < nkeys; i++) { bool ksk, zsk; @@ -6814,7 +6819,7 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, break; } - if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) { + if (algorithm != dst_key_alg(keys[i])) { continue; } @@ -6873,7 +6878,7 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, * if the associated public key is still in the DNSKEY RRset */ for (i = 0; i < nkeys; i++) { - if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) && + if ((algorithm == dst_key_alg(keys[i])) && (rrsig_ptr->keyid == dst_key_id(keys[i]))) { return false; @@ -6936,10 +6941,13 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, DNS_RDATASET_FOREACH (&rdataset) { dns_rdata_t rdata = DNS_RDATA_INIT; + dst_algorithm_t algorithm; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &rrsig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); + algorithm = dst_algorithm_fromdata( + rrsig.algorithm, rrsig.signature, rrsig.siglen); if (!dns_rdatatype_iskeymaterial(type)) { bool warn = false, deleted = false; @@ -6983,9 +6991,8 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, char algbuf[DNS_NAME_FORMATSIZE]; dns_name_format(&zone->origin, origin, sizeof(origin)); - dns_secalg_format(rrsig.algorithm, - algbuf, - sizeof(algbuf)); + dst_algorithm_format(algorithm, algbuf, + sizeof(algbuf)); dns_zone_log(zone, ISC_LOG_WARNING, "Key %s/%s/%d " "missing or inactive " @@ -7005,7 +7012,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, */ found = false; for (i = 0; i < nkeys; i++) { - if (rrsig.algorithm == dst_key_alg(keys[i]) && + if (algorithm == dst_key_alg(keys[i]) && rrsig.keyid == dst_key_id(keys[i])) { found = true; @@ -7618,13 +7625,16 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &rrsig, NULL); INSIST(result == ISC_R_SUCCESS); - if (rrsig.algorithm == dst_key_alg(key) && + dst_algorithm_t algorithm; + algorithm = dst_algorithm_fromdata( + rrsig.algorithm, rrsig.signature, rrsig.siglen); + if (algorithm == dst_key_alg(key) && rrsig.keyid == dst_key_id(key)) { dns_rdataset_disassociate(&rdataset); return true; } - if (rrsig.algorithm == dst_key_alg(key)) { + if (algorithm == dst_key_alg(key)) { count++; } } @@ -9677,7 +9687,8 @@ zone_sign(dns_zone_t *zone) { /* * Find the key we want to remove. */ - if (ALG(zone_keys[i]) == signing->algorithm && + if (DNSALG(zone_keys[i]) == + signing->algorithm && dst_key_id(zone_keys[i]) == signing->keyid) { dst_key_free(&zone_keys[i]); @@ -9752,7 +9763,7 @@ zone_sign(dns_zone_t *zone) { * When adding look for the specific key. */ if (!signing->deleteit && - (dst_key_alg(zone_keys[i]) != signing->algorithm || + (DNSALG(zone_keys[i]) != signing->algorithm || dst_key_id(zone_keys[i]) != signing->keyid)) { continue; @@ -9763,7 +9774,7 @@ zone_sign(dns_zone_t *zone) { * with the algorithm that was being removed. */ if (signing->deleteit && - ALG(zone_keys[i]) != signing->algorithm) + DNSALG(zone_keys[i]) != signing->algorithm) { continue; } @@ -10288,6 +10299,7 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { unsigned char key_buf[4096]; isc_buffer_t keyb; bool answer = false; + dst_algorithm_t algorithm; REQUIRE(kfetch != NULL && keydata != NULL); REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset)); @@ -10315,7 +10327,9 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { result = dns_rdata_tostruct(&sigrr, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (dst_key_alg(dstkey) == sig.algorithm && + algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature, + sig.siglen); + if (dst_key_alg(dstkey) == algorithm && dst_key_rid(dstkey) == sig.keyid) { result = dns_dnssec_verify(keyname, &kfetch->dnskeyset, @@ -16440,7 +16454,8 @@ cds_inuse(dns_zone_t *zone, dns_rdata_t *rdata, dns_dnsseckeylist_t *keylist, unsigned char cdsbuf[DNS_DS_BUFFERSIZE]; if (dst_key_id(k->key) != cds.key_tag || - dst_key_alg(k->key) != cds.algorithm) + dst_algorithm_tosecalg(dst_key_alg(k->key)) != + cds.algorithm) { continue; } @@ -20609,7 +20624,9 @@ failure: * are any signatures using that algorithm. */ static bool -signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) { +signed_with_alg(dns_rdataset_t *rdataset, dst_algorithm_t alg) { + dst_algorithm_t sigalg; + REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig); if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) { return false; @@ -20621,7 +20638,9 @@ signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) { dns_rdataset_current(rdataset, &rdata); dns_rdata_tostruct(&rdata, &rrsig, NULL); - if (rrsig.algorithm == alg) { + sigalg = dst_algorithm_fromdata(rrsig.algorithm, + rrsig.signature, rrsig.siglen); + if (sigalg == alg) { return true; } } @@ -20967,7 +20986,9 @@ checkds_done(void *arg) { if (dst_key_id(key->key) != ds.key_tag) { continue; } - if (dst_key_alg(key->key) != ds.algorithm) { + if (dst_algorithm_tosecalg(dst_key_alg(key->key)) != + ds.algorithm) + { continue; } /* Derive DS from DNSKEY, see if the rdata is equal. */ diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index fdd46f3bbe7..d6cce894ebb 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -173,12 +173,16 @@ goodsig(const vctx_t *vctx, dns_rdata_t *sigrdata, const dns_name_t *name, dst_key_t **dstkeys, size_t nkeys, dns_rdataset_t *rdataset) { dns_rdata_rrsig_t sig; isc_result_t result; + dst_algorithm_t algorithm; result = dns_rdata_tostruct(sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); + algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature, + sig.siglen); + for (size_t key = 0; key < nkeys; key++) { - if (sig.algorithm != dst_key_alg(dstkeys[key]) || + if (algorithm != dst_key_alg(dstkeys[key]) || sig.keyid != dst_key_id(dstkeys[key]) || !dns_name_equal(&sig.signer, vctx->origin)) { @@ -835,6 +839,7 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name, DNS_RDATASET_FOREACH (&sigrdataset) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_rrsig_t sig; + dst_algorithm_t algorithm; dns_rdataset_current(&sigrdataset, &rdata); result = dns_rdata_tostruct(&rdata, &sig, NULL); @@ -849,15 +854,17 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name, namebuf, typebuf, sig.keyid); continue; } - if ((set_algorithms[sig.algorithm] != 0) || - (vctx->act_algorithms[sig.algorithm] == 0)) + algorithm = dst_algorithm_fromdata(sig.algorithm, sig.signature, + sig.siglen); + if ((set_algorithms[algorithm] != 0) || + (vctx->act_algorithms[algorithm] == 0)) { continue; } if (goodsig(vctx, &rdata, name, dstkeys, nkeys, rdataset)) { dns_rdataset_settrust(rdataset, dns_trust_secure); dns_rdataset_settrust(&sigrdataset, dns_trust_secure); - set_algorithms[sig.algorithm] = 1; + set_algorithms[algorithm] = 1; } } result = ISC_R_SUCCESS; @@ -871,7 +878,7 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name, if ((vctx->act_algorithms[i] != 0) && (set_algorithms[i] == 0)) { - dns_secalg_format(i, algbuf, sizeof(algbuf)); + dst_algorithm_format(i, algbuf, sizeof(algbuf)); zoneverify_log_error(vctx, "No correct %s signature " "for %s %s", @@ -1425,10 +1432,13 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, dst_key_t *key = NULL; isc_result_t result; dns_rdataset_t dsset; + dst_algorithm_t algorithm; active_keys = (is_ksk ? vctx->ksk_algorithms : vctx->zsk_algorithms); standby_keys = (is_ksk ? vctx->standby_ksk : vctx->standby_zsk); goodkey = (is_ksk ? &vctx->goodksk : &vctx->goodzsk); + algorithm = dst_algorithm_fromdata(dnskey->algorithm, dnskey->data, + dnskey->datalen); /* * First, does this key sign the DNSKEY rrset? @@ -1440,19 +1450,19 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, dns_dnssec_signs(keyrdata, vctx->origin, &vctx->soaset, &vctx->soasigs, false, vctx->mctx)) { - if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) { - active_keys[dnskey->algorithm]++; + if (active_keys[algorithm] != DNS_KEYALG_MAX) { + active_keys[algorithm]++; } } else { - if (standby_keys[dnskey->algorithm] != DNS_KEYALG_MAX) { - standby_keys[dnskey->algorithm]++; + if (standby_keys[algorithm] != DNS_KEYALG_MAX) { + standby_keys[algorithm]++; } } return; } - if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) { - active_keys[dnskey->algorithm]++; + if (active_keys[algorithm] != DNS_KEYALG_MAX) { + active_keys[algorithm]++; } /* @@ -1503,7 +1513,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.key_tag != dst_key_id(key) || - ds.algorithm != dst_key_alg(key)) + ds.algorithm != + dst_algorithm_tosecalg(dst_key_alg(key))) { continue; } @@ -1558,6 +1569,7 @@ check_dnskey(vctx_t *vctx) { if ((dnskey.flags & DNS_KEYOWNER_ZONE) != 0 && (dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { + dst_algorithm_t algorithm; if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 && !dns_dnssec_selfsigns(&rdata, vctx->origin, &vctx->keyset, &vctx->keysigs, @@ -1586,16 +1598,17 @@ check_dnskey(vctx_t *vctx) { buffer); return ISC_R_FAILURE; } + algorithm = dst_algorithm_fromdata( + dnskey.algorithm, dnskey.data, dnskey.datalen); if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 && - vctx->revoked_ksk[dnskey.algorithm] != - DNS_KEYALG_MAX) + vctx->revoked_ksk[algorithm] != DNS_KEYALG_MAX) { - vctx->revoked_ksk[dnskey.algorithm]++; + vctx->revoked_ksk[algorithm]++; } else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && - vctx->revoked_zsk[dnskey.algorithm] != + vctx->revoked_zsk[algorithm] != DNS_KEYALG_MAX) { - vctx->revoked_zsk[dnskey.algorithm]++; + vctx->revoked_zsk[algorithm]++; } } else { check_dnskey_sigs(vctx, &dnskey, &rdata, is_ksk); @@ -1627,7 +1640,7 @@ determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag, : 0; } if (vctx->act_algorithms[i] != 0) { - dns_secalg_format(i, algbuf, sizeof(algbuf)); + dst_algorithm_format(i, algbuf, sizeof(algbuf)); report("- %s", algbuf); } } @@ -1646,7 +1659,7 @@ determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag, { continue; } - dns_secalg_format(i, algbuf, sizeof(algbuf)); + dst_algorithm_format(i, algbuf, sizeof(algbuf)); zoneverify_log_error(vctx, "Missing %s for algorithm %s", (vctx->ksk_algorithms[i] != 0) ? "ZSK" : "self-" @@ -1889,7 +1902,7 @@ check_bad_algorithms(const vctx_t *vctx, void (*report)(const char *, ...)) { report("The zone is not fully signed " "for the following algorithms:"); } - dns_secalg_format(i, algbuf, sizeof(algbuf)); + dst_algorithm_format(i, algbuf, sizeof(algbuf)); report(" %s", algbuf); first = false; } @@ -1916,7 +1929,7 @@ print_summary(const vctx_t *vctx, bool keyset_kskonly, { continue; } - dns_secalg_format(i, algbuf, sizeof(algbuf)); + dst_algorithm_format(i, algbuf, sizeof(algbuf)); report("Algorithm: %s: KSKs: " "%u active, %u stand-by, %u revoked", algbuf, vctx->ksk_algorithms[i], vctx->standby_ksk[i], diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 1e82acf9d31..af78c88c42a 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -365,12 +365,12 @@ disabled_algorithms(const cfg_obj_t *disabled) { CFG_LIST_FOREACH (obj, element) { isc_textregion_t r; - dns_secalg_t alg; + dst_algorithm_t alg; r.base = UNCONST(cfg_obj_asstring(cfg_listelt_value(element))); r.length = strlen(r.base); - tresult = dns_secalg_fromtext(&alg, &r); + tresult = dst_algorithm_fromtext(&alg, &r); if (tresult != ISC_R_SUCCESS) { cfg_obj_log(cfg_listelt_value(element), ISC_LOG_ERROR, "invalid algorithm '%s'", r.base); diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 0e29e8d39ec..21e09b079e7 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -31,6 +31,8 @@ #include #include +#include + #include #include #include @@ -127,7 +129,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, INSIST(!offline_ksk); key->role |= DNS_KASP_KEY_ROLE_KSK | DNS_KASP_KEY_ROLE_ZSK; key->lifetime = 0; /* unlimited */ - key->algorithm = DNS_KEYALG_ECDSA256; + key->algorithm = DST_ALG_ECDSA256; key->length = -1; result = dns_keystorelist_find(keystorelist, DNS_KEYSTORE_KEYDIRECTORY, @@ -217,8 +219,8 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, obj = cfg_tuple_get(config, "algorithm"); alg.base = cfg_obj_asstring(obj); alg.length = strlen(alg.base); - result = dns_secalg_fromtext(&key->algorithm, - (isc_textregion_t *)&alg); + result = dst_algorithm_fromtext(&key->algorithm, + (isc_textregion_t *)&alg); if (result != ISC_R_SUCCESS) { cfg_obj_log(obj, ISC_LOG_ERROR, "dnssec-policy: bad algorithm %s", @@ -226,10 +228,9 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, result = DNS_R_BADALG; goto cleanup; } - if (check_algorithms && isc_crypto_fips_mode() && - (key->algorithm == DNS_KEYALG_RSASHA1 || - key->algorithm == DNS_KEYALG_NSEC3RSASHA1)) + (key->algorithm == DST_ALG_RSASHA1 || + key->algorithm == DST_ALG_NSEC3RSASHA1)) { cfg_obj_log(obj, ISC_LOG_ERROR, "dnssec-policy: algorithm %s not supported " @@ -255,14 +256,14 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, size = cfg_obj_asuint32(obj); switch (key->algorithm) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: if (isc_crypto_fips_mode()) { min = 2048; } else { - min = DNS_KEYALG_RSASHA512 ? 1024 : 512; + min = DST_ALG_RSASHA512 ? 1024 : 512; } if (size < min || size > 4096) { cfg_obj_log(obj, ISC_LOG_ERROR, @@ -274,10 +275,10 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, goto cleanup; } break; - case DNS_KEYALG_ECDSA256: - case DNS_KEYALG_ECDSA384: - case DNS_KEYALG_ED25519: - case DNS_KEYALG_ED448: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: + case DST_ALG_ED25519: + case DST_ALG_ED448: cfg_obj_log(obj, ISC_LOG_WARNING, "dnssec-policy: key algorithm %s " "has predefined length; ignoring " @@ -356,8 +357,8 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp) { } /* NSEC3 cannot be used with certain key algorithms. */ - if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA || - keyalg == DNS_KEYALG_RSASHA1) + if (keyalg == DST_ALG_RSAMD5 || keyalg == DST_ALG_DSA || + keyalg == DST_ALG_RSASHA1) { badalg = keyalg; } diff --git a/lib/ns/query.c b/lib/ns/query.c index 9ccda552f84..85e01f9f83f 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -2375,6 +2375,7 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, bool secure = false; dns_clientinfomethods_t cm; dns_clientinfo_t ci; + dst_algorithm_t sigalg, keyalg; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL); @@ -2403,6 +2404,9 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, result = dns_rdataset_next(keyrdataset); } + sigalg = dst_algorithm_fromdata(rrsig->algorithm, rrsig->signature, + rrsig->siglen); + for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset)) { dns_rdata_t rdata = DNS_RDATA_INIT; @@ -2411,10 +2415,10 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, dns_rdataset_current(keyrdataset, &rdata); dns_rdata_tostruct(&rdata, &key, NULL); /* can't fail */ + keyalg = dst_algorithm_fromdata(key.algorithm, key.data, + key.datalen); - if (rrsig->algorithm != key.algorithm || - !dns_dnssec_iszonekey(&key)) - { + if (sigalg != keyalg || !dns_dnssec_iszonekey(&key)) { continue; } @@ -2481,9 +2485,12 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, { char txt[DNS_NAME_FORMATSIZE + 32]; isc_buffer_t buffer; + dst_algorithm_t alg; + alg = dst_algorithm_fromdata( + rrsig.algorithm, rrsig.signature, rrsig.siglen); isc_buffer_init(&buffer, txt, sizeof(txt)); - dns_secalg_totext(rrsig.algorithm, &buffer); + dst_algorithm_totext(alg, &buffer); isc_buffer_putstr(&buffer, " "); dns_name_totext(name, DNS_NAME_OMITFINALDOT, &buffer); isc_buffer_putstr(&buffer, " (cached)");