From: Wouter Wijngaards Date: Wed, 8 Aug 2007 13:02:53 +0000 (+0000) Subject: use sigcrypt. X-Git-Tag: release-0.5~141 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdb519c5c16e9bf5d9982248e99a38f3ebda905e;p=thirdparty%2Funbound.git use sigcrypt. git-svn-id: file:///svn/unbound/trunk@500 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index dc90479e5..3eb20ed5a 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -62,13 +62,7 @@ rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata, *len = d->rr_len[idx]; } -/** - * Get DNSKEY RR signature algorithm - * @param k: DNSKEY rrset. - * @param idx: which DNSKEY RR. - * @return algorithm or 0 if DNSKEY too short. - */ -static int +int dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) { uint8_t* rdata; @@ -79,6 +73,17 @@ dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) return (int)rdata[2+3]; } +int +ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx) +{ + uint8_t* rdata; + size_t len; + rrset_get_rdata(k, idx, &rdata, &len); + if(len < 2+3) + return 0; + return (int)rdata[2+2]; +} + /** * Get DS RR digest algorithm * @param k: DS rrset. @@ -96,6 +101,19 @@ ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx) return (int)rdata[2+3]; } +uint16_t +ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) +{ + uint16_t t; + uint8_t* rdata; + size_t len; + rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len); + if(len < 2+2) + return 0; + memmove(&t, rdata+2, 2); + return t; +} + /** * Return pointer to the digest in a DS RR. * @param k: DS rrset. 
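Review bot: `ds_get_keytag` copies the two wire bytes into `t` with `memmove` and returns them unconverted, so on a little-endian host the caller receives the byte-swapped tag rather than the RFC 4034 key tag. If callers compare it against `dnskey_calc_keytag` (whose body is not in this hunk, but which presumably yields a host-order value), the DS/DNSKEY tag comparison would never match on such hosts; return `ntohs(t)` or build the value explicitly as `return ((uint16_t)rdata[2] << 8) | rdata[3];`, which also avoids the `memmove` into a `uint16_t`. Note too that the 0 returned for a short RR is itself a legal key tag, so a caller that needs to distinguish "malformed" from "tag 0" has to check the rdata length separately.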
@@ -222,11 +240,35 @@ int ds_digest_match_dnskey(struct module_env* env, } int -ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) +ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, + size_t ds_idx) { return (ds_digest_size_algo(ds_rrset, ds_idx) != 0); } +/** return true if DNSKEY algorithm id is supported */ +static int +dnskey_algo_id_is_supported(int id) +{ + switch(id) { + case LDNS_DSA: + case LDNS_DSA_NSEC3: + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: + case LDNS_RSAMD5: + return 1; + default: + return 0; + } +} + +int +ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, + size_t ds_idx) +{ + return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx)); +} + uint16_t dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) { @@ -240,14 +282,7 @@ dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) { - switch(dnskey_get_algo(dnskey_rrset, dnskey_idx)) { - case LDNS_DSA: - case LDNS_DSA_NSEC3: - case LDNS_RSASHA1: - case LDNS_RSASHA1_NSEC3: - case LDNS_RSAMD5: - return 1; - default: - return 0; - } + return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset, + dnskey_idx)); } + diff --git a/validator/val_sigcrypt.h b/validator/val_sigcrypt.h index f187e5cb8..219ec4b09 100644 --- a/validator/val_sigcrypt.h +++ b/validator/val_sigcrypt.h 
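Review bot: `dnskey_algo_id_is_supported` lists `LDNS_RSAMD5` next to the SHA-1 based algorithms, so RSA/MD5 (algorithm 1) signatures and DS key algorithms will be treated as verifiable even though RFC 4034 Appendix A.1 marks it NOT RECOMMENDED and MD5 collision attacks were public well before this commit. Because this helper now backs both `dnskey_algo_is_supported` and the new `ds_key_algo_is_supported`, it is the single place to gate that decision. At minimum add `/* RSAMD5 is NOT RECOMMENDED (RFC 4034 A.1); accepted only for interoperability */` above the `case LDNS_RSAMD5:`, or consider dropping the case so RSAMD5 is handled as an unsupported algorithm rather than a verifiable one (what the validator then does with it depends on code outside this hunk).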
@@ -70,6 +70,14 @@ int ds_digest_match_dnskey(struct module_env* env, uint16_t dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx); +/** + * Get DS keytag, footprint value that matches the DNSKEY keytag it signs. + * @param ds_rrset: DS rrset + * @param ds_idx: index of RR in DS rrset. + * @return the keytag or 0 for badly formatted DSs. + */ +uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx); + /** * See if DNSKEY algorithm is supported * @param dnskey_rrset: DNSKEY rrset. @@ -80,12 +88,38 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx); /** - * See if DS algorithm is supported + * See if DS digest algorithm is supported + * @param ds_rrset: DS rrset + * @param ds_idx: index of RR in DS rrset. + * @return true if supported. + */ +int ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, + size_t ds_idx); + +/** + * See if DS key algorithm is supported * @param ds_rrset: DS rrset * @param ds_idx: index of RR in DS rrset. * @return true if supported. */ -int ds_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx); +int ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, + size_t ds_idx); + +/** + * Get DS RR key algorithm. This value should match with the DNSKEY algo. + * @param k: DS rrset. + * @param idx: which DS. + * @return algorithm or 0 if DS too short. + */ +int ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx); + +/** + * Get DNSKEY RR signature algorithm + * @param k: DNSKEY rrset. + * @param idx: which DNSKEY RR. + * @return algorithm or 0 if DNSKEY too short. + */ +int dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx); /** verify rrset against dnskey rrset. */ diff --git a/validator/val_utils.c b/validator/val_utils.c index 5a88855c2..50ab9e4c9 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c 
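Review bot: The new doc comment for `ds_get_keytag` says the DS key tag "matches the DNSKEY keytag it signs", but a DS record does not sign anything; it carries the key tag of the DNSKEY it refers to (RFC 4034 section 5.1.1). It also describes 0 as the return for badly formatted DSs, yet 0 is a valid key tag, so the comment overstates what a caller can learn from the result. Suggest `Get DS key tag: the key tag of the DNSKEY this DS refers to (RFC 4034 5.1.1).` for the summary and `@return the key tag, or 0 if the DS rdata is too short (0 is also a valid tag; check the length if this matters).` for the return line. Stating whether the value is in host or network byte order would also help callers that compare it with `dnskey_calc_keytag`.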
@@ -41,6 +41,7 @@ #include "config.h" #include "validator/val_utils.h" #include "validator/val_kentry.h" +#include "validator/val_sigcrypt.h" #include "util/data/msgreply.h" #include "util/data/packed_rrset.h" #include "util/data/dname.h" @@ -213,19 +214,19 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, num = rrset_get_count(dnskey_rrset); for(i=0; i