From: Mark Andrews
Date: Wed, 16 Apr 2025 01:31:41 +0000 (+1000)
Subject: Support PRIVATEOID/PRIVATEDNS in the resolver
X-Git-Tag: v9.21.10~47^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb184b864c18c2e6a045c0006f4dd20a7bb46160;p=thirdparty%2Fbind9.git
Support PRIVATEOID/PRIVATEDNS in the resolver
dns_resolver_algorithm_supported() has been extended so in addition to an algorithm number, it can also take a pointer to an RRSIG signature field in which key information is encoded.
---
diff --git a/bin/named/server.c b/bin/named/server.c
index ddfd7a38556..5a333cc937a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -958,7 +958,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 * warning, but do not prevent further keys from being processed.
 */
 if (!dns_resolver_algorithm_supported(view->resolver, keyname,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
 {
 cfg_obj_log(key, ISC_LOG_WARNING,
 "ignoring %s for '%s': algorithm is disabled",
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 459e4517310..a16d730619a 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -434,12 +434,18 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name,
 bool
 dns_resolver_algorithm_supported(dns_resolver_t *resolver,
- const dns_name_t *name, unsigned int alg);
+ const dns_name_t *name, unsigned int alg,
+ unsigned char *private, size_t len);
 /*%<
 * Check if the given algorithm is supported by this resolver.
 * This checks whether the algorithm has been disabled via
 * dns_resolver_disable_algorithm(), then checks the underlying
 * crypto libraries if it was not specifically disabled.
+ *
+ * The algorithm is specified with the value 'alg' or, if
+ * 'alg' is PRIVATEOID or PRIVATEDNS, then the algorithm is
+ * encoded as a DNS name or OID in the first 'len' bytes of
+ * 'private'.
 */
 bool
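Review bot: The new paragraph in the resolver.h comment does not say what a caller without a signature field passes, or what is then checked; the DS call sites in this commit pass `NULL, 0`, and from the resolver.c hunk the function then falls through to checking the raw `alg` code point against the disabled-algorithm tree and the crypto backend. Suggest appending to the comment `'private' may be NULL (with 'len' 0) when no signature is available; the raw 'alg' value is then checked as-is.` Separately, `private` is a reserved word in C++, so any C++ translation unit that includes this public header would stop compiling on the new prototype; a name such as `data` or `sigdata` avoids that. The parameter is only read, so `const unsigned char *` would also state the contract, if the buffer API the implementation uses can accept it without a cast.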
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 93d19197961..89479732360 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10614,13 +10614,37 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name,
 bool
 dns_resolver_algorithm_supported(dns_resolver_t *resolver,
- const dns_name_t *name, unsigned int alg) {
+ const dns_name_t *name, unsigned int alg,
+ unsigned char *private, size_t len) {
 REQUIRE(VALID_RESOLVER(resolver));
 if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
 return false;
 }
+ /*
+ * Look up the DST algorithm identifier for private-OID
+ * and private-DNS keys.
+ */
+ if (alg == DST_ALG_PRIVATEDNS && private != NULL) {
+ isc_buffer_t b;
+ isc_buffer_init(&b, private, len);
+ isc_buffer_add(&b, len);
+ alg = dst_algorithm_fromprivatedns(&b);
+ if (alg == 0) {
+ return false;
+ }
+ }
+
+ if (alg == DST_ALG_PRIVATEOID && private != NULL) {
+ isc_buffer_t b;
+ isc_buffer_init(&b, private, len);
+ isc_buffer_add(&b, len);
+ alg = dst_algorithm_fromprivateoid(&b);
+ if (alg == 0) {
+ return false;
+ }
+ }
 if (dns_nametree_covered(resolver->algorithms, name, NULL, alg)) {
 return false;
 }
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 4882262b951..d4eff705803 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1641,8 +1641,9 @@ validate_answer_process(void *arg) {
 * At this point we could check that the signature algorithm
 * was known and "sufficiently good".
 */
- if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
- val->siginfo->algorithm))
+ if (!dns_resolver_algorithm_supported(
+ val->view->resolver, val->name, val->siginfo->algorithm,
+ val->siginfo->signature, val->siginfo->siglen))
 {
 if (val->unsupported_algorithm == 0) {
 val->unsupported_algorithm = val->siginfo->algorithm;
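Review bot: Once the PRIVATEDNS or PRIVATEOID lookup succeeds, `alg` is overwritten with the mapped DST identifier before the `dns_nametree_covered(resolver->algorithms, name, NULL, alg)` check runs, so a disabled-algorithm entry for the private code point itself no longer matches a signature whose embedded name or OID resolves; if that tree is keyed by the on-the-wire algorithm number, the original value should be consulted as well, e.g. `unsigned int wire_alg = alg;` before the two lookup blocks and `if (dns_nametree_covered(resolver->algorithms, name, NULL, wire_alg) || dns_nametree_covered(resolver->algorithms, name, NULL, alg))` afterwards. The two lookup blocks differ only in the helper called, and could be one block that picks `dst_algorithm_fromprivatedns` or `dst_algorithm_fromprivateoid` by `alg`. `len` is a `size_t` handed to `isc_buffer_init()` and `isc_buffer_add()`, which I believe take an `unsigned int`, so a `-Wconversion` build will warn here; the callers pass an RRSIG `siglen`, so a bound check or cast would document that the narrowing is intended. The body of dns_resolver_algorithm_supported continues past the end of the hunk.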
@@ -2011,7 +2012,7 @@ validate_dnskey_dsset(dns_validator_t *val) {
 }
 if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
 {
 if (val->unsupported_algorithm == 0) {
 val->unsupported_algorithm = ds.algorithm;
@@ -2213,7 +2214,8 @@ validate_dnskey(void *arg) {
 }
 if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->name, ds.algorithm))
+ val->name, ds.algorithm,
+ NULL, 0))
 {
 continue;
 }
@@ -2916,7 +2918,7 @@ check_ds_algs(dns_validator_t *val, dns_name_t *name,
 if (dns_resolver_ds_digest_supported(val->view->resolver, name,
 ds.digest_type) &&
 dns_resolver_algorithm_supported(val->view->resolver, name,
- ds.algorithm))
+ ds.algorithm, NULL, 0))
 {
 return true;
 }
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 85e01f9f83f..e4e769d85be 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2480,8 +2480,9 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 dns_rdataset_current(sigrdataset, &rdata);
 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_algorithm_supported(client->view->resolver,
- name, rrsig.algorithm))
+ if (!dns_resolver_algorithm_supported(
+ client->view->resolver, name, rrsig.algorithm,
+ rrsig.signature, rrsig.siglen))
 {
 char txt[DNS_NAME_FORMATSIZE + 32];
 isc_buffer_t buffer;