Tidy DNSSEC algorithm table use.
diff --git a/src/crypto.c b/src/crypto.c
index 83372c7..140fb35 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -365,7 +365,7 @@
#endif
-int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo)
{
@@ -409,6 +409,11 @@
return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
}
+/* Note the ds_digest_name(), algo_digest_name() and nsec3_digest_name()
+ define which algo numbers we support. If algo_digest_name() returns
+ non-NULL for an algorithm number, we assume that algrorithm is
+ supported by verify(). */
+
/* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
char *ds_digest_name(int digest)
{
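Review bot: The new comment makes algo_digest_name() the single source of truth for which signing algorithms are supported, but it does not say that the switch in verify_func() (the function begins in the first hunk and its body is outside this view) has to be kept in step with the table, and a mismatch means a key is logged as supported and then fails verification. It also misspells "algorithm" as "algrorithm". I would end the comment with `supported by verify(); keep the switch in verify_func() in step with this table. */`.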
@@ -427,18 +432,19 @@
{
switch (algo)
{
- case 1: return "md5";
- case 3: return "sha1";
- case 5: return "sha1";
- case 6: return "sha1";
- case 7: return "sha1";
- case 8: return "sha256";
- case 10: return "sha512";
- case 12: return "gosthash94";
- case 13: return "sha256";
- case 14: return "sha384";
- case 15: return "null_hash"; /* Ed25519 */
- case 16: return NULL; /* Ed448 */
+ case 1: return "md5"; /* RSA/MD5 */
+ case 2: return NULL; /* Diffie-Hellman */
+ case 3: return "sha1"; /* DSA/SHA1 */
+ case 5: return "sha1"; /* RSA/SHA1 */
+ case 6: return "sha1"; /* DSA-NSEC3-SHA1 */
+ case 7: return "sha1"; /* RSASHA1-NSEC3-SHA1 */
+ case 8: return "sha256"; /* RSA/SHA-256 */
+ case 10: return "sha512"; /* RSA/SHA-512 */
+ case 12: return NULL; /* ECC-GOST */
+ case 13: return "sha256"; /* ECDSAP256SHA256 */
+ case 14: return "sha384"; /* ECDSAP384SHA384 */
+ case 15: return "null_hash"; /* ED25519 */
+ case 16: return NULL; /* ED448 */
default: return NULL;
}
}
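Review bot: Case 12 now returns NULL where it used to return "gosthash94", which under the contract stated in the comment above means ECC-GOST signatures are no longer treated as supported; the commit title only says "Tidy", and nothing in the hunk records why. A one-line comment on that case would save the next reader from reading it as an accidental loss, for example `case 12: return NULL; /* ECC-GOST: deliberately unsupported */` — or, if the intent was to keep it, the previous string. The same applies to case 2, where NULL is correct because Diffie-Hellman is not a signing algorithm, and saying so inline would make the table self-explanatory.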
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index b4d836a..91b1f04 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1186,8 +1186,6 @@
/* crypto.c */
const struct nettle_hash *hash_find(char *name);
int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
-int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
- unsigned char *digest, size_t digest_len, int algo);
int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo);
char *ds_digest_name(int digest);
diff --git a/src/dnssec.c b/src/dnssec.c
index cc79a23..5b6e095 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -799,7 +799,7 @@
{
a.addr.log.keytag = keytag;
a.addr.log.algo = algo;
- if (verify_func(algo))
+ if (algo_digest_name(algo))
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
else
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
@@ -926,7 +926,7 @@
a.addr.log.keytag = keytag;
a.addr.log.algo = algo;
a.addr.log.digest = digest;
- if (hash_find(ds_digest_name(digest)) && verify_func(algo))
+ if (ds_digest_name(digest) && algo_digest_name(algo))
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
else
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
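Review bot: The replacement condition drops the hash_find() call, so a DS is now logged as supported whenever ds_digest_name() knows the digest number, not whenever the linked nettle actually provides that hash; the same change appears in the next hunk, where it decides which DS record is selected for validation rather than just what is logged. If the build's nettle lacks one of the named hashes (gosthash94 is the likely candidate, though I cannot see ds_digest_name() here), that DS would be chosen and then fail instead of being skipped in favour of another. Either keep the runtime check, `if (hash_find(ds_digest_name(digest)) && algo_digest_name(algo))`, in both places, or document at ds_digest_name() that it must only return names hash_find() can resolve in every supported build.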
@@ -1613,8 +1613,8 @@
do
{
if (crecp->uid == (unsigned int)class &&
- hash_find(ds_digest_name(crecp->addr.ds.digest)) &&
- verify_func(crecp->addr.ds.algo))
+ ds_digest_name(crecp->addr.ds.digest) &&
+ algo_digest_name(crecp->addr.ds.algo))
break;
}
while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS)));