
Implement digest_sig and digest_rrsig for ZONEMD

ZONEMD needs to be able to digest SIG and RRSIG records.  The signer
field can be compressed in SIG so we need to call dns_name_digest().
While for RRSIG the signer field is not compressed, the canonical
form has the signer field downcased (RFC 4034, 6.2).  This
also implies that compare_rrsig needs to downcase the signer field
during comparison.

(cherry picked from commit 006c5990ce)
This commit is contained in:
Mark Andrews
2021-06-23 19:51:51 +10:00
parent 30f3264d18
commit c0197077aa
2 changed files with 76 additions and 49 deletions


@@ -390,6 +390,9 @@ static int
compare_rrsig(ARGS_COMPARE) { compare_rrsig(ARGS_COMPARE) {
isc_region_t r1; isc_region_t r1;
isc_region_t r2; isc_region_t r2;
dns_name_t name1;
dns_name_t name2;
int order;
REQUIRE(rdata1->type == rdata2->type); REQUIRE(rdata1->type == rdata2->type);
REQUIRE(rdata1->rdclass == rdata2->rdclass); REQUIRE(rdata1->rdclass == rdata2->rdclass);
@@ -399,6 +402,32 @@ compare_rrsig(ARGS_COMPARE) {
dns_rdata_toregion(rdata1, &r1); dns_rdata_toregion(rdata1, &r1);
dns_rdata_toregion(rdata2, &r2); dns_rdata_toregion(rdata2, &r2);
INSIST(r1.length > 18);
INSIST(r2.length > 18);
r1.length = 18;
r2.length = 18;
order = isc_region_compare(&r1, &r2);
if (order != 0) {
return order;
}
dns_name_init(&name1, NULL);
dns_name_init(&name2, NULL);
dns_rdata_toregion(rdata1, &r1);
dns_rdata_toregion(rdata2, &r2);
isc_region_consume(&r1, 18);
isc_region_consume(&r2, 18);
dns_name_fromregion(&name1, &r1);
dns_name_fromregion(&name2, &r2);
order = dns_name_rdatacompare(&name1, &name2);
if (order != 0) {
return order;
}
isc_region_consume(&r1, name_length(&name1));
isc_region_consume(&r2, name_length(&name2));
return isc_region_compare(&r1, &r2); return isc_region_compare(&r1, &r2);
} }
@@ -566,13 +595,32 @@ additionaldata_rrsig(ARGS_ADDLDATA) {
static isc_result_t static isc_result_t
digest_rrsig(ARGS_DIGEST) { digest_rrsig(ARGS_DIGEST) {
isc_region_t r1, r2;
dns_name_t name;
REQUIRE(rdata->type == dns_rdatatype_rrsig); REQUIRE(rdata->type == dns_rdatatype_rrsig);
UNUSED(rdata); dns_rdata_toregion(rdata, &r1);
UNUSED(digest); r2 = r1;
UNUSED(arg);
return ISC_R_NOTIMPLEMENTED; /*
* Type covered (2) + Algorithm (1) +
* Labels (1) + Original TTL (4) +
* Expire time (4) + Time signed (4) +
* Key ID (2).
*/
isc_region_consume(&r2, 18);
r1.length = 18;
RETERR((digest)(arg, &r1));
/* Signer */
dns_name_init(&name, NULL);
dns_name_fromregion(&name, &r2);
RETERR(dns_name_digest(&name, digest, arg));
isc_region_consume(&r2, name_length(&name));
/* Signature */
return (digest)(arg, &r2);
} }
static dns_rdatatype_t static dns_rdatatype_t
@@ -613,47 +661,7 @@ checknames_rrsig(ARGS_CHECKNAMES) {
static int static int
casecompare_rrsig(ARGS_COMPARE) { casecompare_rrsig(ARGS_COMPARE) {
isc_region_t r1; return compare_rrsig(rdata1, rdata2);
isc_region_t r2;
dns_name_t name1;
dns_name_t name2;
int order;
REQUIRE(rdata1->type == rdata2->type);
REQUIRE(rdata1->rdclass == rdata2->rdclass);
REQUIRE(rdata1->type == dns_rdatatype_rrsig);
REQUIRE(rdata1->length != 0);
REQUIRE(rdata2->length != 0);
dns_rdata_toregion(rdata1, &r1);
dns_rdata_toregion(rdata2, &r2);
INSIST(r1.length > 18);
INSIST(r2.length > 18);
r1.length = 18;
r2.length = 18;
order = isc_region_compare(&r1, &r2);
if (order != 0) {
return order;
}
dns_name_init(&name1, NULL);
dns_name_init(&name2, NULL);
dns_rdata_toregion(rdata1, &r1);
dns_rdata_toregion(rdata2, &r2);
isc_region_consume(&r1, 18);
isc_region_consume(&r2, 18);
dns_name_fromregion(&name1, &r1);
dns_name_fromregion(&name2, &r2);
order = dns_name_rdatacompare(&name1, &name2);
if (order != 0) {
return order;
}
isc_region_consume(&r1, name_length(&name1));
isc_region_consume(&r2, name_length(&name2));
return isc_region_compare(&r1, &r2);
} }
#endif /* RDATA_GENERIC_RRSIG_46_C */ #endif /* RDATA_GENERIC_RRSIG_46_C */
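Review bot: digest_rrsig truncates r1 to 18 bytes and consumes 18 bytes from r2 without first checking that the rdata is at least that long, whereas compare_rrsig in the same hunk guards the identical step with `INSIST(r1.length > 18);`. The rdata has presumably already passed fromwire/fromstruct validation so the short case is likely unreachable, but the INSIST is cheap and states the invariant the arithmetic relies on; I would add `INSIST(r1.length > 18);` immediately after `dns_rdata_toregion(rdata, &r1);`. The reason the signer is routed through dns_name_digest() rather than digested raw (RFC 4034 section 6.2 requires the signer name in canonical, downcased form) lives only in the commit message; a one-line comment such as `/* Signer is digested in canonical (downcased) form, RFC 4034 6.2. */` above the dns_name_digest() call would keep that rationale next to the code. Whether dns_name_digest() actually downcases is not visible in this hunk and should be confirmed against lib/dns/name.c.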


@@ -559,13 +559,32 @@ additionaldata_sig(ARGS_ADDLDATA) {
static isc_result_t static isc_result_t
digest_sig(ARGS_DIGEST) { digest_sig(ARGS_DIGEST) {
isc_region_t r1, r2;
dns_name_t name;
REQUIRE(rdata->type == dns_rdatatype_sig); REQUIRE(rdata->type == dns_rdatatype_sig);
UNUSED(rdata); dns_rdata_toregion(rdata, &r1);
UNUSED(digest); r2 = r1;
UNUSED(arg);
return ISC_R_NOTIMPLEMENTED; /*
* Type covered (2) + Algorithm (1) +
* Labels (1) + Original TTL (4) +
* Expire time (4) + Time signed (4) +
* Key ID (2).
*/
isc_region_consume(&r2, 18);
r1.length = 18;
RETERR((digest)(arg, &r1));
/* Signer */
dns_name_init(&name, NULL);
dns_name_fromregion(&name, &r2);
RETERR(dns_name_digest(&name, digest, arg));
isc_region_consume(&r2, name_length(&name));
/* Signature */
return (digest)(arg, &r2);
} }
static dns_rdatatype_t static dns_rdatatype_t
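Review bot: digest_sig has the same unguarded `isc_region_consume(&r2, 18)` / `r1.length = 18` pair as the RRSIG version: nothing in the function establishes that the rdata holds the 18 fixed bytes plus at least a one-byte signer name before the arithmetic runs, and there is no `INSIST(r1.length > 18);` of the kind compare_rrsig uses. If isc_region_consume() carries its own length INSIST (not visible here) this only changes which assertion fires, but stating the precondition at the top of the function is easier to read than deriving it from the layout comment; I would add `INSIST(r1.length > 18);` after `dns_rdata_toregion(rdata, &r1);`. Separately, "Key ID" in the layout comment is the field RFC 2535 and RFC 4034 section 3.1 call the key tag; `* Key Tag (2).` avoids introducing a second name for the same two bytes.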