mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
Implement digest_sig and digest_rrsig for ZONEMD
ZONEMD needs to be able to digest SIG and RRSIG records. The signer
field can be compressed in SIG so we need to call dns_name_digest().
While for RRSIG the records the signer field is not compressed the
canonical form has the signer field downcased (RFC 4034, 6.2). This
also implies that compare_rrsig needs to downcase the signer field
during comparison.
(cherry picked from commit 006c5990ce)
This commit is contained in:
Mark Andrews
@@ -390,6 +390,9 @@ static int
|
||||
compare_rrsig(ARGS_COMPARE) {
|
||||
isc_region_t r1;
|
||||
isc_region_t r2;
|
||||
dns_name_t name1;
|
||||
dns_name_t name2;
|
||||
int order;
|
||||
|
||||
REQUIRE(rdata1->type == rdata2->type);
|
||||
REQUIRE(rdata1->rdclass == rdata2->rdclass);
|
||||
@@ -399,6 +402,32 @@ compare_rrsig(ARGS_COMPARE) {
|
||||
|
||||
dns_rdata_toregion(rdata1, &r1);
|
||||
dns_rdata_toregion(rdata2, &r2);
|
||||
|
||||
INSIST(r1.length > 18);
|
||||
INSIST(r2.length > 18);
|
||||
r1.length = 18;
|
||||
r2.length = 18;
|
||||
order = isc_region_compare(&r1, &r2);
|
||||
if (order != 0) {
|
||||
return order;
|
||||
}
|
||||
|
||||
dns_name_init(&name1, NULL);
|
||||
dns_name_init(&name2, NULL);
|
||||
dns_rdata_toregion(rdata1, &r1);
|
||||
dns_rdata_toregion(rdata2, &r2);
|
||||
isc_region_consume(&r1, 18);
|
||||
isc_region_consume(&r2, 18);
|
||||
dns_name_fromregion(&name1, &r1);
|
||||
dns_name_fromregion(&name2, &r2);
|
||||
order = dns_name_rdatacompare(&name1, &name2);
|
||||
if (order != 0) {
|
||||
return order;
|
||||
}
|
||||
|
||||
isc_region_consume(&r1, name_length(&name1));
|
||||
isc_region_consume(&r2, name_length(&name2));
|
||||
|
||||
return isc_region_compare(&r1, &r2);
|
||||
}
|
||||
|
||||
@@ -566,13 +595,32 @@ additionaldata_rrsig(ARGS_ADDLDATA) {
|
||||
|
||||
static isc_result_t
|
||||
digest_rrsig(ARGS_DIGEST) {
|
||||
isc_region_t r1, r2;
|
||||
dns_name_t name;
|
||||
|
||||
REQUIRE(rdata->type == dns_rdatatype_rrsig);
|
||||
|
||||
UNUSED(rdata);
|
||||
UNUSED(digest);
|
||||
UNUSED(arg);
|
||||
dns_rdata_toregion(rdata, &r1);
|
||||
r2 = r1;
|
||||
|
||||
return ISC_R_NOTIMPLEMENTED;
|
||||
/*
|
||||
* Type covered (2) + Algorithm (1) +
|
||||
* Labels (1) + Original TTL (4) +
|
||||
* Expire time (4) + Time signed (4) +
|
||||
* Key ID (2).
|
||||
*/
|
||||
isc_region_consume(&r2, 18);
|
||||
r1.length = 18;
|
||||
RETERR((digest)(arg, &r1));
|
||||
|
||||
/* Signer */
|
||||
dns_name_init(&name, NULL);
|
||||
dns_name_fromregion(&name, &r2);
|
||||
RETERR(dns_name_digest(&name, digest, arg));
|
||||
isc_region_consume(&r2, name_length(&name));
|
||||
|
||||
/* Signature */
|
||||
return (digest)(arg, &r2);
|
||||
}
|
||||
|
||||
static dns_rdatatype_t
|
||||
@@ -613,47 +661,7 @@ checknames_rrsig(ARGS_CHECKNAMES) {
|
||||
|
||||
static int
|
||||
casecompare_rrsig(ARGS_COMPARE) {
|
||||
isc_region_t r1;
|
||||
isc_region_t r2;
|
||||
dns_name_t name1;
|
||||
dns_name_t name2;
|
||||
int order;
|
||||
|
||||
REQUIRE(rdata1->type == rdata2->type);
|
||||
REQUIRE(rdata1->rdclass == rdata2->rdclass);
|
||||
REQUIRE(rdata1->type == dns_rdatatype_rrsig);
|
||||
REQUIRE(rdata1->length != 0);
|
||||
REQUIRE(rdata2->length != 0);
|
||||
|
||||
dns_rdata_toregion(rdata1, &r1);
|
||||
dns_rdata_toregion(rdata2, &r2);
|
||||
|
||||
INSIST(r1.length > 18);
|
||||
INSIST(r2.length > 18);
|
||||
r1.length = 18;
|
||||
r2.length = 18;
|
||||
order = isc_region_compare(&r1, &r2);
|
||||
if (order != 0) {
|
||||
return order;
|
||||
}
|
||||
|
||||
dns_name_init(&name1, NULL);
|
||||
dns_name_init(&name2, NULL);
|
||||
dns_rdata_toregion(rdata1, &r1);
|
||||
dns_rdata_toregion(rdata2, &r2);
|
||||
isc_region_consume(&r1, 18);
|
||||
isc_region_consume(&r2, 18);
|
||||
dns_name_fromregion(&name1, &r1);
|
||||
dns_name_fromregion(&name2, &r2);
|
||||
order = dns_name_rdatacompare(&name1, &name2);
|
||||
if (order != 0) {
|
||||
return order;
|
||||
}
|
||||
|
||||
isc_region_consume(&r1, name_length(&name1));
|
||||
isc_region_consume(&r2, name_length(&name2));
|
||||
|
||||
return isc_region_compare(&r1, &r2);
|
||||
return compare_rrsig(rdata1, rdata2);
|
||||
}
|
||||
|
||||
#endif /* RDATA_GENERIC_RRSIG_46_C */
|
||||
|
||||
@@ -559,13 +559,32 @@ additionaldata_sig(ARGS_ADDLDATA) {
|
||||
|
||||
static isc_result_t
|
||||
digest_sig(ARGS_DIGEST) {
|
||||
isc_region_t r1, r2;
|
||||
dns_name_t name;
|
||||
|
||||
REQUIRE(rdata->type == dns_rdatatype_sig);
|
||||
|
||||
UNUSED(rdata);
|
||||
UNUSED(digest);
|
||||
UNUSED(arg);
|
||||
dns_rdata_toregion(rdata, &r1);
|
||||
r2 = r1;
|
||||
|
||||
return ISC_R_NOTIMPLEMENTED;
|
||||
/*
|
||||
* Type covered (2) + Algorithm (1) +
|
||||
* Labels (1) + Original TTL (4) +
|
||||
* Expire time (4) + Time signed (4) +
|
||||
* Key ID (2).
|
||||
*/
|
||||
isc_region_consume(&r2, 18);
|
||||
r1.length = 18;
|
||||
RETERR((digest)(arg, &r1));
|
||||
|
||||
/* Signer */
|
||||
dns_name_init(&name, NULL);
|
||||
dns_name_fromregion(&name, &r2);
|
||||
RETERR(dns_name_digest(&name, digest, arg));
|
||||
isc_region_consume(&r2, name_length(&name));
|
||||
|
||||
/* Signature */
|
||||
return (digest)(arg, &r2);
|
||||
}
|
||||
|
||||
static dns_rdatatype_t
|
||||
|
||||
Reference in New Issue
Block a user