diff options
author | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-16 15:54:43 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-16 15:57:31 +0000 |
commit | 1f9215f5f92c5478c8aaba8054d192a5e6280e95 (patch) | |
tree | 83591ca1b36111a877a0434b6b9c1fda032e901f | |
parent | f52cfdd8c37e09d77abdc151a4ddcf94f49f4821 (diff) | |
download | dnsmasq-1f9215f5f92c5478c8aaba8054d192a5e6280e95.tar.gz |
Fix GOST signature algorithms for DNSSEC validation.
Use CryptoPro version of the hash function.
Handle the little-endian wire format of key data.
Get the wire order of S and R correct.
Note that Nettle version 3.6 or later is required for GOST support.
-rw-r--r-- | src/crypto.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/src/crypto.c b/src/crypto.c index 5a5de6f..d799037 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -309,14 +309,14 @@ static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_l mpz_init(y); } - mpz_import(x, 32 , 1, 1, 0, 0, p); - mpz_import(y, 32 , 1, 1, 0, 0, p + 32); + mpz_import(x, 32, -1, 1, 0, 0, p); + mpz_import(y, 32, -1, 1, 0, 0, p + 32); if (!ecc_point_set(gost_key, x, y)) - return 0; + return 0; - mpz_import(sig_struct->r, 32, 1, 1, 0, 0, sig); - mpz_import(sig_struct->s, 32, 1, 1, 0, 0, sig + 32); + mpz_import(sig_struct->s, 32, 1, 1, 0, 0, sig); + mpz_import(sig_struct->r, 32, 1, 1, 0, 0, sig + 32); return nettle_gostdsa_verify(gost_key, digest_len, digest, sig_struct); } @@ -430,7 +430,9 @@ char *ds_digest_name(int digest) { case 1: return "sha1"; case 2: return "sha256"; - case 3: return "gosthash94"; +#if MIN_VERSION(3, 6) + case 3: return "gosthash94cp"; +#endif case 4: return "sha384"; default: return NULL; } @@ -450,7 +452,7 @@ char *algo_digest_name(int algo) case 8: return "sha256"; /* RSA/SHA-256 */ case 10: return "sha512"; /* RSA/SHA-512 */ #if MIN_VERSION(3, 6) - case 12: return "gosthash94"; /* ECC-GOST */ + case 12: return "gosthash94cp"; /* ECC-GOST */ #endif case 13: return "sha256"; /* ECDSAP256SHA256 */ case 14: return "sha384"; /* ECDSAP384SHA384 */ |