author | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-13 15:55:09 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-13 15:55:09 +0000 |
commit | f52cfdd8c37e09d77abdc151a4ddcf94f49f4821 (patch) | |
tree | a84ad4d158060d2a140dc3de7f7875921f85113f | |
parent | 2fc904111d9b6ec45fc1e4ec9f1f8b43c1e67b9b (diff) | |
download | dnsmasq-f52cfdd8c37e09d77abdc151a4ddcf94f49f4821.tar.gz |
Handle known DNSSEC signature algorithms which are not supported.
This fixes a confusion if certain algorithms are not supported
because the version of the crypto library is too old. The validation
should be treated the same as for a completely unknown algorithm
(ie return unverified answer) and not as a validation failure
(ie return SERVFAIL).
The algorithms affected are GOST and ED448.
-rw-r--r-- | src/crypto.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/crypto.c b/src/crypto.c
index 060e27f..5a5de6f 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -390,7 +390,12 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
 return dnsmasq_ecdsa_verify;
 #if MIN_VERSION(3, 1)
- case 15: case 16:
+ case 15:
+ return dnsmasq_eddsa_verify;
+#endif
+
+#if MIN_VERSION(3, 6)
+ case 16:
 return dnsmasq_eddsa_verify;
 #endif
 }
@@ -444,11 +449,17 @@ char *algo_digest_name(int algo)
 case 7: return "sha1"; /* RSASHA1-NSEC3-SHA1 */
 case 8: return "sha256"; /* RSA/SHA-256 */
 case 10: return "sha512"; /* RSA/SHA-512 */
+#if MIN_VERSION(3, 6)
 case 12: return "gosthash94"; /* ECC-GOST */
+#endif
 case 13: return "sha256"; /* ECDSAP256SHA256 */
 case 14: return "sha384"; /* ECDSAP384SHA384 */
+#if MIN_VERSION(3, 1)
 case 15: return "null_hash"; /* ED25519 */
+# if MIN_VERSION(3, 6)
 case 16: return "null_hash"; /* ED448 */
+# endif
+#endif
 default: return NULL;
 }
 }
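Review bot: The switch in verify_func and the switch in algo_digest_name now encode the same "supported" set (case 15 under MIN_VERSION(3, 1), case 16 under MIN_VERSION(3, 6), case 12 under MIN_VERSION(3, 6) in the second hunk), but nothing in the code states that the two tables must agree, and the `case 12:` arm of verify_func lies outside the first hunk, so I cannot confirm it carries the same MIN_VERSION(3, 6) guard that the second hunk adds for the digest name; if either table lists an algorithm the other lacks, the same key or signature is treated as known on one path and unknown on the other. A comment above verify_func's switch would make the invariant explicit: `/* Keep in step with algo_digest_name(): an algorithm absent from either table is reported as unsupported (NULL), which the validator treats like an unknown algorithm (unverified answer, per RFC 4035 s5.2), not as a verification failure (SERVFAIL). */`. The nested `# if MIN_VERSION(3, 6)` inside `#if MIN_VERSION(3, 1)` in the second hunk is redundant, since 3.6 already implies 3.1, and flattening it into two sibling blocks as the first hunk does would read more simply. MIN_VERSION is defined outside both hunks; the thresholds presumably refer to the nettle release that introduced Ed448 and GOST DSA, which a short comment at the macro's definition could record.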