Commit 75e1200f authored by Jan Včelák's avatar Jan Včelák 🚀

DNSSEC: check allowed algorithms for signing

Also removes the restriction that NSEC3-only algorithms can be used
only with NSEC3.

refs #4
parent ae6a3b94
......@@ -140,6 +140,8 @@ src/libknot/consts.c
src/libknot/consts.h
src/libknot/dname.c
src/libknot/dname.h
src/libknot/dnssec/algorithm.c
src/libknot/dnssec/algorithm.h
src/libknot/dnssec/key.c
src/libknot/dnssec/key.h
src/libknot/dnssec/nsec-bitmap.h
......
......@@ -147,6 +147,8 @@ libknot_la_SOURCES = \
libknot/tsig-op.c \
libknot/binary.h \
libknot/binary.c \
libknot/dnssec/algorithm.c \
libknot/dnssec/algorithm.h \
libknot/dnssec/key.c \
libknot/dnssec/key.h \
libknot/dnssec/nsec-bitmap.h \
......
......@@ -125,28 +125,6 @@ typedef enum {
KNOT_TSIG_ALG_DIG_LENGTH_SHA512 = 64
} knot_tsig_algorithm_digest_length_t;
/*!
* \brief DNSSEC algorithm numbers.
*
* http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
*/
typedef enum {
KNOT_DNSSEC_ALG_RSAMD5 = 1,
KNOT_DNSSEC_ALG_DH = 2,
KNOT_DNSSEC_ALG_DSA = 3,
KNOT_DNSSEC_ALG_RSASHA1 = 5,
KNOT_DNSSEC_ALG_DSA_NSEC3_SHA1 = 6,
KNOT_DNSSEC_ALG_RSASHA1_NSEC3_SHA1 = 7,
KNOT_DNSSEC_ALG_RSASHA256 = 8,
KNOT_DNSSEC_ALG_RSASHA512 = 10,
KNOT_DNSSEC_ALG_ECC_GOST = 12,
KNOT_DNSSEC_ALG_ECDSAP256SHA256 = 13,
KNOT_DNSSEC_ALG_ECDSAP384SHA384 = 14
} knot_dnssec_algorithm_t;
/*!
* \brief DS digest lengths.
*/
......
/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdbool.h>
#include <stdint.h>
#include "libknot/dnssec/algorithm.h"
/*!
* \brief Check if algorithm is supported for zone signing.
*/
bool knot_dnssec_algorithm_is_zonesign(uint8_t algorithm, bool nsec3_enabled)
{
switch (algorithm) {
// NSEC only
case KNOT_DNSSEC_ALG_DSA:
case KNOT_DNSSEC_ALG_RSASHA1:
return !nsec3_enabled;
// NSEC3 only
case KNOT_DNSSEC_ALG_DSA_NSEC3_SHA1:
case KNOT_DNSSEC_ALG_RSASHA1_NSEC3_SHA1:
return true; // allow even with NSEC
// both NSEC and NSEC3
case KNOT_DNSSEC_ALG_RSASHA256:
case KNOT_DNSSEC_ALG_RSASHA512:
case KNOT_DNSSEC_ALG_ECC_GOST:
case KNOT_DNSSEC_ALG_ECDSAP256SHA256:
case KNOT_DNSSEC_ALG_ECDSAP384SHA384:
return true;
// unsupported or unknown
default:
return false;
}
}
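Review bot: The `// NSEC3 only` label above the KNOT_DNSSEC_ALG_DSA_NSEC3_SHA1 / KNOT_DNSSEC_ALG_RSASHA1_NSEC3_SHA1 cases no longer matches the code, which returns true regardless of nsec3_enabled (the commit message says that restriction was dropped on purpose). Replace the label with `// NSEC3 aliases of DSA/RSASHA1 (RFC 5155); accepted with NSEC as well` or fold the two cases into the "both NSEC and NSEC3" group, since the trailing `return true; // allow even with NSEC` duplicates that branch. It is also worth making the default branch's comment explicit, e.g. `// unsupported or unknown (RSAMD5 and DH intentionally land here; they are never allowed for signing)`, so a later reader does not "fix" it by adding them. A one-line why-comment on `return !nsec3_enabled;` would help too: as I read RFC 5155, DSA/RSASHA1 are refused once NSEC3 is enabled because validators that predate NSEC3 would treat such a zone as signed and then fail denial-of-existence validation, whereas the alias numbers make them treat it as insecure instead.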
/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*!
* \file algorithm.h
*
* \author Jan Vcelak <jan.vcelak@nic.cz>
*
* \brief DNSSEC key algorithm utilities.
*
* \addtogroup dnssec
* @{
*/
#ifndef _KNOT_DNSSEC_ALGORITHM_H_
#define _KNOT_DNSSEC_ALGORITHM_H_
#include <stdbool.h>
#include <stdint.h>
/*!
* \brief DNSSEC algorithm numbers.
*
* http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
*/
typedef enum {
KNOT_DNSSEC_ALG_RSAMD5 = 1,
KNOT_DNSSEC_ALG_DH = 2,
KNOT_DNSSEC_ALG_DSA = 3,
KNOT_DNSSEC_ALG_RSASHA1 = 5,
KNOT_DNSSEC_ALG_DSA_NSEC3_SHA1 = 6,
KNOT_DNSSEC_ALG_RSASHA1_NSEC3_SHA1 = 7,
KNOT_DNSSEC_ALG_RSASHA256 = 8,
KNOT_DNSSEC_ALG_RSASHA512 = 10,
KNOT_DNSSEC_ALG_ECC_GOST = 12,
KNOT_DNSSEC_ALG_ECDSAP256SHA256 = 13,
KNOT_DNSSEC_ALG_ECDSAP384SHA384 = 14
} knot_dnssec_algorithm_t;
/*!
* \brief Check if algorithm is supported for zone signing.
*
* \param algorithm Algorithm identification.
* \param nsec3_enabled NSEC3 enabled for signed zone.
*
* \return Given algorithm is allowed for zone signing.
*/
bool knot_dnssec_algorithm_is_zonesign(uint8_t algorithm, bool nsec3_enabled);
#endif // _KNOT_DNSSEC_ALGORITHM_H_
/*! @} */
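Review bot: The `\return` line of knot_dnssec_algorithm_is_zonesign should state the actual contract rather than restating the name, because callers (load_zone_keys in this commit) decide whether to skip a key on it. Suggested wording: `\return True if the algorithm may sign the zone; false for unknown algorithms, for RSAMD5 and DH, and for DSA/RSASHA1 when nsec3_enabled is set.` The enum comment could also note that values 6 and 7 are the RFC 5155 aliases of 3 and 5, which is the whole reason the NSEC3 flag exists in the check.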
......@@ -25,7 +25,8 @@
#include "common.h"
#include "common/descriptor.h"
#include "common/memdup.h"
#include "nsec3.h"
#include "libknot/dnssec/algorithm.h"
#include "libknot/dnssec/nsec3.h"
#include "util/tolower.h"
/*!
......
......@@ -18,8 +18,9 @@
#include "common.h"
#include "common/descriptor.h"
#include "common/errcode.h"
#include "key.h"
#include "sign.h"
#include "libknot/dnssec/algorithm.h"
#include "libknot/dnssec/key.h"
#include "libknot/dnssec/sign.h"
#include <assert.h>
#include <openssl/dsa.h>
#include <openssl/opensslconf.h>
......
......@@ -28,6 +28,7 @@
#define _KNOT_DNSSEC_SIGN_H_
#include "common/descriptor.h"
#include "libknot/dnssec/algorithm.h"
#include "libknot/dnssec/key.h"
/*!
......
......@@ -21,6 +21,7 @@
#include <stdio.h> // TMP
#include "common/errcode.h"
#include "libknot/dname.h"
#include "libknot/dnssec/algorithm.h"
#include "libknot/dnssec/nsec3.h"
#include "libknot/dnssec/sign.h"
#include "libknot/dnssec/zone-keys.h"
......@@ -159,8 +160,10 @@ int load_zone_keys(const char *keydir_name, const knot_dname_t *zone_name,
continue;
}
if (knot_is_nsec3_algorithm(params.algorithm) != nsec3_enabled) {
fprintf(stderr, "wrong algorithm for current NSEC\n");
if (!knot_dnssec_algorithm_is_zonesign(params.algorithm,
nsec3_enabled)
) {
fprintf(stderr, "algorithm not allowed for zone signing\n");
knot_free_key_params(&params);
continue;
}
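Review bot: The rejection message gives the operator no way to tell which key or algorithm was refused, which matters when a zone ends up with fewer signing keys than expected; include the number, e.g. `fprintf(stderr, "algorithm %u not allowed for zone signing\n", (unsigned)params.algorithm);`. The condition's closing `)` on its own line is unusual for this file; `if (!knot_dnssec_algorithm_is_zonesign(params.algorithm, nsec3_enabled)) {` fits on one line. Since a refused key is skipped with `continue`, it is worth confirming that load_zone_keys, whose body starts and ends outside this hunk, fails loudly when every key is rejected rather than proceeding with an empty key set. The `#include <stdio.h> // TMP` in the first hunk suggests these stderr messages are placeholders for proper logging.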
......