Implement RSA-MD5.

75ffc9bf · Giovanni Bajo · Simon Kelley · 3af1ea8c · 75ffc9bf · 75ffc9bf
Commit 75ffc9bf authored May 02, 2012 by Giovanni Bajo Committed by Simon Kelley Aug 20, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 27 deletions

src/dnssec-openssl.c src/dnssec-openssl.c +12 -17

src/dnssec.c src/dnssec.c +19 -10

No files found.
--- a/src/dnssec-openssl.c
+++ b/src/dnssec-openssl.c
@@ -77,12 +77,7 @@ static int dsasha1_parse_key(BIGNUM *Q, BIGNUM *P, BIGNUM *G, BIGNUM *Y, struct
      keydata_to_bn(Y, &key_data, &p, 64+T*8);
 }

-static int rsamd5_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
-{
-  return 0;
-}
-
-static int rsasha1_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
+static int rsa_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len, int nid, int dlen)
 {
  int validated = 0;

@@ -90,26 +85,26 @@ static int rsasha1_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned
  rsa->e = BN_new();
  rsa->n = BN_new();
  if (rsasha1_parse_key(rsa->e, rsa->n, key_data, key_len)
-      && RSA_verify(NID_sha1, ctx->digest, 20, ctx->sig, ctx->siglen, rsa))
+      && RSA_verify(nid, ctx->digest, dlen, ctx->sig, ctx->siglen, rsa))
    validated = 1;

  RSA_free(rsa);
  return validated;
 }

-static int rsasha256_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
+static int rsamd5_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
 {
-  int validated = 0;
+  return rsa_verify(ctx, key_data, key_len, NID_md5, 16);
+}

-  RSA *rsa = RSA_new();
-  rsa->e = BN_new();
-  rsa->n = BN_new();
-  if (rsasha1_parse_key(rsa->e, rsa->n, key_data, key_len)
-      && RSA_verify(NID_sha256, ctx->digest, 32, ctx->sig, ctx->siglen, rsa))
-    validated = 1;
+static int rsasha1_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
+{
+  return rsa_verify(ctx, key_data, key_len, NID_sha1, 20);
+}

-  RSA_free(rsa);
-  return validated;
+static int rsasha256_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)
+{
+  return rsa_verify(ctx, key_data, key_len, NID_sha256, 32);
 }

 static int dsasha1_verify(VerifyAlgCtx *ctx, struct keydata *key_data, unsigned key_len)

--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -649,16 +649,25 @@ static void dnssec_parserrsig(struct dns_header *header, size_t pktlen,
 }

 /* Compute keytag (checksum to quickly index a key). See RFC4034 */
-static int dnskey_keytag(unsigned char *rdata, int rdlen)
+static int dnskey_keytag(int alg, unsigned char *rdata, int rdlen)
 {
-  unsigned long ac;
-  int i;
-
-  ac = 0;
-  for (i = 0; i < rdlen; ++i)
-    ac += (i & 1) ? rdata[i] : rdata[i] << 8;
-  ac += (ac >> 16) & 0xFFFF;
-  return ac & 0xFFFF;
+  if (alg == 1)
+    {
+      /* Algorithm 1 (RSAMD5) has a different (older) keytag calculation algorithm.
+         See RFC4034, Appendix B.1 */
+      return rdata[rdlen-3] * 256 + rdata[rdlen-2];
+    }
+  else
+    {
+      unsigned long ac;
+      int i;
+
+      ac = 0;
+      for (i = 0; i < rdlen; ++i)
+        ac += (i & 1) ? rdata[i] : rdata[i] << 8;
+      ac += (ac >> 16) & 0xFFFF;
+      return ac & 0xFFFF;
+    }
 }

 /* Check if the DS record (from cache) points to the DNSKEY record (from cache) */
@@ -712,7 +721,7 @@ int dnssec_parsekey(struct dns_header *header, size_t pktlen, char *owner, unsig
      crecp->uid = rdlen;
      crecp->addr.key.keydata = key;
      crecp->addr.key.algo = alg;
-      crecp->addr.key.keytag = dnskey_keytag(ordata, ordlen);
+      crecp->addr.key.keytag = dnskey_keytag(alg, ordata, ordlen);
      printf("DNSKEY: storing key for %s (keytag: %d)\n", owner, crecp->addr.key.keytag);
    }
  else