From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Sat, 8 Jan 2011 00:54:30 +0000 (+0000)
Subject: make rest of powerdns RSASHA256 aware. Works too.
X-Git-Tag: auth-3.0~410
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f96192e36e7b0f8667a799feb18d5f2192c62634;p=pdns

make rest of powerdns RSASHA256 aware. Works too.


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1837 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 21496de4a..904847e4e 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -180,12 +180,15 @@ void DNSSECKeeper::secureZone(const std::string& name, int algorithm)
   addKey(name, true, algorithm);
 }
  
-bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer)
+bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer, uint8_t& algorithm)
 {
   signer=qname;
+  DNSSECPrivateKey dpk;
   do {
-    if(dk.haveActiveKSKFor(signer)) 
+    if(dk.haveActiveKSKFor(signer, &dpk)) {
+      algorithm = dpk.d_algorithm;
       return true;
+    }
   } while(chopOff(signer));
   return false;
 }
@@ -233,9 +236,9 @@ int getRRSIGForRRSET(DNSSECKeeper& dk, const std::string signQName, uint16_t sig
   rrc.d_originalttl=signTTL; 
   rrc.d_siginception=getCurrentInception();;
   rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
-
+  
   rrc.d_tag=0;
-  if(!getSignerFor(dk, signQName, rrc.d_signer)) {
+  if(!getSignerFor(dk, signQName, rrc.d_signer, rrc.d_algorithm)) {
     cerr<<"No signer known for '"<<signQName<<"'\n";
     return -1;
   }
@@ -303,7 +306,10 @@ void fillOutRRSIG(DNSSECKeeper& dk, const std::string& signQName, RRSIGRecordCon
 
   unsigned char signature[mpi_size(&rc.getContext().N)];
 
-  int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, SIG_RSA_SHA1, 20, (unsigned char*) realhash.c_str(), signature);
+  int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, 
+    rrc.d_algorithm < 8 ? SIG_RSA_SHA1 : SIG_RSA_SHA256, 
+    rrc.d_algorithm < 8 ? 20 : 32,
+    (unsigned char*) realhash.c_str(), signature);
   
   if(ret!=0) {
     cerr<<"signing returned: "<<ret<<endl;
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 6aba1e020..88d152759 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -249,9 +249,16 @@ string getSHA1HashForRRSET(const std::string& qname, const RRSIGRecordContent& r
     toHash.append(rdata);
   }
   //  cerr<<"toHash: "<<makeHexDump(toHash)<<endl;
-  unsigned char hash[20];
-  sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
-  return string((char*)hash, 20);
+  
+  if(rrc.d_algorithm <= 7 ) {
+    unsigned char hash[20];
+    sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
+    return string((char*)hash, sizeof(hash));
+  } else {
+    unsigned char hash[32];
+    sha2((unsigned char*)toHash.c_str(), toHash.length(), hash, 0);
+    return string((char*)hash, sizeof(hash));
+  }
 }
 
 DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest)
@@ -341,10 +348,10 @@ std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const
     sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
     if(!times--) 
       break;
-    toHash.assign((char*)hash, 20);
+    toHash.assign((char*)hash, sizeof(hash));
     toHash.append(salt);
   }
-  return string((char*)hash, 20);
+  return string((char*)hash, sizeof(hash));
 }
 DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
 {
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index ca29b4b6a..324459b45 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -37,7 +37,7 @@ int countLabels(const std::string& signQName);
 class RSAContext;
 class DNSSECKeeper; 
 
-bool getSignerFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, std::string &signer);
+bool getSignerFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, std::string &signer, uint8_t& algorithm);
 DNSKEYRecordContent getDNSKEYFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, bool withKSK, RSAContext* rc);
 void fillOutRRSIG(DNSSECKeeper& dk, const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector<shared_ptr<DNSRecordContent> >& toSign, bool withKSK=false);
 uint32_t getCurrentInception();