summaryrefslogtreecommitdiff
path: root/validator/val_secalgo.c
diff options
context:
space:
mode:
Diffstat (limited to 'validator/val_secalgo.c')
-rw-r--r--validator/val_secalgo.c45
1 files changed, 45 insertions, 0 deletions
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 88d23472118f4..e9ec5a5b5879d 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -1320,6 +1320,9 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
#include "ecdsa.h"
#include "ecc-curve.h"
#endif
+#ifdef HAVE_NETTLE_EDDSA_H
+#include "eddsa.h"
+#endif
static int
_digest_nettle(int algo, uint8_t* buf, size_t len,
@@ -1477,6 +1480,10 @@ dnskey_algo_id_is_supported(int id)
case LDNS_ECDSAP384SHA384:
#endif
return 1;
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ return 1;
+#endif
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
case LDNS_ECC_GOST:
default:
@@ -1718,6 +1725,30 @@ _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char*
}
#endif
+#ifdef USE_ED25519
+static char *
+_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+ int res = 0;
+
+ if(sigblock_len != ED25519_SIGNATURE_SIZE) {
+ return "wrong ED25519 signature length";
+ }
+ if(keylen != ED25519_KEY_SIZE) {
+ return "wrong ED25519 key length";
+ }
+
+ res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
+ sldns_buffer_begin(buf), (uint8_t*)sigblock);
+
+ if (!res)
+ return "ED25519 signature verification failed";
+ else
+ return NULL;
+}
+#endif
+
/**
* Check a canonical sig+rrset and signature against a dnskey
* @param buf: buffer with data to verify, the first rrsig part and the
@@ -1759,9 +1790,13 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
case LDNS_RSASHA1_NSEC3:
digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
#endif
+ /* double fallthrough annotation to please gcc parser */
+ /* fallthrough */
#ifdef USE_SHA2
+ /* fallthrough */
case LDNS_RSASHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ /* fallthrough */
case LDNS_RSASHA512:
digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
@@ -1776,6 +1811,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
+ /* fallthrough */
case LDNS_ECDSAP384SHA384:
digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
@@ -1785,6 +1821,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
else
return sec_status_secure;
#endif
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
+ key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
+#endif
case LDNS_RSAMD5:
case LDNS_ECC_GOST:
default:
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-23 12:44:45 +0000