head 1.1; branch 1.1.1; access; symbols netbsd-11-0-RC5:1.1.1.1.2.2 netbsd-11:1.1.1.1.0.2 unbound-1-25-1:1.1.1.1 NLNETLABS:1.1.1; locks; strict; comment @# @; 1.1 date 2026.05.21.16.11.48; author christos; state Exp; branches 1.1.1.1; next ; commitid KUtmCKdRNks7oHGG; 1.1.1.1 date 2026.05.21.16.11.48; author christos; state Exp; branches 1.1.1.1.2.1; next ; commitid KUtmCKdRNks7oHGG; 1.1.1.1.2.1 date 2026.05.21.16.11.48; author martin; state dead; branches; next 1.1.1.1.2.2; commitid f6njiPn3ohMHtVJG; 1.1.1.1.2.2 date 2026.06.15.18.50.40; author martin; state Exp; branches; next ; commitid f6njiPn3ohMHtVJG; desc @@ 1.1 log @Initial revision @ text @diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 42a9262a3..cc6406a56 100644 --- a/sldns/keyraw.c 
+++ b/sldns/keyraw.c @@@@ -85,7 +85,7 @@@@ sldns_rr_dnskey_key_size_raw(const unsigned char* keydata, } break; #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: return 512; #endif #ifdef USE_ECDSA @@@@ -146,7 +146,7 @@@@ sldns_key_EVP_load_gost_id(void) if(gost_id) return gost_id; /* see if configuration loaded gost implementation from other engine*/ - meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); + meth = EVP_PKEY_asn1_find_str(NULL, "gost2012_256", -1); if(meth) { EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); return gost_id; @@@@ -170,7 +170,7 @@@@ sldns_key_EVP_load_gost_id(void) return 0; } - meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); + meth = EVP_PKEY_asn1_find_str(&e, "gost2012_256", -1); if(!meth) { /* algo not found */ ENGINE_finish(e); @@@@ -536,12 +536,17 @@@@ EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len) EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen) { - /* prefix header for X509 encoding */ - uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, - 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40}; - unsigned char encoded[37+64]; + /* prefix header for X509 encoding + * + * note: based on draft-makarenko-gost2012-dnssec-01 (pre-RFC9558 and it DOES work!) 
+ * ASN1 header described in RFC9558 is not suitable due to d2i_PUBKEY() works with + * non-compressed public keys (two additional bytes 0x04, 0x40 at the end of header) + */ + uint8_t asn[32] = { 0x30, 0x5e, 0x30, 0x17, 0x06, 0x08, 0x2a, 0x85, + 0x03, 0x07, 0x01, 0x01, 0x01, 0x01, 0x30, 0x0b, + 0x06, 0x09, 0x2a, 0x85, 0x03, 0x07, 0x01, 0x02, + 0x01, 0x01, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40 }; + unsigned char encoded[32+64]; const unsigned char* pp; if(keylen != 64) { /* key wrong size */ @@@@ -549,8 +554,8 @@@@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen) } /* create evp_key */ - memmove(encoded, asn, 37); - memmove(encoded+37, key, 64); + memmove(encoded, asn, 32); + memmove(encoded+32, key, 64); pp = (unsigned char*)&encoded[0]; return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded)); diff --git a/sldns/rrdef.h b/sldns/rrdef.h index bbc3d5b86..7d5f3c057 100644 --- a/sldns/rrdef.h +++ b/sldns/rrdef.h @@@@ -384,11 +384,12 @@@@ enum sldns_enum_algorithm LDNS_RSASHA1_NSEC3 = 7, LDNS_RSASHA256 = 8, /* RFC 5702 */ LDNS_RSASHA512 = 10, /* RFC 5702 */ - LDNS_ECC_GOST = 12, /* RFC 5933 */ + LDNS_ECC_GOST = 12, /* RFC 5933, deprecated */ LDNS_ECDSAP256SHA256 = 13, /* RFC 6605 */ LDNS_ECDSAP384SHA384 = 14, /* RFC 6605 */ LDNS_ED25519 = 15, /* RFC 8080 */ LDNS_ED448 = 16, /* RFC 8080 */ + LDNS_ECC_GOST12 = 23, /* RFC 9558 */ LDNS_INDIRECT = 252, LDNS_PRIVATEDNS = 253, LDNS_PRIVATEOID = 254 @@@@ -402,8 +403,9 @@@@ enum sldns_enum_hash { LDNS_SHA1 = 1, /* RFC 4034 */ LDNS_SHA256 = 2, /* RFC 4509 */ - LDNS_HASH_GOST = 3, /* RFC 5933 */ - LDNS_SHA384 = 4 /* RFC 6605 */ + LDNS_HASH_GOST = 3, /* RFC 5933, deprecated */ + LDNS_SHA384 = 4, /* RFC 6605 */ + LDNS_HASH_GOST12 = 5 /* RFC 9558 */ }; typedef enum sldns_enum_hash sldns_hash; diff --git a/sldns/wire2str.c b/sldns/wire2str.c index 75b8f37b0..b4c4755e6 100644 --- a/sldns/wire2str.c 
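Review bot: In sldns_gost2pkey_raw (hunks at -536 and -549) the header length 32 is hard-coded four times, in `asn[32]`, `encoded[32+64]` and both `memmove` calls, so a later change to the prefix can leave the buffer and the copies out of step. Deriving the sizes from the array keeps them tied together: `unsigned char encoded[sizeof(asn)+64];`, `memmove(encoded, asn, sizeof(asn));`, `memmove(encoded+sizeof(asn), key, 64);`. The new comment would also be more accurate if it said that the trailing `0x04, 0x40` are the OCTET STRING tag and length wrapping the 64-byte key inside the BIT STRING, not a marker for non-compressed keys. The function's closing brace is outside these hunks.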
+++ b/sldns/wire2str.c @@@@ -45,11 +45,12 @@@@ static sldns_lookup_table sldns_algorithms_data[] = { { LDNS_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, { LDNS_RSASHA256, "RSASHA256"}, { LDNS_RSASHA512, "RSASHA512"}, - { LDNS_ECC_GOST, "ECC-GOST"}, + { LDNS_ECC_GOST, "ECC-GOST"}, /* deprecated */ { LDNS_ECDSAP256SHA256, "ECDSAP256SHA256"}, { LDNS_ECDSAP384SHA384, "ECDSAP384SHA384"}, { LDNS_ED25519, "ED25519"}, { LDNS_ED448, "ED448"}, + { LDNS_ECC_GOST12, "ECC-GOST12"}, { LDNS_INDIRECT, "INDIRECT" }, { LDNS_PRIVATEDNS, "PRIVATEDNS" }, { LDNS_PRIVATEOID, "PRIVATEOID" }, @@@@ -61,8 +62,9 @@@@ sldns_lookup_table* sldns_algorithms = sldns_algorithms_data; static sldns_lookup_table sldns_hashes_data[] = { { LDNS_SHA1, "SHA1" }, { LDNS_SHA256, "SHA256" }, - { LDNS_HASH_GOST, "HASH-GOST" }, + { LDNS_HASH_GOST, "HASH-GOST" }, /* deprecated */ { LDNS_SHA384, "SHA384" }, + { LDNS_HASH_GOST12, "HASH-GOST12" }, { 0, NULL } }; sldns_lookup_table* sldns_hashes = sldns_hashes_data; diff --git a/testcode/unitverify.c b/testcode/unitverify.c index fcf2e2ffe..4a33e9f6a 100644 --- a/testcode/unitverify.c +++ b/testcode/unitverify.c @@@@ -696,7 +696,7 @@@@ verify_test(void) #endif #ifdef USE_GOST if(sldns_key_EVP_load_gost_id()) - verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost", "20090807060504"); + verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost12", "20251226060504"); else printf("Warning: skipped GOST, openssl does not provide gost.\n"); #endif #ifdef USE_ECDSA diff --git a/testdata/test_sigs.gost12 b/testdata/test_sigs.gost12 new file mode 100644 index 000000000..72a250cff --- /dev/null 
+++ b/testdata/test_sigs.gost12 @@@@ -0,0 +1,39 @@@@ +; Signature test file + +; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. +; later entries are verified with it. + +; Test GOST signatures using algo number 23. + +ENTRY_BEGIN +SECTION QUESTION +nlnetlabs.nl. IN DNSKEY +SECTION ANSWER +nlnetlabs.nl. 3600 IN DNSKEY 256 3 23 cdOtkEcb6NhcdOpIbPYtWyWxdlUiKgtKQbYg3lIjtG7i3fYjUID9zyOgoQEiV9wuGCfrw5cNsnvNw+8HiVFK4g== ;{id = 12301 (zsk), size = 512b} +ENTRY_END + +; entry to test +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN A +SECTION ANSWER +open.nlnetlabs.nl. 600 IN A 213.154.224.1 +open.nlnetlabs.nl. 600 IN RRSIG A 23 3 600 20260122084903 20251225084903 12301 nlnetlabs.nl. I12wYNs96DxMy26CWx296/sWMJAFg4nNXBo0sw7PnuMbJW5NFAmZYtFWhUdOWn4umaiodYOAmKG8Zg/OKvEtAQ== +ENTRY_END + +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN AAAA +SECTION ANSWER +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::1 +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::53 +open.nlnetlabs.nl. 600 IN RRSIG AAAA 23 3 600 20260122084903 20251225084903 12301 nlnetlabs.nl. J0jHa+CP8HM6UDa2+uYgaze2mfpJTh2hkZ2KwMTYb5sfL6iBmxxql0c/403Itk4fMfYBMGn7zfzDQ+CxnCgSWw== +ENTRY_END + +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN NSEC +SECTION ANSWER +open.nlnetlabs.nl. 86400 IN NSEC nlnetlabs.nl. A AAAA RRSIG NSEC +open.nlnetlabs.nl. 86400 IN RRSIG NSEC 23 3 86400 20260122084903 20251225084903 12301 nlnetlabs.nl. INCLYe9vAaNYaYx5Ay3Q6QdX+wPW9sMRvVlGt/jUEGgCi+88QlV80CT1oHrhRI66I14Wk6NRAGZRNx1tUPSHSg== +ENTRY_END diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index be8347b1b..4f621a309 100644 --- a/validator/val_secalgo.c 
+++ b/validator/val_secalgo.c @@@@ -246,10 +246,10 @@@@ ds_digest_size_supported(int algo) return SHA256_DIGEST_LENGTH; #endif #ifdef USE_GOST - case LDNS_HASH_GOST: + case LDNS_HASH_GOST12: /* we support GOST if it can be loaded */ (void)sldns_key_EVP_load_gost_id(); - if(EVP_get_digestbyname("md_gost94")) + if(EVP_get_digestbyname("md_gost12_256")) return 32; else return 0; #endif @@@@ -265,9 +265,9 @@@@ ds_digest_size_supported(int algo) #ifdef USE_GOST /** Perform GOST hash */ static int -do_gost94(unsigned char* data, size_t len, unsigned char* dest) +do_gost12(unsigned char* data, size_t len, unsigned char* dest) { - const EVP_MD* md = EVP_get_digestbyname("md_gost94"); + const EVP_MD* md = EVP_get_digestbyname("md_gost12_256"); if(!md) return 0; return sldns_digest_evp(data, (unsigned int)len, dest, md); @@@@ -302,8 +302,8 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return 1; #endif #ifdef USE_GOST - case LDNS_HASH_GOST: - if(do_gost94(buf, len, res)) + case LDNS_HASH_GOST12: + if(do_gost12(buf, len, res)) return 1; break; #endif @@@@ -384,7 +384,7 @@@@ dnskey_algo_id_is_supported(int id) #endif #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: /* we support GOST if it can be loaded */ return sldns_key_EVP_load_gost_id(); #endif @@@@ -612,17 +612,17 @@@@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, break; #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: *evp_key = sldns_gost2pkey_raw(key, keylen); if(!*evp_key) { verbose(VERB_QUERY, "verify: " "sldns_gost2pkey_raw failed"); return 0; } - *digest_type = EVP_get_digestbyname("md_gost94"); + *digest_type = EVP_get_digestbyname("md_gost12_256"); if(!*digest_type) { verbose(VERB_QUERY, "verify: " - "EVP_getdigest md_gost94 failed"); + "EVP_getdigest md_gost12_256 failed"); return 0; } break; @@@@ -964,7 +964,7 @@@@ ds_digest_size_supported(int algo) return SHA384_LENGTH; #endif /* GOST not supported in NSS */ - case LDNS_HASH_GOST: + case 
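Review bot: `dnskey_algo_id_is_supported` (hunk at -384) reports algorithm 23 as supported on the result of `sldns_key_EVP_load_gost_id()` alone, while `setup_key_digest` (hunk at -612) also needs `EVP_get_digestbyname("md_gost12_256")` and returns 0 when it is missing. On a build where the key method is present but the digest is not, the validator would claim support and then fail every verification for such zones; how the caller classifies that failure is not visible here. `ds_digest_size_supported` in the -246 hunk already checks the digest, and the key check could do the same: `return sldns_key_EVP_load_gost_id() && EVP_get_digestbyname("md_gost12_256") != NULL;`. Both functions start and end outside their hunks.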
LDNS_HASH_GOST12: default: break; } return 0; @@@@ -991,7 +991,7 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) == SECSuccess; #endif - case LDNS_HASH_GOST: + case LDNS_HASH_GOST12: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); @@@@ -1031,7 +1031,7 @@@@ dnskey_algo_id_is_supported(int id) case LDNS_ECDSAP384SHA384: return PK11_TokenExists(CKM_ECDSA); #endif - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: return 0; } @@@@ -1352,7 +1352,7 @@@@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, /* no prefix for DSA verification */ break; #endif /* USE_ECDSA */ - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: verbose(VERB_QUERY, "verify: unknown algorithm %d", algo); @@@@ -1675,7 +1675,7 @@@@ ds_digest_size_supported(int algo) return SHA384_DIGEST_SIZE; #endif /* GOST not supported */ - case LDNS_HASH_GOST: + case LDNS_ECC_GOST12: default: break; } @@@@ -1700,7 +1700,7 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); #endif - case LDNS_HASH_GOST: + case LDNS_ECC_GOST12: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); @@@@ -1744,7 +1744,7 @@@@ dnskey_algo_id_is_supported(int id) return 1; #endif case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: return 0; } @@@@ -2103,7 +2103,7 @@@@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, return sec_status_secure; #endif case LDNS_RSAMD5: - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: *reason = "unable to verify signature, unknown algorithm"; return sec_status_bogus; @ 1.1.1.1 log @Import unbound 1.25.1 (previous was 1.24.2) Bug Fixes Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. 
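Review bot: The hunks at -1675 and -1700 put `case LDNS_ECC_GOST12:` into `ds_digest_size_supported` and `secalgo_ds_digest`, which switch on a DS digest type. `LDNS_ECC_GOST12` is the DNSKEY algorithm constant (23); the digest constant this patch adds in rrdef.h is `LDNS_HASH_GOST12` (5), and the matching hunks at -964 and -991 use it. Both labels fall through to `default`, so the result is unchanged today, but the label should read `case LDNS_HASH_GOST12:` in both places so the switch names the right value. The enclosing functions begin and end outside these hunks.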
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report. Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. 
For changes to older versions see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1 @ text @@ 1.1.1.1.2.1 log @file gost12.patch was added on branch netbsd-11 on 2026-06-15 18:50:40 +0000 @ text @d1 325 @ 1.1.1.1.2.2 log @Pull up the following revisions, requested by christos in ticket #309: external/bsd/unbound/dist/contrib/gost12.patch up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/127.0.0.1/example.com.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/auth_https_origin.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/auth_https_origin.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/auth_https_origin.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/auth_https_origin.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/auth_https_origin.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/petal.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_https_origin.tdir/petal.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cached_servfail_timeout.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_notify_lookup.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/dname_unsigned_cname.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/ds_wildcard_cname.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/fwd_scrub_rrsig.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_dname_ttl0.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_nat64_donotq.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_priv_svcb.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_scrub_dname_out_of_zone.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_svcb_malformed.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/long_qname.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/respip_dns64_lookup.rpl up to 1.1.1.1 
external/bsd/unbound/dist/testdata/subnet_scopezero_bogus.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_scopezero_global_nocache.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/ttl_zero_cacherep.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf2 up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/tls_reuse_auth.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/unbound_control.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/unbound_control.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/unbound_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/tls_reuse_auth.tdir/unbound_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_no_prefetch.rpl delete external/bsd/unbound/dist/README.md up to 1.1.1.5 external/bsd/unbound/dist/aclocal.m4 up to 1.1.1.7 external/bsd/unbound/dist/acx_nlnetlabs.m4 up to 1.1.1.7 external/bsd/unbound/dist/config.h.in up to 1.1.1.11 external/bsd/unbound/dist/configure up to 1.1.1.11 external/bsd/unbound/dist/configure.ac up to 1.1.1.11 external/bsd/unbound/dist/cachedb/cachedb.c up to 1.1.1.10 external/bsd/unbound/dist/cachedb/redis.c up to 1.1.1.6 external/bsd/unbound/dist/compat/arc4random.c up to 1.1.1.6 external/bsd/unbound/dist/compat/chacha_private.h up to 1.1.1.2 external/bsd/unbound/dist/compat/getentropy_linux.c up to 1.1.1.4 external/bsd/unbound/dist/compat/gmtime_r.c up to 1.1.1.2 external/bsd/unbound/dist/contrib/README up to 1.1.1.8 external/bsd/unbound/dist/contrib/unbound.service.in up 
to 1.1.1.9 external/bsd/unbound/dist/contrib/unbound_portable.service.in up to 1.1.1.3 external/bsd/unbound/dist/contrib/ios/install_openssl.sh up to 1.1.1.2 external/bsd/unbound/dist/contrib/ios/setenv_ios.sh up to 1.1.1.2 external/bsd/unbound/dist/daemon/daemon.c up to 1.1.1.10 external/bsd/unbound/dist/daemon/daemon.h up to 1.1.1.7 external/bsd/unbound/dist/daemon/remote.c up to 1.1.1.11 external/bsd/unbound/dist/daemon/remote.h up to 1.1.1.6 external/bsd/unbound/dist/daemon/stats.c up to 1.1.1.11 external/bsd/unbound/dist/daemon/unbound.c up to 1.1.1.10 external/bsd/unbound/dist/daemon/worker.c up to 1.1.1.11 external/bsd/unbound/dist/dns64/dns64.c up to 1.1.1.10 external/bsd/unbound/dist/dnscrypt/dnscrypt.c up to 1.1.1.6 external/bsd/unbound/dist/dnstap/dtstream.c up to 1.1.1.6 external/bsd/unbound/dist/dnstap/dtstream.h up to 1.1.1.2 external/bsd/unbound/dist/dnstap/unbound-dnstap-socket.c up to 1.1.1.5 external/bsd/unbound/dist/doc/Changelog up to 1.1.1.11 external/bsd/unbound/dist/doc/README up to 1.1.1.11 external/bsd/unbound/dist/doc/README.DNS64 up to 1.1.1.3 external/bsd/unbound/dist/doc/README.man up to 1.1.1.2 external/bsd/unbound/dist/doc/example.conf.in up to 1.1.1.11 external/bsd/unbound/dist/doc/libunbound.3.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound-anchor.8.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound-anchor.rst up to 1.1.1.2 external/bsd/unbound/dist/doc/unbound-checkconf.8.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound-control.8.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound-control.rst up to 1.1.1.2 external/bsd/unbound/dist/doc/unbound-host.1.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound.8.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound.conf.5.in up to 1.1.1.11 external/bsd/unbound/dist/doc/unbound.conf.rst up to 1.1.1.2 external/bsd/unbound/dist/doc/unbound.rst up to 1.1.1.2 external/bsd/unbound/dist/edns-subnet/subnetmod.c up to 1.1.1.10 
external/bsd/unbound/dist/edns-subnet/subnetmod.h up to 1.1.1.8 external/bsd/unbound/dist/ipsecmod/ipsecmod.c up to 1.1.1.6 external/bsd/unbound/dist/iterator/iter_fwd.c up to 1.1.1.8 external/bsd/unbound/dist/iterator/iter_hints.c up to 1.1.1.8 external/bsd/unbound/dist/iterator/iter_priv.c up to 1.1.1.3 external/bsd/unbound/dist/iterator/iter_scrub.c up to 1.1.1.11 external/bsd/unbound/dist/iterator/iter_utils.c up to 1.1.1.10 external/bsd/unbound/dist/iterator/iter_utils.h up to 1.1.1.9 external/bsd/unbound/dist/iterator/iterator.c up to 1.1.1.11 external/bsd/unbound/dist/libunbound/unbound.h up to 1.8 external/bsd/unbound/dist/libunbound/python/libunbound.i up to 1.1.1.6 external/bsd/unbound/dist/pythonmod/interface.i up to 1.1.1.10 external/bsd/unbound/dist/pythonmod/pythonmod.c up to 1.1.1.8 external/bsd/unbound/dist/respip/respip.c up to 1.1.1.8 external/bsd/unbound/dist/services/authzone.c up to 1.6 external/bsd/unbound/dist/services/listen_dnsport.c up to 1.1.1.11 external/bsd/unbound/dist/services/localzone.c up to 1.1.1.10 external/bsd/unbound/dist/services/localzone.h up to 1.1.1.9 external/bsd/unbound/dist/services/mesh.c up to 1.1.1.11 external/bsd/unbound/dist/services/mesh.h up to 1.1.1.9 external/bsd/unbound/dist/services/modstack.c up to 1.1.1.10 external/bsd/unbound/dist/services/outside_network.c up to 1.1.1.11 external/bsd/unbound/dist/services/outside_network.h up to 1.1.1.10 external/bsd/unbound/dist/services/rpz.c up to 1.1.1.6 external/bsd/unbound/dist/services/cache/dns.c up to 1.1.1.10 external/bsd/unbound/dist/services/cache/dns.h up to 1.1.1.9 external/bsd/unbound/dist/services/cache/infra.c up to 1.1.1.9 external/bsd/unbound/dist/services/cache/rrset.c up to 1.1.1.8 external/bsd/unbound/dist/sldns/rrdef.h up to 1.1.1.8 external/bsd/unbound/dist/sldns/wire2str.c up to 1.1.1.9 external/bsd/unbound/dist/smallapp/unbound-anchor.c up to 1.1.1.10 external/bsd/unbound/dist/smallapp/unbound-checkconf.c up to 1.1.1.11 
external/bsd/unbound/dist/smallapp/unbound-control.c up to 1.1.1.11 external/bsd/unbound/dist/smallapp/unbound-host.c up to 1.1.1.9 external/bsd/unbound/dist/testcode/asynclook.c up to 1.1.1.7 external/bsd/unbound/dist/testcode/checklocks.h up to 1.1.1.4 external/bsd/unbound/dist/testcode/dohclient.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/doqclient.c up to 1.1.1.3 external/bsd/unbound/dist/testcode/mini_tdir.sh up to 1.1.1.6 external/bsd/unbound/dist/testcode/petal.c up to 1.1.1.9 external/bsd/unbound/dist/testcode/pktview.c up to 1.1.1.2 external/bsd/unbound/dist/testcode/replay.h up to 1.1.1.8 external/bsd/unbound/dist/testcode/streamtcp.c up to 1.1.1.10 external/bsd/unbound/dist/testcode/testpkts.c up to 1.1.1.11 external/bsd/unbound/dist/testcode/testpkts.h up to 1.1.1.6 external/bsd/unbound/dist/testcode/unitldns.c up to 1.1.1.6 external/bsd/unbound/dist/testcode/unitmain.c up to 1.1.1.11 external/bsd/unbound/dist/testcode/unitmsgparse.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/unitverify.c up to 1.1.1.9 external/bsd/unbound/dist/testcode/unitzonemd.c up to 1.1.1.4 external/bsd/unbound/dist/testdata/cachedb_expired.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_expired_client_timeout.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_expired_reply_ttl.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_subnet_change.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_val_expired.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_0ttlservfail.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_scrub_promiscuous.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/refuse_xfr.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/rrset_use_cached.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/serve_expired_0ttl_nodata.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_0ttl_nxdomain.rpl up to 1.1.1.4 
external/bsd/unbound/dist/testdata/serve_expired_0ttl_servfail.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_client_timeout.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_servfail.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_reply_ttl.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/serve_expired_ttl_client_timeout.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_ttl_reset.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_zerottl.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/subnet_global_prefetch_always_forward.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/subnet_global_prefetch_expired.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/test_ldnsrr.5 up to 1.1.1.5 external/bsd/unbound/dist/testdata/test_sigs.revoked up to 1.1.1.2 external/bsd/unbound/dist/testdata/val_ds_cname.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_nsec3_iter_high.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_nx_nsec3_collision.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_nx_nsec3_params.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/04-checkconf.tdir/good.all up to 1.1.1.3 external/bsd/unbound/dist/testdata/04-checkconf.tdir/good.ifport up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values.test up to 1.1.1.6 external/bsd/unbound/dist/util/alloc.c up to 1.1.1.6 external/bsd/unbound/dist/util/config_file.c up to 1.1.1.11 external/bsd/unbound/dist/util/config_file.h up to 1.1.1.11 external/bsd/unbound/dist/util/configlexer.c up to 1.1.1.11 external/bsd/unbound/dist/util/configlexer.lex up to 1.1.1.11 external/bsd/unbound/dist/util/configparser.c up to 1.1.1.11 external/bsd/unbound/dist/util/configparser.h up to 1.1.1.11 external/bsd/unbound/dist/util/configparser.y up to 1.1.1.11 
external/bsd/unbound/dist/util/fptr_wlist.c up to 1.1.1.10 external/bsd/unbound/dist/util/fptr_wlist.h up to 1.1.1.7 external/bsd/unbound/dist/util/iana_ports.inc up to 1.1.1.11 external/bsd/unbound/dist/util/locks.h up to 1.1.1.4 external/bsd/unbound/dist/util/log.c up to 1.1.1.9 external/bsd/unbound/dist/util/module.h up to 1.1.1.9 external/bsd/unbound/dist/util/net_help.c up to 1.1.1.11 external/bsd/unbound/dist/util/net_help.h up to 1.1.1.10 external/bsd/unbound/dist/util/netevent.c up to 1.9 external/bsd/unbound/dist/util/timehist.h up to 1.1.1.3 external/bsd/unbound/dist/util/data/msgencode.c up to 1.1.1.10 external/bsd/unbound/dist/util/data/msgencode.h up to 1.1.1.5 external/bsd/unbound/dist/util/data/msgparse.c up to 1.1.1.9 external/bsd/unbound/dist/util/data/msgparse.h up to 1.1.1.9 external/bsd/unbound/dist/util/data/msgreply.c up to 1.1.1.11 external/bsd/unbound/dist/util/data/msgreply.h up to 1.1.1.11 external/bsd/unbound/dist/util/data/packed_rrset.c up to 1.1.1.6 external/bsd/unbound/dist/util/data/packed_rrset.h up to 1.1.1.7 external/bsd/unbound/dist/util/shm_side/shm_main.c up to 1.1.1.6 external/bsd/unbound/dist/util/shm_side/shm_main.h up to 1.1.1.2 external/bsd/unbound/dist/validator/val_neg.c up to 1.1.1.8 external/bsd/unbound/dist/validator/val_nsec3.c up to 1.1.1.7 external/bsd/unbound/dist/validator/val_nsec3.h up to 1.1.1.6 external/bsd/unbound/dist/validator/val_sigcrypt.c up to 1.1.1.10 external/bsd/unbound/dist/validator/val_sigcrypt.h up to 1.1.1.6 external/bsd/unbound/dist/validator/val_utils.c up to 1.1.1.7 external/bsd/unbound/dist/validator/val_utils.h up to 1.1.1.7 external/bsd/unbound/dist/validator/validator.c up to 1.1.1.11 external/bsd/unbound/dist/winrc/win_svc.c up to 1.1.1.6 doc/3RDPARTY (manually edited) Import unbound 1.25.1 @ text @a0 325 diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 42a9262a3..cc6406a56 100644 --- a/sldns/keyraw.c 
+++ b/sldns/keyraw.c @@@@ -85,7 +85,7 @@@@ sldns_rr_dnskey_key_size_raw(const unsigned char* keydata, } break; #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: return 512; #endif #ifdef USE_ECDSA @@@@ -146,7 +146,7 @@@@ sldns_key_EVP_load_gost_id(void) if(gost_id) return gost_id; /* see if configuration loaded gost implementation from other engine*/ - meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); + meth = EVP_PKEY_asn1_find_str(NULL, "gost2012_256", -1); if(meth) { EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); return gost_id; @@@@ -170,7 +170,7 @@@@ sldns_key_EVP_load_gost_id(void) return 0; } - meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); + meth = EVP_PKEY_asn1_find_str(&e, "gost2012_256", -1); if(!meth) { /* algo not found */ ENGINE_finish(e); @@@@ -536,12 +536,17 @@@@ EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len) EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen) { - /* prefix header for X509 encoding */ - uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, - 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40}; - unsigned char encoded[37+64]; + /* prefix header for X509 encoding + * + * note: based on draft-makarenko-gost2012-dnssec-01 (pre-RFC9558 and it DOES work!) 
+ * ASN1 header described in RFC9558 is not suitable due to d2i_PUBKEY() works with + * non-compressed public keys (two additional bytes 0x04, 0x40 at the end of header) + */ + uint8_t asn[32] = { 0x30, 0x5e, 0x30, 0x17, 0x06, 0x08, 0x2a, 0x85, + 0x03, 0x07, 0x01, 0x01, 0x01, 0x01, 0x30, 0x0b, + 0x06, 0x09, 0x2a, 0x85, 0x03, 0x07, 0x01, 0x02, + 0x01, 0x01, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40 }; + unsigned char encoded[32+64]; const unsigned char* pp; if(keylen != 64) { /* key wrong size */ @@@@ -549,8 +554,8 @@@@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen) } /* create evp_key */ - memmove(encoded, asn, 37); - memmove(encoded+37, key, 64); + memmove(encoded, asn, 32); + memmove(encoded+32, key, 64); pp = (unsigned char*)&encoded[0]; return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded)); diff --git a/sldns/rrdef.h b/sldns/rrdef.h index bbc3d5b86..7d5f3c057 100644 --- a/sldns/rrdef.h +++ b/sldns/rrdef.h @@@@ -384,11 +384,12 @@@@ enum sldns_enum_algorithm LDNS_RSASHA1_NSEC3 = 7, LDNS_RSASHA256 = 8, /* RFC 5702 */ LDNS_RSASHA512 = 10, /* RFC 5702 */ - LDNS_ECC_GOST = 12, /* RFC 5933 */ + LDNS_ECC_GOST = 12, /* RFC 5933, deprecated */ LDNS_ECDSAP256SHA256 = 13, /* RFC 6605 */ LDNS_ECDSAP384SHA384 = 14, /* RFC 6605 */ LDNS_ED25519 = 15, /* RFC 8080 */ LDNS_ED448 = 16, /* RFC 8080 */ + LDNS_ECC_GOST12 = 23, /* RFC 9558 */ LDNS_INDIRECT = 252, LDNS_PRIVATEDNS = 253, LDNS_PRIVATEOID = 254 @@@@ -402,8 +403,9 @@@@ enum sldns_enum_hash { LDNS_SHA1 = 1, /* RFC 4034 */ LDNS_SHA256 = 2, /* RFC 4509 */ - LDNS_HASH_GOST = 3, /* RFC 5933 */ - LDNS_SHA384 = 4 /* RFC 6605 */ + LDNS_HASH_GOST = 3, /* RFC 5933, deprecated */ + LDNS_SHA384 = 4, /* RFC 6605 */ + LDNS_HASH_GOST12 = 5 /* RFC 9558 */ }; typedef enum sldns_enum_hash sldns_hash; diff --git a/sldns/wire2str.c b/sldns/wire2str.c index 75b8f37b0..b4c4755e6 100644 --- a/sldns/wire2str.c 
+++ b/sldns/wire2str.c @@@@ -45,11 +45,12 @@@@ static sldns_lookup_table sldns_algorithms_data[] = { { LDNS_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, { LDNS_RSASHA256, "RSASHA256"}, { LDNS_RSASHA512, "RSASHA512"}, - { LDNS_ECC_GOST, "ECC-GOST"}, + { LDNS_ECC_GOST, "ECC-GOST"}, /* deprecated */ { LDNS_ECDSAP256SHA256, "ECDSAP256SHA256"}, { LDNS_ECDSAP384SHA384, "ECDSAP384SHA384"}, { LDNS_ED25519, "ED25519"}, { LDNS_ED448, "ED448"}, + { LDNS_ECC_GOST12, "ECC-GOST12"}, { LDNS_INDIRECT, "INDIRECT" }, { LDNS_PRIVATEDNS, "PRIVATEDNS" }, { LDNS_PRIVATEOID, "PRIVATEOID" }, @@@@ -61,8 +62,9 @@@@ sldns_lookup_table* sldns_algorithms = sldns_algorithms_data; static sldns_lookup_table sldns_hashes_data[] = { { LDNS_SHA1, "SHA1" }, { LDNS_SHA256, "SHA256" }, - { LDNS_HASH_GOST, "HASH-GOST" }, + { LDNS_HASH_GOST, "HASH-GOST" }, /* deprecated */ { LDNS_SHA384, "SHA384" }, + { LDNS_HASH_GOST12, "HASH-GOST12" }, { 0, NULL } }; sldns_lookup_table* sldns_hashes = sldns_hashes_data; diff --git a/testcode/unitverify.c b/testcode/unitverify.c index fcf2e2ffe..4a33e9f6a 100644 --- a/testcode/unitverify.c +++ b/testcode/unitverify.c @@@@ -696,7 +696,7 @@@@ verify_test(void) #endif #ifdef USE_GOST if(sldns_key_EVP_load_gost_id()) - verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost", "20090807060504"); + verifytest_file(SRCDIRSTR "/testdata/test_sigs.gost12", "20251226060504"); else printf("Warning: skipped GOST, openssl does not provide gost.\n"); #endif #ifdef USE_ECDSA diff --git a/testdata/test_sigs.gost12 b/testdata/test_sigs.gost12 new file mode 100644 index 000000000..72a250cff --- /dev/null 
+++ b/testdata/test_sigs.gost12 @@@@ -0,0 +1,39 @@@@ +; Signature test file + +; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. +; later entries are verified with it. + +; Test GOST signatures using algo number 23. + +ENTRY_BEGIN +SECTION QUESTION +nlnetlabs.nl. IN DNSKEY +SECTION ANSWER +nlnetlabs.nl. 3600 IN DNSKEY 256 3 23 cdOtkEcb6NhcdOpIbPYtWyWxdlUiKgtKQbYg3lIjtG7i3fYjUID9zyOgoQEiV9wuGCfrw5cNsnvNw+8HiVFK4g== ;{id = 12301 (zsk), size = 512b} +ENTRY_END + +; entry to test +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN A +SECTION ANSWER +open.nlnetlabs.nl. 600 IN A 213.154.224.1 +open.nlnetlabs.nl. 600 IN RRSIG A 23 3 600 20260122084903 20251225084903 12301 nlnetlabs.nl. I12wYNs96DxMy26CWx296/sWMJAFg4nNXBo0sw7PnuMbJW5NFAmZYtFWhUdOWn4umaiodYOAmKG8Zg/OKvEtAQ== +ENTRY_END + +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN AAAA +SECTION ANSWER +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::1 +open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::53 +open.nlnetlabs.nl. 600 IN RRSIG AAAA 23 3 600 20260122084903 20251225084903 12301 nlnetlabs.nl. J0jHa+CP8HM6UDa2+uYgaze2mfpJTh2hkZ2KwMTYb5sfL6iBmxxql0c/403Itk4fMfYBMGn7zfzDQ+CxnCgSWw== +ENTRY_END + +ENTRY_BEGIN +SECTION QUESTION +open.nlnetlabs.nl. IN NSEC +SECTION ANSWER +open.nlnetlabs.nl. 86400 IN NSEC nlnetlabs.nl. A AAAA RRSIG NSEC +open.nlnetlabs.nl. 86400 IN RRSIG NSEC 23 3 86400 20260122084903 20251225084903 12301 nlnetlabs.nl. INCLYe9vAaNYaYx5Ay3Q6QdX+wPW9sMRvVlGt/jUEGgCi+88QlV80CT1oHrhRI66I14Wk6NRAGZRNx1tUPSHSg== +ENTRY_END diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index be8347b1b..4f621a309 100644 --- a/validator/val_secalgo.c 
+++ b/validator/val_secalgo.c @@@@ -246,10 +246,10 @@@@ ds_digest_size_supported(int algo) return SHA256_DIGEST_LENGTH; #endif #ifdef USE_GOST - case LDNS_HASH_GOST: + case LDNS_HASH_GOST12: /* we support GOST if it can be loaded */ (void)sldns_key_EVP_load_gost_id(); - if(EVP_get_digestbyname("md_gost94")) + if(EVP_get_digestbyname("md_gost12_256")) return 32; else return 0; #endif @@@@ -265,9 +265,9 @@@@ ds_digest_size_supported(int algo) #ifdef USE_GOST /** Perform GOST hash */ static int -do_gost94(unsigned char* data, size_t len, unsigned char* dest) +do_gost12(unsigned char* data, size_t len, unsigned char* dest) { - const EVP_MD* md = EVP_get_digestbyname("md_gost94"); + const EVP_MD* md = EVP_get_digestbyname("md_gost12_256"); if(!md) return 0; return sldns_digest_evp(data, (unsigned int)len, dest, md); @@@@ -302,8 +302,8 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return 1; #endif #ifdef USE_GOST - case LDNS_HASH_GOST: - if(do_gost94(buf, len, res)) + case LDNS_HASH_GOST12: + if(do_gost12(buf, len, res)) return 1; break; #endif @@@@ -384,7 +384,7 @@@@ dnskey_algo_id_is_supported(int id) #endif #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: /* we support GOST if it can be loaded */ return sldns_key_EVP_load_gost_id(); #endif @@@@ -612,17 +612,17 @@@@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, break; #ifdef USE_GOST - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: *evp_key = sldns_gost2pkey_raw(key, keylen); if(!*evp_key) { verbose(VERB_QUERY, "verify: " "sldns_gost2pkey_raw failed"); return 0; } - *digest_type = EVP_get_digestbyname("md_gost94"); + *digest_type = EVP_get_digestbyname("md_gost12_256"); if(!*digest_type) { verbose(VERB_QUERY, "verify: " - "EVP_getdigest md_gost94 failed"); + "EVP_getdigest md_gost12_256 failed"); return 0; } break; @@@@ -964,7 +964,7 @@@@ ds_digest_size_supported(int algo) return SHA384_LENGTH; #endif /* GOST not supported in NSS */ - case LDNS_HASH_GOST: + case 
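Review bot: In the OpenSSL `dnskey_algo_id_is_supported`, `case LDNS_ECC_GOST12:` reports support from `sldns_key_EVP_load_gost_id()` alone, while `setup_key_digest` additionally needs `EVP_get_digestbyname("md_gost12_256")` and returns 0 when that lookup fails. If a build or engine supplies the key method without the digest, algorithm 23 is announced as supported and then every verification fails, which probably turns such zones bogus instead of insecure; how callers treat the 0 is not visible here. `ds_digest_size_supported` already probes the digest by name, so the same check fits this case: `return sldns_key_EVP_load_gost_id() && EVP_get_digestbyname("md_gost12_256") != NULL;`. Both functions start and end outside their hunks.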
LDNS_HASH_GOST12: default: break; } return 0; @@@@ -991,7 +991,7 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) == SECSuccess; #endif - case LDNS_HASH_GOST: + case LDNS_HASH_GOST12: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); @@@@ -1031,7 +1031,7 @@@@ dnskey_algo_id_is_supported(int id) case LDNS_ECDSAP384SHA384: return PK11_TokenExists(CKM_ECDSA); #endif - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: return 0; } @@@@ -1352,7 +1352,7 @@@@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, /* no prefix for DSA verification */ break; #endif /* USE_ECDSA */ - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: verbose(VERB_QUERY, "verify: unknown algorithm %d", algo); @@@@ -1675,7 +1675,7 @@@@ ds_digest_size_supported(int algo) return SHA384_DIGEST_SIZE; #endif /* GOST not supported */ - case LDNS_HASH_GOST: + case LDNS_ECC_GOST12: default: break; } @@@@ -1700,7 +1700,7 @@@@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len, return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); #endif - case LDNS_HASH_GOST: + case LDNS_ECC_GOST12: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); @@@@ -1744,7 +1744,7 @@@@ dnskey_algo_id_is_supported(int id) return 1; #endif case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: return 0; } @@@@ -2103,7 +2103,7 @@@@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, return sec_status_secure; #endif case LDNS_RSAMD5: - case LDNS_ECC_GOST: + case LDNS_ECC_GOST12: default: *reason = "unable to verify signature, unknown algorithm"; return sec_status_bogus; @
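Review bot: The nettle `ds_digest_size_supported` (hunk at -1675) and `secalgo_ds_digest` (hunk at -1700) now carry `case LDNS_ECC_GOST12:`, which is the DNSKEY algorithm constant, inside switches over DS digest types; the NSS copies of the same two functions in this patch use `LDNS_HASH_GOST12`. Because the label sits directly above `default:` the outcome is unchanged, but it names the wrong enum and hides which digest type is being declined under the "GOST not supported" comment. Both labels should read `case LDNS_HASH_GOST12:`. The enclosing functions start and end outside the hunks.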