From 20ff1dcd090ee1ddb6df488d0285ef8fbcb147d4 Mon Sep 17 00:00:00 2001
From: Marek Vavrusa <mvavrusa@cloudflare.com>
Date: Wed, 15 Dec 2021 13:31:41 -0800
Subject: [PATCH] validate: ensure scan canonicalizes SecAlg and validation as
 well

The SecAlg variant must be canonicalized to be used in a `match {}`,
otherwise it's not going math the same algorithm numbers correctly
using PartialEq.
---
 src/base/iana/macros.rs |  8 +++++---
 src/validate.rs         | 13 ++++++++++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/base/iana/macros.rs b/src/base/iana/macros.rs
index 766edd217..8d690c194 100644
--- a/src/base/iana/macros.rs
+++ b/src/base/iana/macros.rs
@@ -360,9 +360,11 @@ macro_rules! int_enum_str_with_decimal {
                 scanner: &mut $crate::master::scan::Scanner<C>,
             ) -> Result<Self, $crate::master::scan::ScanError> {
                 scanner.scan_string_word(|word| {
-                    core::str::FromStr::from_str(&word).map_err(|_| {
-                        $crate::master::scan::SyntaxError::UnknownMnemonic
-                    })
+                    core::str::FromStr::from_str(&word)
+                        .map_err(|_| {
+                            $crate::master::scan::SyntaxError::UnknownMnemonic
+                        })
+                        .map($ianatype::from_int)
                 })
             }
         }
diff --git a/src/validate.rs b/src/validate.rs
index 26b9defa1..972e21dc7 100644
--- a/src/validate.rs
+++ b/src/validate.rs
@@ -209,12 +209,19 @@ impl<Octets: AsRef<[u8]>, Name: Compose> RrsigExt for Rrsig<Octets, Name> {
         let signature = self.signature().as_ref();
         let signed_data = signed_data.as_ref();
 
-        match self.algorithm() {
+        // Caller needs to ensure that the signature matches the key, but enforce the algorithm match
+        if self.algorithm() != dnskey.algorithm() {
+            return Err(AlgorithmError::InvalidData);
+        }
+
+        // Note: Canonicalize the algorithm, otherwise matching named variants against Int(_) is not going to work
+        let sec_alg = SecAlg::from_int(self.algorithm().to_int());
+        match sec_alg {
             SecAlg::RsaSha1
             | SecAlg::RsaSha1Nsec3Sha1
             | SecAlg::RsaSha256
             | SecAlg::RsaSha512 => {
-                let (algorithm, min_bytes) = match self.algorithm() {
+                let (algorithm, min_bytes) = match sec_alg {
                     SecAlg::RsaSha1 | SecAlg::RsaSha1Nsec3Sha1 => (
                         &signature::RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
                         1024 / 8,
@@ -240,7 +247,7 @@ impl<Octets: AsRef<[u8]>, Name: Compose> RrsigExt for Rrsig<Octets, Name> {
                     .map_err(|_| AlgorithmError::BadSig)
             }
             SecAlg::EcdsaP256Sha256 | SecAlg::EcdsaP384Sha384 => {
-                let algorithm = match self.algorithm() {
+                let algorithm = match sec_alg {
                     SecAlg::EcdsaP256Sha256 => {
                         &signature::ECDSA_P256_SHA256_FIXED
                     }