From: Wouter Wijngaards Date: Fri, 22 Jun 2012 15:20:56 +0000 (+0000) Subject: Test for ECC support for libNSS. X-Git-Tag: release-1.4.18rc1~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9ed797a22c527758cace8170e6e7939b9f898ac;p=thirdparty%2Funbound.git Test for ECC support for libNSS. git-svn-id: file:///svn/unbound/trunk@2700 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index ce1bbd1f5..5cf347f31 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -521,8 +521,11 @@ verify_test(void)
 	else printf("Warning: skipped GOST, openssl does not provide gost.\n");
 #endif
 #ifdef USE_ECDSA
-	verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
-	verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
+	/* test for support in case we use libNSS and ECC is removed */
+	if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
+		verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
+		verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
+	}
 	dstest_file("testdata/test_ds.sha384");
 #endif
 	dstest_file("testdata/test_ds.sha1");
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 8549c6165..5cd8cb704 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -623,11 +623,12 @@ dnskey_algo_id_is_supported(int id)
 #ifdef USE_SHA2
 	case LDNS_RSASHA512:
 #endif
+		return 1;
 #ifdef USE_ECDSA
 	case LDNS_ECDSAP256SHA256:
 	case LDNS_ECDSAP384SHA384:
+		return PK11_TokenExists(CKM_ECDSA);
 #endif
-		return 1;
 	case LDNS_ECC_GOST:
 	default:
 		return 0;
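Review bot: When dnskey_algo_id_is_supported() reports ECDSA as unavailable, the two verifytest_file() calls are skipped silently, whereas the GOST branch just above prints `Warning: skipped GOST, ...` so a reduced test run is visible in the output. Add the matching branch after the closing brace: `else printf("Warning: skipped ECDSA, libNSS does not provide ECC.\n");`. The guard also asks only about LDNS_ECDSAP256SHA256 while the p384 file runs under it as well; that holds as long as support is decided per mechanism rather than per curve, but checking LDNS_ECDSAP384SHA384 too would make the test self-describing. verify_test's body continues outside the hunk.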
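Review bot: PK11_TokenExists(CKM_ECDSA) answers whether some NSS token offers the ECDSA mechanism at all, and that single answer is returned for both LDNS_ECDSAP256SHA256 and LDNS_ECDSAP384SHA384, so the probe cannot express partial curve support; a comment such as `/* coarse probe: a token with CKM_ECDSA is taken to support both P-256 and P-384 */` above the return would document that. PK11_TokenExists yields a PRBool, which fits the int contract here since PR_TRUE is 1, but it walks the slot list on every call, so if this function sits on the per-signature path (the callers are not visible from the hunk) caching the answer may be worthwhile. The function's switch begins before the hunk.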
@@ -848,8 +849,10 @@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
 	unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; /* from RFC6234 */
+	/* for future RSASHA384 ..
 	unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
+	*/
 	switch(algo) { case LDNS_DSA:
@@ -1031,11 +1034,16 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 	}
 	err = PORT_GetError();
 	if(err != SEC_ERROR_BAD_SIGNATURE) {
-		/* failed to verify, but other errors are commonly returned
-		 * for a bad signature from NSS. Thus we return bogus,
-		 * not unchecked*/
+		/* failed to verify */
 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", PORT_ErrorToString(err));
+		/* if it is not supported, like ECC is removed, we get,
+		 * SEC_ERROR_NO_MODULE */
+		if(err == SEC_ERROR_NO_MODULE)
+			return sec_status_unchecked;
+		/* but other errors are commonly returned
+		 * for a bad signature from NSS. Thus we return bogus,
+		 * not unchecked */
 		*reason = "signature crypto failed";
 		return sec_status_bogus;
 	}
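Review bot: The p_sha384 table is kept as commented-out code rather than removed, and because C block comments do not nest, anyone who later restores the `/* from RFC6234 */` remark that the p_sha512 line carries would close the comment early and break the build. The comment itself labels the array as for a future algorithm, so drop it and let version control keep it, or if it must stay, fence it with `#if 0` / `#endif` instead. nss_setup_key_digest continues beyond the hunk.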
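Review bot: The new SEC_ERROR_NO_MODULE branch turns a PK11_Verify failure into sec_status_unchecked, which is the right direction for a mechanism that was never loaded, but it also withdraws the previous bogus verdict for any signature that provokes that error, so it relies on NSS never reporting NO_MODULE for malformed input rather than for a missing mechanism. The branch deserves a line that records which algorithm reached it, e.g. `verbose(VERB_ALGO, "verify: algorithm %d not available in NSS, result unchecked", algo);` before the return, since the VERB_QUERY message above only shows the NSS error text. Given that dnskey_algo_id_is_supported() is meant to exclude such algorithms earlier, reaching this point suggests the support probe and the verify path disagree, and a comment stating that expectation would help the next reader. verify_canonrrset starts and ends outside the hunk.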