From: Kees Monshouwer
Date: Fri, 18 Mar 2016 12:31:38 +0000 (+0100)
Subject: remove unnecessary botan signers
X-Git-Tag: dnsdist-1.0.0-beta1~78^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F3596%2Fhead;p=thirdparty%2Fpdns.git
remove unnecessary botan signers
---
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index b2ab32b468..15ccfbd279 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -210,7 +210,7 @@ pdns_server_LDADD = \
 $(OPENSSL_LIBS)
 if BOTAN110
-pdns_server_SOURCES += botan110signers.cc botansigners.cc
+pdns_server_SOURCES += botan110signers.cc
 pdns_server_LDADD += $(BOTAN110_LIBS)
 endif
@@ -301,7 +301,7 @@ pdnsutil_LDADD = \
 $(OPENSSL_LIBS)
 if BOTAN110
-pdnsutil_SOURCES += botan110signers.cc botansigners.cc
+pdnsutil_SOURCES += botan110signers.cc
 pdnsutil_LDADD += $(BOTAN110_LIBS)
 endif
@@ -663,7 +663,7 @@ toysdig_LDADD += $(GSS_LIBS)
 endif
 if BOTAN110
-toysdig_SOURCES += botan110signers.cc botansigners.cc
+toysdig_SOURCES += botan110signers.cc
 toysdig_LDADD += $(BOTAN110_LIBS)
 endif
diff --git a/pdns/botan110signers.cc b/pdns/botan110signers.cc
index 9c3ecbe78f..3f4535d6b0 100644
--- a/pdns/botan110signers.cc
+++ b/pdns/botan110signers.cc
@@ -1,15 +1,9 @@
-// utf-8 UTF-8 utf8 UTF8
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 #include
-#include
 #include
 #include
-#include
-#include
-#include
-#include
 #include "dnssecinfra.hh"
 using namespace Botan;
@@ -251,194 +245,16 @@ bool GOSTDNSCryptoKeyEngine::verify(const std::string& message, const std::strin
 //////////////////////////////
-class ECDSADNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
- explicit ECDSADNSCryptoKeyEngine(unsigned int algo) : DNSCryptoKeyEngine(algo)
- {}
-
- ~ECDSADNSCryptoKeyEngine() {}
- // XXX FIXME NEEDS DEEP COPY CONSTRUCTOR SO WE DON'T SHARE KEYS
- string getName() const { return "Botan 1.10 ECDSA"; }
- void create(unsigned int bits);
- storvector_t convertToISCVector() const;
- std::string getPubKeyHash() const;
- std::string sign(const std::string& hash) const;
- std::string hash(const std::string& hash) const;
- bool verify(const std::string& hash, const std::string& signature) const;
- std::string getPublicKeyString() const;
- int getBits() const;
- void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap);
- void fromPublicKeyString(const std::string& content);
- void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
- {}
-
- static DNSCryptoKeyEngine* maker(unsigned int algorithm)
- {
- return new ECDSADNSCryptoKeyEngine(algorithm);
- }
-
-private:
- static EC_Domain_Params getECParams(unsigned int algorithm);
- shared_ptr d_key;
- shared_ptr d_pubkey;
-};
-
-EC_Domain_Params ECDSADNSCryptoKeyEngine::getECParams(unsigned int algorithm)
-{
- if(algorithm==13)
- return EC_Domain_Params("1.2.840.10045.3.1.7");
- else if(algorithm == 14)
- return EC_Domain_Params("1.3.132.0.34");
- else
- throw runtime_error("Requested for unknown EC domain parameters for algorithm "+to_string(algorithm));
-}
-
-void ECDSADNSCryptoKeyEngine::create(unsigned int bits)
-{
- AutoSeeded_RNG rng;
- EC_Domain_Params params;
- if(bits==256) {
- params = getECParams(13);
- }
- else if(bits == 384){
- params = getECParams(14);
- }
- else {
- throw runtime_error("Unknown key length of "+to_string(bits)+" bits requested from ECDSA class");
- }
- d_key = shared_ptr(new ECDSA_PrivateKey(rng, params));
-}
-
-int ECDSADNSCryptoKeyEngine::getBits() const
-{
- if(d_algorithm == 13)
- return 256;
- else if(d_algorithm == 14)
- return 384;
- return -1;
-}
-
-DNSCryptoKeyEngine::storvector_t ECDSADNSCryptoKeyEngine::convertToISCVector() const
-{
- /* Algorithm: 13 (ECDSAP256SHA256)
- PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ= */
- storvector_t storvect;
-
- string algorithm;
- if(getBits()==256)
- algorithm = "13 (ECDSAP256SHA256)";
- else if(getBits()==384)
- algorithm ="14 (ECDSAP384SHA384)";
- else
- algorithm =" ? (?)";
- storvect.push_back(make_pair("Algorithm", algorithm));
-
- const BigInt&x = d_key->private_value();
- SecureVector buffer=BigInt::encode(x);
- storvect.push_back(make_pair("PrivateKey", string((char*)&*buffer.begin(), (char*)&*buffer.end())));
-
- return storvect;
-}
-
-void ECDSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap)
-{
- /*Private-key-format: v1.2
- Algorithm: 13 (ECDSAP256SHA256)
- PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ= */
-
- drc.d_algorithm = pdns_stou(stormap["algorithm"]);
- if(drc.d_algorithm != d_algorithm)
- throw runtime_error("Tried to feed an algorithm "+to_string(drc.d_algorithm)+" to a "+to_string(d_algorithm)+" key!");
- string privateKey=stormap["privatekey"];
-
- BigInt bigint((byte*)privateKey.c_str(), privateKey.length());
- EC_Domain_Params params=getECParams(d_algorithm);
- AutoSeeded_RNG rng;
-
- d_key=shared_ptr(new ECDSA_PrivateKey(rng, params, bigint));
-}
-
-std::string ECDSADNSCryptoKeyEngine::getPubKeyHash() const
-{
- const BigInt&x = d_key->private_value(); // um, this is not the 'pubkeyhash', ahu
- SecureVector buffer=BigInt::encode(x);
- return string((const char*)buffer.begin(), (const char*)buffer.end());
-}
-
-std::string ECDSADNSCryptoKeyEngine::getPublicKeyString() const
-{
- const BigInt&x =d_key->public_point().get_affine_x();
- const BigInt&y =d_key->public_point().get_affine_y();
-
- size_t part_size = std::max(x.bytes(), y.bytes());
- MemoryVector bits(2*part_size);
-
- x.binary_encode(&bits[part_size - x.bytes()]);
- y.binary_encode(&bits[2*part_size - y.bytes()]);
- return string((const char*)bits.begin(), (const char*)bits.end());
-}
-
-void ECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string&input)
-{
- BigInt x, y;
-
- x.binary_decode((const byte*)input.c_str(), input.length()/2);
- y.binary_decode((const byte*)input.c_str() + input.length()/2, input.length()/2);
-
- EC_Domain_Params params=getECParams(d_algorithm);
- PointGFp point(params.get_curve(), x,y);
- d_pubkey = shared_ptr(new ECDSA_PublicKey(params, point));
- d_key.reset();
-}
-
-
-std::string ECDSADNSCryptoKeyEngine::sign(const std::string& msg) const
-{
- string hash = this->hash(msg);
- ECDSA_Signature_Operation ops(*d_key);
- AutoSeeded_RNG rng;
- SecureVector signature=ops.sign((byte*)hash.c_str(), hash.length(), rng);
-
- return string((const char*)signature.begin(), (const char*) signature.end());
-}
-
-std::string ECDSADNSCryptoKeyEngine::hash(const std::string& orig) const
-{
- SecureVector result;
- if(getBits() == 256) { // SHA256
- SHA_256 hasher;
- result= hasher.process(orig);
- }
- else { // SHA384
- SHA_384 hasher;
- result = hasher.process(orig);
- }
-
- return string((const char*)result.begin(), (const char*) result.end());
-}
-
-bool ECDSADNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
- string hash = this->hash(msg);
- ECDSA_PublicKey* key;
- if(d_key)
- key = d_key.get();
- else
- key = d_pubkey.get();
- ECDSA_Verification_Operation ops(*key);
- return ops.verify ((byte*)hash.c_str(), hash.length(), (byte*)signature.c_str(), signature.length());
-}
-
 namespace {
 struct LoaderStruct
 {
 LoaderStruct()
 {
- // 'botansigners' inits Botan for us
+ new Botan::LibraryInitializer("thread_safe=true");
+ // this leaks, but is fine
+ Botan::global_state().set_default_allocator("malloc"); // the other Botan allocator slows down for us
+
 DNSCryptoKeyEngine::report(12, &GOSTDNSCryptoKeyEngine::maker);
- DNSCryptoKeyEngine::report(13, &ECDSADNSCryptoKeyEngine::maker, true);
- DNSCryptoKeyEngine::report(14, &ECDSADNSCryptoKeyEngine::maker, true);
 }
-} loaderBotan19;
+} loaderBotan110;
 }
diff --git a/pdns/botansigners.cc b/pdns/botansigners.cc
deleted file mode 100644
index f637a85572..0000000000
--- a/pdns/botansigners.cc
+++ /dev/null
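Review bot: The comments on the two initialisation lines added to the `LoaderStruct` constructor give only the performance reason, so the security trade-off of `set_default_allocator("malloc")` goes unrecorded: as far as I recall, Botan 1.10 defaults to its page-locking allocator where mlock is available, and after this call the GOST private-key buffers held in `SecureVector` would presumably sit in ordinary swappable heap memory. I would extend the comment to something like `// "malloc" is faster than Botan's locking allocator, but key material is then not mlock()ed and may reach swap`. The deliberate leak of `new Botan::LibraryInitializer("thread_safe=true")` also deserves its reason next to it, e.g. `// never destroyed on purpose: Botan must stay initialised until process exit`, if that is the intent. Separately, the hunk drops `report(13, ...)` and `report(14, ...)` and nothing visible here shows which engine still registers ECDSA in a BOTAN110 build; presumably the OpenSSL signers do, which is worth confirming before merge.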
@@ -1,271 +0,0 @@
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "dnssecinfra.hh"
-#include
-
-using namespace Botan;
-
-class BotanRSADNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
- explicit BotanRSADNSCryptoKeyEngine(unsigned int algo) : DNSCryptoKeyEngine(algo)
- {
- // cerr<<"Called"< d_key;
- shared_ptr d_pubkey;
-};
-
-void BotanRSADNSCryptoKeyEngine::create(unsigned int bits)
-{
- AutoSeeded_RNG rng;
- d_key = shared_ptr(new RSA_PrivateKey(rng, bits));
-}
-
-int BotanRSADNSCryptoKeyEngine::getBits() const
-{
- return d_key->max_input_bits() + 1;
-}
-
-namespace {
-string asRaw(const BigInt& x)
-{
- SecureVector buffer=BigInt::encode(x);
- return string((const char*)&*buffer.begin(), (const char*)&*buffer.end());
-}
-
-BigInt fromRaw(const std::string& raw)
-{
- if(raw.empty())
- throw runtime_error("Unable to decode empty value");
- return BigInt::decode((byte*)raw.c_str(), raw.length());
-}
-}
-
-DNSCryptoKeyEngine::storvector_t BotanRSADNSCryptoKeyEngine::convertToISCVector() const
-{
- storvector_t storvect;
- string algorithm = std::to_string(d_algorithm);
- if(d_algorithm == 5 || d_algorithm ==7 )
- algorithm += " (RSASHA1)";
- else if(d_algorithm == 8)
- algorithm += " (RSASHA256)";
- else if(d_algorithm == 10)
- algorithm += " (RSASHA512)";
- else
- algorithm += " (?)";
- storvect.push_back(make_pair("Algorithm", algorithm));
- storvect.push_back(make_pair("Modulus", asRaw(d_key->get_n())));
- storvect.push_back(make_pair("PublicExponent",asRaw(d_key->get_e())));
- storvect.push_back(make_pair("PrivateExponent",asRaw(d_key->get_d())));
- storvect.push_back(make_pair("Prime1",asRaw(d_key->get_p())));
- storvect.push_back(make_pair("Prime2",asRaw(d_key->get_q())));
-
-#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,9,0)
- BigInt d1 = d_key->get_d() % (d_key->get_p() - 1);
- BigInt d2 = d_key->get_d() % (d_key->get_q() - 1);
- BigInt c = inverse_mod(d_key->get_q(), d_key->get_p());
-#else
- BigInt d1 = d_key->get_d1();
- BigInt d2 = d_key->get_d2();
- BigInt c = d_key->get_c();
-#endif
- storvect.push_back(make_pair("Exponent1", asRaw(d1)));
- storvect.push_back(make_pair("Exponent2", asRaw(d2)));
- storvect.push_back(make_pair("Coefficient", asRaw(c)));
- return storvect;
-}
-
-void BotanRSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap )
-{
- // wants p (Prime1), q (Prime2), d (PrivateExponent), e (PublicExponent) & n Modulus
- BigInt n, e, d, p, q;
-
- p=fromRaw(stormap["prime1"]);
- q=fromRaw(stormap["prime2"]);
- d=fromRaw(stormap["privateexponent"]);
- e=fromRaw(stormap["publicexponent"]);
- n=fromRaw(stormap["modulus"]);
-
- drc.d_algorithm = pdns_stou(stormap["algorithm"]);
- if(drc.d_algorithm != d_algorithm)
- throw runtime_error("Unpossible, loaded a key from storage with wrong algorithm!");
-
- AutoSeeded_RNG rng;
- d_key = shared_ptr(new RSA_PrivateKey(rng, p, q, e, d, n)); // this calculates d1, d2 & other stuff, plus does load checks..
-
- d_pubkey.reset();
-}
-
-std::string BotanRSADNSCryptoKeyEngine::getPubKeyHash() const
-{
- const BigInt& n = d_key->get_n();
- const BigInt& e = d_key->get_e();
- SecureVector buffer=BigInt::encode(n);
-
- SHA_160 hasher;
- hasher.update(buffer);
- buffer=BigInt::encode(e);
- hasher.update(buffer);
- SecureVector hash=hasher.final();
- return string((const char*)hash.begin(), (const char*)hash.end());
-}
-
-std::string BotanRSADNSCryptoKeyEngine::getPublicKeyString() const
-{
- MemoryVector bits = BigInt::encode(d_key->get_e());
- string exponent(&*bits.begin(), &*bits.end());
- bits = BigInt::encode(d_key->get_n());
- string modulus(&*bits.begin(), &*bits.end());
-
- string keystring;
- if(exponent.length() < 255)
- keystring.assign(1, (char) (unsigned int) exponent.length());
- else {
- keystring.assign(1, 0);
- uint16_t len=htons(exponent.length());
- keystring.append((char*)&len, 2);
- }
- keystring.append(exponent);
- keystring.append(modulus);
- return keystring;
-}
-
-void BotanRSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& rawString)
-{
- string exponent, modulus;
- const unsigned char* raw = (const unsigned char*)rawString.c_str();
-
- if(raw[0] != 0) {
- exponent=rawString.substr(1, raw[0]);
- modulus=rawString.substr(raw[0]+1);
- } else {
- exponent=rawString.substr(3, raw[1]*0xff + raw[2]);
- modulus = rawString.substr(3+ raw[1]*0xff + raw[2]);
- }
- BigInt e = BigInt::decode((const byte*)exponent.c_str(), exponent.length());
- BigInt n = BigInt::decode((const byte*)modulus.c_str(), modulus.length());
-
- d_pubkey = shared_ptr(new RSA_PublicKey(n, e));
- d_key.reset();
-}
-
-std::string BotanRSADNSCryptoKeyEngine::sign(const std::string& msg) const
-{
-#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,9,0)
- EMSA* emsaptr;
- if(d_algorithm == 5 || d_algorithm ==7)
- emsaptr=new EMSA3(new SHA_160);
- else if(d_algorithm==8)
- emsaptr=new EMSA3(new SHA_256);
- else
- emsaptr=new EMSA3(new SHA_512);
- PK_Signer pks(*d_key, emsaptr);
-#else
- string emsa;
- if(d_algorithm == 5 || d_algorithm ==7)
- emsa="EMSA3(SHA-160)";
- else if(d_algorithm==8)
- emsa="EMSA3(SHA-256)";
- else
- emsa="EMSA3(SHA-512)";
- PK_Signer pks(*d_key, emsa);
-#endif
-
- AutoSeeded_RNG rng;
- SecureVector signature= pks.sign_message((byte*)msg.c_str(), msg.length(), rng);
- return string((const char*)signature.begin(), (const char*) signature.end());
-}
-
-std::string BotanRSADNSCryptoKeyEngine::hash(const std::string& orig) const
-{
- SecureVector result;
- if(d_algorithm == 5 || d_algorithm ==7 ) { // SHA160
- SHA_160 hasher;
- result= hasher.process(orig);
- }
- if(d_algorithm == 8) { // SHA256
- SHA_256 hasher;
- result= hasher.process(orig);
- }
- else if(d_algorithm==10) { // SHA512
- SHA_512 hasher;
- result = hasher.process(orig);
- }
-
- return string((const char*)result.begin(), (const char*) result.end());
-}
-
-
-bool BotanRSADNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
- RSA_PublicKey* key = d_key ? d_key.get() : d_pubkey.get();
-
- string emsa;
-
- if(d_algorithm == 5 || d_algorithm ==7)
- emsa = "EMSA3(SHA-1)";
- else if(d_algorithm==8)
- emsa = "EMSA3(SHA-256)";
- else
- emsa = "EMSA3(SHA-512)";
-
-#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,9,0)
- std::auto_ptr ver(get_pk_verifier(*key, emsa));
- return ver->verify_message((byte*)msg.c_str(), msg.length(), (byte*)signature.c_str(), signature.length());
-#else
- PK_Verifier pkv(*key, emsa);
- return pkv.verify_message((byte*)msg.c_str(), msg.length(), (byte*)signature.c_str(), signature.length());
-#endif
-}
-
-namespace {
-struct LoaderBotanStruct
-{
- LoaderBotanStruct()
- {
- new Botan::LibraryInitializer("thread_safe=true");
- // this leaks, but is fine
- Botan::global_state().set_default_allocator("malloc"); // the other Botan allocator slows down for us
-
- DNSCryptoKeyEngine::report(5, &BotanRSADNSCryptoKeyEngine::maker);
- DNSCryptoKeyEngine::report(7, &BotanRSADNSCryptoKeyEngine::maker);
- DNSCryptoKeyEngine::report(8, &BotanRSADNSCryptoKeyEngine::maker);
- DNSCryptoKeyEngine::report(10, &BotanRSADNSCryptoKeyEngine::maker);
- }
-} loaderBotan;
-}
-
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 7b249c9105..24a64b7bdd 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -34,7 +34,7 @@ endif
 EXTRA_DIST = \
 NOTICE \
 .version \
- botan110signers.cc botansigners.cc \
+ botan110signers.cc \
 build-aux/gen-version \
 contrib/* \
 devpollmplexer.cc \
@@ -138,8 +138,7 @@ pdns_recursor_LDFLAGS = $(AM_LDFLAGS) \
 if BOTAN110
 pdns_recursor_SOURCES += \
- botan110signers.cc \
- botansigners.cc
+ botan110signers.cc
 pdns_recursor_LDADD += $(BOTAN110_LIBS)
 endif