chroot dir.
- documented 'gcc: unrecognized -KPIC option' errors on Solaris.
- example.conf values changed to /usr/local/etc/unbound
+ - DSA test work.
14 April 2008: Wouter
- got update for parseunbound.pl statistics script from Kai Storbeck.
{
printf("verify test\n");
verifytest_file("testdata/test_signatures.1", "20070818005004");
+ log_info("test_signatures.2");
verifytest_file("testdata/test_signatures.2", "20080414005004");
+ log_info("test_signatures.3");
+ verifytest_file("testdata/test_signatures.3", "20080416005004");
+ /*
+ log_info("test_signatures.4");
+ verifytest_file("testdata/test_signatures.4", "20080416005004");
+ log_info("test_signatures.5");
+ verifytest_file("testdata/test_signatures.5", "20080416005004");
+ log_info("test_signatures.6");
+ verifytest_file("testdata/test_signatures.6", "20080416005004");
+ */
dstest_file("testdata/test_ds_sig.1");
nsectest();
nsec3_hash_test("testdata/test_nsec3_hash.1");
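Review bot: The block comment added at lines 14-21 leaves the test_signatures.4-6 cases as dead code with no indication of why they are disabled, while this commit appears to add their fixture files (the four `--- /dev/null` sections below). If those cases are pending, a one-line comment such as `/* test_signatures.4-6: not yet passing, see Changelog "DSA test work" */` above the block tells the next reader whether to fix or delete them, and a failing-fixture comment is preferable to commented-out calls that silently shrink the verifier's test coverage. The added `log_info` calls also mix the daemon logger with the test's `printf` output; since `verifytest_file` already receives the file name, these look like temporary debugging lines that can be dropped once the cases pass.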
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; created test keys with bind tools:
+; dnssec-keygen 9.4.2: /usr/sbin/dnssec-keygen -a DSA -b 512 -n ZONE nlnetlabs.nl
+; Knlnetlabs.nl.+003+03510
+
+; private key file:
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): 4nziv5P4tsXwaf71EoyKFoLzFq0/wN5fb6yb8IY5uwmVh5hvO0M4lR8LAjwimCIo3SYEdCnUPkl8WbJYHkRm9w==
+; Subprime(q): 3ueDKL3Jc2Ue1G/ZCfhwMEyR4v0=
+; Base(g): Ji9iYukmprX5qXO7V0MALKCTsfvz3kef2TsZdpM/VdetDK53OwKE1NRTMU6PSPGyumedOrkSD2BLa7CT1dJRJQ==
+; Private_value(x): wlEfaVwW10q6Re/ZOBL9PLJJb20=
+; Public_value(y): cHuTGyrkbj5QVkgmFm3KEpLnb5c7jH6tapeU5ugEIJiacbroPhfz/9vPw8tkZedBGImuYPSohRPfHIQPMxfxAg==
+
+
+; DSA key from bind tool 9.4.2
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. IN DNSKEY 256 3 3 AN7ngyi9yXNlHtRv2Qn4cDBMkeL94nziv5P4tsXwaf71EoyKFoLzFq0/ wN5fb6yb8IY5uwmVh5hvO0M4lR8LAjwimCIo3SYEdCnUPkl8WbJYHkRm 9yYvYmLpJqa1+alzu1dDACygk7H7895Hn9k7GXaTP1XXrQyudzsChNTU UzFOj0jxsrpnnTq5Eg9gS2uwk9XSUSVwe5MbKuRuPlBWSCYWbcoSkudv lzuMfq1ql5Tm6AQgmJpxuug+F/P/28/Dy2Rl50EYia5g9KiFE98chA8z F/EC
+ENTRY_END
+
+; entry to test
+; from
+; /usr/sbin/dnssec-signzone nlnetlabs.nl
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 RRSIG SOA 3 2 10200 20080515132632 ( 20080415132632 3510 nlnetlabs.nl. ACYwIl9GQofKJ2xdgx1YelKbtmLrWRl8f+eC ToRnfyQ+gvdUIX3mTTw= )
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 RRSIG NS 3 2 10200 20080515132632 ( 20080415132632 3510 nlnetlabs.nl. AEYy9ZN3KEDHybhZbL3PoR71jMQuufKM1lej +obA6uL6CjYQAPrL9tk= )
+ENTRY_END
+
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; dnssec-keygen 9.4.2: /usr/sbin/dnssec-keygen -a DSA -b 768 -n ZONE nlnetlabs.nl
+; Knlnetlabs.nl.+003+03793
+
+; private key file
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): lHKDKRMhV1yBk/gXk3IL29jkPwWwOqEskebo/hC0ieobdQkeuf9B3AgzCdn2hQOWVGoIMWyxChhqHVLwnQzUGY/uAhTZgSXBG47eHZC+Pj1hgX9tkB+9kzoK5jKhstR9
+; Subprime(q): 6u+5FI/H5WmwyTPWB5K0LjegVb0=
+; Base(g): hWj33Fnu7b9vhIriw6nXnJKpeus9pffjSaKzVJBNnlWTMXbo3+w3rObnJlbkVLfRsY4F8boWn1EbUUHCaRIW3bsqziE739S8HBJDDwxYx85n0xRqkg0djWoCG2e4uv4o
+; Private_value(x): xSLjPW1PE6twDgObqfkUk6EXO+g=
+; Public_value(y): ORFJhDQMHGQNdWXlh05vAJJ8Fqm6u+72qsIY2pnSgWL7vQIL6sKKJL14oIVJbsZW9FIjQCFpqe19leUdzUDQa9AxB8WSRAzmh4S6tWkmbAGpUjoAUJSLtqV1NgvH8ESg
+
+
+; DSA key from bind tool 9.4.2
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. IN DNSKEY 256 3 3 BOrvuRSPx+VpsMkz1geStC43oFW9lHKDKRMhV1yBk/gXk3IL29jkPwWw OqEskebo/hC0ieobdQkeuf9B3AgzCdn2hQOWVGoIMWyxChhqHVLwnQzU GY/uAhTZgSXBG47eHZC+Pj1hgX9tkB+9kzoK5jKhstR9hWj33Fnu7b9v hIriw6nXnJKpeus9pffjSaKzVJBNnlWTMXbo3+w3rObnJlbkVLfRsY4F 8boWn1EbUUHCaRIW3bsqziE739S8HBJDDwxYx85n0xRqkg0djWoCG2e4 uv4oORFJhDQMHGQNdWXlh05vAJJ8Fqm6u+72qsIY2pnSgWL7vQIL6sKK JL14oIVJbsZW9FIjQCFpqe19leUdzUDQa9AxB8WSRAzmh4S6tWkmbAGp UjoAUJSLtqV1NgvH8ESg
+ENTRY_END
+
+; entry to test
+; from
+; /usr/sbin/dnssec-signzone nlnetlabs.nl
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 RRSIG SOA 3 2 10200 20080515133546 ( 20080415133546 3793 nlnetlabs.nl. BHMt1eWN8HzfFOqrqL1PrsED43JVCrybDYL1 GJXymKlkWRAjar0wT6o= )
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 RRSIG NS 3 2 10200 20080515133546 ( 20080415133546 3793 nlnetlabs.nl. BJZaThgkBaF3k6t2q+tr0ngKcF2EntSOn9gX Ut9Xipj3CdioZl8b0cY= )
+ENTRY_END
+
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
+; ./ldns-keygen -a DSAMD5 -b 512 nlnetlabs.nl
+; Knlnetlabs.nl.+003+16467
+
+; nlnetlabs.nl. 3600 IN DS 16467 3 1 fd67ce8624a0ffd16fa77e132551355f39d38b80
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLRw==
+; Subprime(q): 6/5A4SgUoay9q6XCMhEBkbCZ8/s=
+; Base(g): rxqQtIKg4IM/Krp6/thbc6fPKvsbNnACZk4SouhQR+Khx2sp+VuXuuZ38IfUoD77GL4eEWBe0M6DH2huG/9wQA==
+; Private_value(x): n8FhvxOt6xy5d3S9A3RulEHYrw0=
+; Public_value(y): pLcgTYyGMcYD1JTEibEbvZaLRNc8S1sYKTR2DG4zf3PZtzqpFMrph8sNdnfy7K3EH30WgxS7yibZrrgUNZ5oUA==
+
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 AOv+QOEoFKGsvaulwjIRAZGwmfP7uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLR68akLSCoOCDPyq6ev7YW3Onzyr7GzZwAmZOEqLoUEfiocdrKflbl7rmd/CH1KA++xi+HhFgXtDOgx9obhv/cECktyBNjIYxxgPUlMSJsRu9lotE1zxLWxgpNHYMbjN/c9m3OqkUyumHyw12d/LsrcQffRaDFLvKJtmuuBQ1nmg= ;{id = 16467 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+; from
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+16467
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MCwCFDnsiLNKQoJXnHNrz6aWN+6lA/nSAhQWmlSk9TF84ab1Sm6k9gRZVR5eKg== ;{id = 16467}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MC4CFQCZ2AIkBczph4rI+EPSWsNT54Y5+gIVAJ4UxEbgD0FKNRFNHQ7SBy0g0lHz ;{id = 16467}
+ENTRY_END
+
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
+; ./ldns-keygen -a DSAMD5 -b 768 nlnetlabs.nl
+; Knlnetlabs.nl.+003+46572
+
+; nlnetlabs.nl. 3600 IN DS 46572 3 1 f4d76788032fe53f69021e408df2d99688e1804a
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): 5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnH
+; Subprime(q): 2Hc5Scs3iApxThBkQi13NpogZec=
+; Base(g): ugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npN
+; Private_value(x): x4jMbAt0XBIqZMMQpL3EphYPbNQ=
+; Public_value(y): g+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNsv
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 BNh3OUnLN4gKcU4QZEItdzaaIGXn5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnHugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npNg+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNs= ;{id = 46572 (zsk), size = 768b}
+ENTRY_END
+
+; entry to test
+; from
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+46572
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MCwCFFiVJdL2mGM2mhHDqjdwfmujIPUQAhRGJm4G+6c+CEr80iC4cIRLbkAjtA== ;{id = 46572}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MC0CFHGST66bXko/skkeP0A7SQb4u6tGAhUAu6VeC40sFUN5WOFfIjyQQoK/wv4= ;{id = 46572}
+ENTRY_END
+
switch(algo) {
case LDNS_DSA:
case LDNS_DSA_NSEC3:
- EVP_PKEY_assign_DSA(evp_key,
- ldns_key_buf2dsa_raw(key, keylen));
+ if(EVP_PKEY_assign_DSA(evp_key,
+ ldns_key_buf2dsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_DSA failed");
+ return 0;
+ }
*digest_type = EVP_dss1();
break;
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
- EVP_PKEY_assign_RSA(evp_key,
- ldns_key_buf2rsa_raw(key, keylen));
+ if(EVP_PKEY_assign_RSA(evp_key,
+ ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA SHA1 failed");
+ return 0;
+ }
*digest_type = EVP_sha1();
break;
case LDNS_RSAMD5:
- EVP_PKEY_assign_RSA(evp_key,
- ldns_key_buf2rsa_raw(key, keylen));
+ if(EVP_PKEY_assign_RSA(evp_key,
+ ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA MD5 failed");
+ return 0;
+ }
*digest_type = EVP_md5();
break;
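Review bot: In each of the three new checks (lines 224-229, 236-241, 247-252) the result of `ldns_key_buf2dsa_raw`/`ldns_key_buf2rsa_raw` is passed straight into the assign macro, so when the macro fails for a reason other than a NULL key (it also fails when the key type cannot be set on `evp_key`) the freshly built DSA/RSA object is never freed, because the assign did not take ownership. Binding the parsed key to a local first separates "key data could not be parsed" from "OpenSSL rejected the key", lets the failure path free the object, and gives the log message a distinguishable cause; the RSA cases follow the same shape with `RSA_free`. The enclosing function's signature and its `default:` branch are outside the hunk, so I assume the caller still owns and frees `evp_key` on the `return 0` paths — worth confirming.
```c
	case LDNS_DSA:
	case LDNS_DSA_NSEC3: {
		DSA *dsa = ldns_key_buf2dsa_raw(key, keylen);
		if(!dsa) {
			verbose(VERB_QUERY, "verify: cannot parse DSA key");
			return 0;
		}
		if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
			verbose(VERB_QUERY, "verify: "
				"EVP_PKEY_assign_DSA failed");
			DSA_free(dsa); /* assign failed, so ownership stayed here */
			return 0;
		}
		*digest_type = EVP_dss1();
		break;
	}
	/* … unchanged: RSASHA1 and RSAMD5 cases, same shape with RSA_free … */
```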
/* if it is a DSA signature in XXX format, convert to DER format */
if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
sigblock_len > 0 && sigblock[0] == 0) {
+ log_info("setup_dsa_sig_needed");
if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
verbose(VERB_QUERY, "verify: failed to setup DSA sig");
return sec_status_bogus;
}
dofree = 1;
- }
+ } else if(algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)
+ log_info("setup_dsa_sig_nope");
/* do the signature cryptography work */
EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit(&ctx, digest_type);
- EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf),
- (unsigned int)ldns_buffer_limit(buf));
+ if(EVP_VerifyInit(&ctx, digest_type) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+ if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf),
+ (unsigned int)ldns_buffer_limit(buf)) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+
res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
- EVP_MD_CTX_cleanup(&ctx);
+ if(EVP_MD_CTX_cleanup(&ctx) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
EVP_PKEY_free(evp_key);
if(dofree)