From: Wouter Wijngaards
Date: Tue, 15 Apr 2008 19:51:28 +0000 (+0000)
Subject: DSA signature compatibility.
X-Git-Tag: release-0.11~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9fd2676f91632459640238b2895b85825b63f9a;p=thirdparty%2Funbound.git
DSA signature compatibility.
git-svn-id: file:///svn/unbound/trunk@1053 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 3f3612852..f245351fa 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,8 @@
 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
 - example.conf values changed to /usr/local/etc/unbound
 - DSA test work.
+ - DSA signatures: unbound is compatible with both encodings found.
+ It will detect and convert when necessary.
 14 April 2008: Wouter
 - got update for parseunbound.pl statistics script from Kai Storbeck.
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index 651859ab4..f109ad5e9 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -394,6 +394,7 @@ main(int argc, char* argv[])
 return 1;
 }
 printf("Start of %s unit test.\n", PACKAGE_STRING);
+ ERR_load_crypto_strings();
 checklock_start();
 rnd_test();
 verify_test();
@@ -411,5 +412,7 @@ main(int argc, char* argv[])
 printf("%d checks ok.\n", testcount);
 EVP_cleanup();
 CRYPTO_cleanup_all_ex_data();
+ ERR_remove_state(0);
+ ERR_free_strings();
 return 0;
 }
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 8d8ee200c..43ec4a1c6 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -461,22 +461,12 @@ verify_test()
 {
 printf("verify test\n");
 verifytest_file("testdata/test_signatures.1", "20070818005004");
- log_info("test_signatures.2");
- verbosity=3;
- /*
 verifytest_file("testdata/test_signatures.2", "20080414005004");
- log_info("test_signatures.3");
 verifytest_file("testdata/test_signatures.3", "20080416005004");
- log_info("test_signatures.4");
 verifytest_file("testdata/test_signatures.4", "20080416005004");
- */
- log_info("test_signatures.5");
 verifytest_file("testdata/test_signatures.5", "20080416005004");
- log_info("test_signatures.6");
 verifytest_file("testdata/test_signatures.6", "20080416005004");
- log_info("test_signatures.7");
 verifytest_file("testdata/test_signatures.7", "20070829144150");
- log_info("test_signatures.8");
 verifytest_file("testdata/test_signatures.8", "20070829144150");
 dstest_file("testdata/test_ds_sig.1");
 nsectest();
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 00c704fdd..8dd5a6891 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1329,17 +1329,16 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 EVP_PKEY_free(evp_key);
 return sec_status_bogus;
 }
- /* if it is a DSA signature in XXX format, convert to DER format */
+ /* if it is a DSA signature in bind format, convert to DER format */
 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
- 0) { /*sigblock_len > 0 && sigblock[0] == 0) {*/
- log_info("setup_dsa_sig_needed");
+ sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
+ EVP_PKEY_free(evp_key);
 return sec_status_bogus;
 }
 dofree = 1;
- } else if(algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)
- log_info("setup_dsa_sig_nope");
+ }
 /* do the signature cryptography work */
 EVP_MD_CTX_init(&ctx);
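Review bot: The new test `sigblock_len == 1+2*SHA_DIGEST_LENGTH` in the verify_canonrrset hunk of validator/val_sigcrypt.c picks the signature encoding by length alone, and the comment above it only says "bind format" without saying why 41 bytes identifies it. A comment such as `/* RFC 2536 wire format: T | R | S = 1 + 20 + 20 octets; any other length is handed to EVP as DER */` would record the assumption and make clear that SHA_DIGEST_LENGTH stands in for the size of R and S rather than for a hash. The leading T octet is not inspected in this hunk, and setup_dsa_sig is defined outside it, so whether the conversion validates T or the R and S values cannot be confirmed from here; a negative unit test with a malformed 41-byte block would pin that down. The added `EVP_PKEY_free(evp_key);` closes the leak on the failure path, but the later paths that must release the converted sigblock after `dofree = 1` lie beyond the end of the hunk.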