From c858743222ab0b4575a25728b02d815237c8a1a9 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 15 Apr 2008 18:01:14 +0000
Subject: [PATCH] Fixup unbound. Now still a switch DSA(ldns) DSA(bind) ...
git-svn-id: file:///svn/unbound/trunk@1052 be551aaa-1e26-0410-a405-d3ace91eadb9
---
testcode/unitverify.c | 9 +++++++--
testdata/test_signatures.5 | 24 ++++++++++++------------
testdata/test_signatures.6 | 23 ++++++++++++-----------
testdata/test_signatures.7 | 32 ++++++++++++++++++++++++++++++++
testdata/test_signatures.8 | 24 ++++++++++++++++++++++++
validator/val_sigcrypt.c | 33 ++++++++++++++++++++++++++-------
6 files changed, 113 insertions(+), 32 deletions(-)
create mode 100644 testdata/test_signatures.7
create mode 100644 testdata/test_signatures.8
diff --git a/testcode/unitverify.c
index 7b37c0e92..8d8ee200c 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -462,17 +462,22 @@ verify_test()
 printf("verify test\n");
 verifytest_file("testdata/test_signatures.1", "20070818005004");
 log_info("test_signatures.2");
+ verbosity=3;
+ /*
 verifytest_file("testdata/test_signatures.2", "20080414005004");
 log_info("test_signatures.3");
 verifytest_file("testdata/test_signatures.3", "20080416005004");
- /*
 log_info("test_signatures.4");
 verifytest_file("testdata/test_signatures.4", "20080416005004");
+ */
 log_info("test_signatures.5");
 verifytest_file("testdata/test_signatures.5", "20080416005004");
 log_info("test_signatures.6");
 verifytest_file("testdata/test_signatures.6", "20080416005004");
- */
+ log_info("test_signatures.7");
+ verifytest_file("testdata/test_signatures.7", "20070829144150");
+ log_info("test_signatures.8");
+ verifytest_file("testdata/test_signatures.8", "20070829144150");
 dstest_file("testdata/test_ds_sig.1");
 nsectest();
 nsec3_hash_test("testdata/test_nsec3_hash.1");
diff --git a/testdata/test_signatures.5
index e2204c628..2e9c55c1d 100644
--- a/testdata/test_signatures.5
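Review bot: `verbosity=3;` and the `/* … */` that now encloses the test_signatures.2–4 calls read as local debugging state committed with the fix; as landed, those three fixtures are never executed, so a regression in any of them passes silently, and every run of the verify test becomes noisy. Either restore the three calls and drop the verbosity line, or make the skip explicit and bounded, e.g. `/* TODO: tests 2-4 disabled until the ldns/BIND DSA signature format question is settled */`. The new .7/.8 calls pass `"20070829144150"`, which lies inside the fixtures' 20070829134150–20070926134150 validity window, so those two additions look correct. verify_test's body starts and ends outside the hunk.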
+++ b/testdata/test_signatures.5 
@@ -5,35 +5,34 @@ ; ldns-keygen (svn trunk 1.3.0, 15 april 2008) ; ./ldns-keygen -a DSAMD5 -b 512 nlnetlabs.nl -; Knlnetlabs.nl.+003+16467 +; Knlnetlabs.nl.+003+08866 -; nlnetlabs.nl. 3600 IN DS 16467 3 1 fd67ce8624a0ffd16fa77e132551355f39d38b80 +; nlnetlabs.nl. 3600 IN DS 8866 3 1 1300e7258af98cef40a47e6ac1e34ea79cb4b27f ; Private-key-format: v1.2 ; Algorithm: 3 (DSA) -; Prime(p): uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLRw== -; Subprime(q): 6/5A4SgUoay9q6XCMhEBkbCZ8/s= -; Base(g): rxqQtIKg4IM/Krp6/thbc6fPKvsbNnACZk4SouhQR+Khx2sp+VuXuuZ38IfUoD77GL4eEWBe0M6DH2huG/9wQA== -; Private_value(x): n8FhvxOt6xy5d3S9A3RulEHYrw0= -; Public_value(y): pLcgTYyGMcYD1JTEibEbvZaLRNc8S1sYKTR2DG4zf3PZtzqpFMrph8sNdnfy7K3EH30WgxS7yibZrrgUNZ5oUA== - +; Prime(p): qp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRQ== +; Subprime(q): iTRl4piaQvy9yxIsz/c5pAaVIeM= +; Base(g): RJhjYU22ooiTKltbGmIR6OfXZjKDBfSODrT3e3/IrwiT8oQZriDFZkExYKrKqoqZFn7y0esTf9Bwvx2IhGabQw== +; Private_value(x): gYjuQexf8JiiVBvCcxpXO+QaD88= +; Public_value(y): aPtEU9ui/w2+9aFnCrWUB/fGvMEyAyLyGCCaT/N+l8bPYDPCv+wDxEKHoM3HT/ZOf3RuCE/CYKVK7CDX6+AZrA== ; DSA key from ldns tool ENTRY_BEGIN SECTION QUESTION nlnetlabs.nl. IN DNSKEY SECTION ANSWER -nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 AOv+QOEoFKGsvaulwjIRAZGwmfP7uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLR68akLSCoOCDPyq6ev7YW3Onzyr7GzZwAmZOEqLoUEfiocdrKflbl7rmd/CH1KA++xi+HhFgXtDOgx9obhv/cECktyBNjIYxxgPUlMSJsRu9lotE1zxLWxgpNHYMbjN/c9m3OqkUyumHyw12d/LsrcQffRaDFLvKJtmuuBQ1nmg= ;{id = 16467 (zsk), size = 512b} +nlnetlabs.nl. 
3600 IN DNSKEY 256 3 3 AIk0ZeKYmkL8vcsSLM/3OaQGlSHjqp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRUSYY2FNtqKIkypbWxpiEejn12YygwX0jg6093t/yK8Ik/KEGa4gxWZBMWCqyqqKmRZ+8tHrE3/QcL8diIRmm0No+0RT26L/Db71oWcKtZQH98a8wTIDIvIYIJpP836Xxs9gM8K/7APEQoegzcdP9k5/dG4IT8JgpUrsINfr4Bms ;{id = 8866 (zsk), size = 512b} ENTRY_END ; entry to test ; from -; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+16467 +; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+08866 ENTRY_BEGIN SECTION QUESTION nlnetlabs.nl. IN SOA SECTION ANSWER nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 ) -nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MCwCFDnsiLNKQoJXnHNrz6aWN+6lA/nSAhQWmlSk9TF84ab1Sm6k9gRZVR5eKg== ;{id = 16467} +nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MC0CFFI7JB0x4xaO0qhe9iQGk0eot8zGAhUAg/SFtf5MrR7DEkmd6vm2xf+SN9M= ;{id = 8866} ENTRY_END ENTRY_BEGIN @@ -43,6 +42,7 @@ SECTION ANSWER nlnetlabs.nl. 10200 NS omval.tednet.nl. nlnetlabs.nl. 10200 NS ns7.domain-registry.nl. nlnetlabs.nl. 10200 NS open.nlnetlabs.nl. -nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MC4CFQCZ2AIkBczph4rI+EPSWsNT54Y5+gIVAJ4UxEbgD0FKNRFNHQ7SBy0g0lHz ;{id = 16467} +nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MCwCFFHwxz9Kx7Un60vLMMoOrZizagNrAhR6OskQNF/KVL5/xanbOmK3ZUj0vw== ;{id = 8866} + ENTRY_END diff --git a/testdata/test_signatures.6 b/testdata/test_signatures.6 index ee8fd648c..be6f09092 100644 --- a/testdata/test_signatures.6 +++ b/testdata/test_signatures.6 
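Review bot: The replacement SOA and NS RRSIG RDATA decode to DER (`MC0CFF…`/`MCwCFF…` is 0x30 0x2d/0x2c 0x02 0x14, a SEQUENCE of two INTEGERs, 46–47 octets), whereas RFC 2536 §3 defines a DSA RRSIG as exactly 41 octets T‖R‖S; so, as regenerated, this fixture checks the encoding this ldns-signzone revision happens to emit rather than the wire format a validator meets from other signers, which the subject's DSA(ldns)/DSA(bind) remark suggests is the open question. The file should state this so the fixture is not mistaken for a conformance test, e.g. `; NOTE: RRSIGs from this ldns revision are DER encoded, not RFC 2536 T|R|S`, and an RFC 2536-encoded DSA fixture should stay in the suite alongside it so both decode paths remain covered.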
@@ -5,34 +5,34 @@ ; ldns-keygen (svn trunk 1.3.0, 15 april 2008) ; ./ldns-keygen -a DSAMD5 -b 768 nlnetlabs.nl -; Knlnetlabs.nl.+003+46572 +; Knlnetlabs.nl.+003+51124 -; nlnetlabs.nl. 3600 IN DS 46572 3 1 f4d76788032fe53f69021e408df2d99688e1804a +; nlnetlabs.nl. 3600 IN DS 51124 3 1 6f7e3ea1d525f3428ce342596f7375b1c3a71c51 ; Private-key-format: v1.2 ; Algorithm: 3 (DSA) -; Prime(p): 5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnH -; Subprime(q): 2Hc5Scs3iApxThBkQi13NpogZec= -; Base(g): ugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npN -; Private_value(x): x4jMbAt0XBIqZMMQpL3EphYPbNQ= -; Public_value(y): g+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNsv +; Prime(p): 1kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8Kx +; Subprime(q): 3GwgwvHRyOeXNgZqR/5XpaNs6Pc= +; Base(g): Rw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT +; Private_value(x): OoN8CQisHVjCIET7B3WdAwERRro= +; Public_value(y): 08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY ; DSA key from ldns tool ENTRY_BEGIN SECTION QUESTION nlnetlabs.nl. IN DNSKEY SECTION ANSWER -nlnetlabs.nl. 
3600 IN DNSKEY 256 3 3 BNh3OUnLN4gKcU4QZEItdzaaIGXn5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnHugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npNg+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNs= ;{id = 46572 (zsk), size = 768b} +nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 BNxsIMLx0cjnlzYGakf+V6WjbOj31kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8KxRw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY ;{id = 51124 (zsk), size = 768b} ENTRY_END ; entry to test ; from -; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+46572 +; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+51124 ENTRY_BEGIN SECTION QUESTION nlnetlabs.nl. IN SOA SECTION ANSWER nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 ) -nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MCwCFFiVJdL2mGM2mhHDqjdwfmujIPUQAhRGJm4G+6c+CEr80iC4cIRLbkAjtA== ;{id = 46572} +nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MC0CFB3cRDHQROzkGp4NtLNc4jDA1lhWAhUAgsbb8VMxGqifShEzuCNgczxDHHg= ;{id = 51124} ENTRY_END ENTRY_BEGIN 
@@ -42,6 +42,7 @@ SECTION ANSWER nlnetlabs.nl. 10200 NS omval.tednet.nl. nlnetlabs.nl. 10200 NS ns7.domain-registry.nl. nlnetlabs.nl. 10200 NS open.nlnetlabs.nl. -nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MC0CFHGST66bXko/skkeP0A7SQb4u6tGAhUAu6VeC40sFUN5WOFfIjyQQoK/wv4= ;{id = 46572} +nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MCwCFEzgEjT0n/ooV/xZkRMzKNqeF4pkAhQxEPFtMt5LbIlsi9mSi0HS4+RZuA== ;{id = 51124} + ENTRY_END diff --git a/testdata/test_signatures.7 b/testdata/test_signatures.7 new file mode 100644 index 000000000..8c629980d --- /dev/null +++ b/testdata/test_signatures.7 @@ -0,0 +1,32 @@ +; Signature test file + +; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. +; later entries are verified with it. + +; DSA Key from ldns tool, key used in the testbound tests. + +; DSA key from ldns tool +ENTRY_BEGIN +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +ENTRY_END + +; entry to test +ENTRY_BEGIN +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +ENTRY_END + +ENTRY_BEGIN +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + 
diff --git a/testdata/test_signatures.8
new file mode 100644
index 000000000..4afd5ebd2
--- /dev/null
+++ b/testdata/test_signatures.8
@@ -0,0 +1,24 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; RSA Key from ldns tool, key used in the testbound tests.
+
+; RSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+sub.example.com. IN DNSKEY
+SECTION ANSWER
+sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+www.sub.example.com. 3600 IN A 11.11.11.11
+www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
+ENTRY_END
+
diff --git a/validator/val_sigcrypt.c
index 9a55c4b8e..00c704fdd 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1240,11 +1240,19 @@ static int
 setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 unsigned char* key, size_t keylen)
 {
+ DSA* dsa;
+ RSA* rsa;
+
 switch(algo) {
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
- if(EVP_PKEY_assign_DSA(evp_key,
- ldns_key_buf2dsa_raw(key, keylen)) == 0) {
+ dsa = ldns_key_buf2dsa_raw(key, keylen);
+ if(!dsa) {
+ verbose(VERB_QUERY, "verify: "
+ "ldns_key_buf2dsa_raw failed");
+ return 0;
+ }
+ if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
 verbose(VERB_QUERY, "verify: "
 "EVP_PKEY_assign_DSA failed");
 return 0;
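Review bot: When `EVP_PKEY_assign_DSA(evp_key, dsa)` returns 0, ownership of `dsa` has not passed to the EVP_PKEY, so the `return 0;` in that branch leaks the key parsed by `ldns_key_buf2dsa_raw`; the original code had the same gap, but now that the object is held in a named variable the fix is a one-liner, `DSA_free(dsa);` immediately before that `return 0;`. The new NULL check on `dsa` is the right addition, since the old code passed a possibly-NULL pointer straight into the assign call. Keys in the DNSKEY RRset are attacker-supplied, so a leak on a malformed key is a resource-exhaustion vector for a resolver, not just untidiness. setup_key_digest's body continues outside the hunk.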
@@ -1254,8 +1262,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, break; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: - if(EVP_PKEY_assign_RSA(evp_key, - ldns_key_buf2rsa_raw(key, keylen)) == 0) { + rsa = ldns_key_buf2rsa_raw(key, keylen); + if(!rsa) { + verbose(VERB_QUERY, "verify: " + "ldns_key_buf2rsa_raw SHA1 failed"); + return 0; + } + if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) { verbose(VERB_QUERY, "verify: " "EVP_PKEY_assign_RSA SHA1 failed"); return 0; @@ -1264,8 +1277,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, break; case LDNS_RSAMD5: - if(EVP_PKEY_assign_RSA(evp_key, - ldns_key_buf2rsa_raw(key, keylen)) == 0) { + rsa = ldns_key_buf2rsa_raw(key, keylen); + if(!rsa) { + verbose(VERB_QUERY, "verify: " + "ldns_key_buf2rsa_raw MD5 failed"); + return 0; + } + if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) { verbose(VERB_QUERY, "verify: " "EVP_PKEY_assign_RSA MD5 failed"); return 0; @@ -1313,7 +1331,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, } /* if it is a DSA signature in XXX format, convert to DER format */ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && - sigblock_len > 0 && sigblock[0] == 0) { + 0) { /*sigblock_len > 0 && sigblock[0] == 0) {*/ log_info("setup_dsa_sig_needed"); if(!setup_dsa_sig(&sigblock, &sigblock_len)) { verbose(VERB_QUERY, "verify: failed to setup DSA sig"); @@ -1354,6 +1372,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, if(res == 1) { return sec_status_secure; } else if(res == 0) { + verbose(VERB_QUERY, "verify: signature mismatch"); return sec_status_bogus; } -- 2.47.2
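Review bot: The SHA1 arm has the same ownership gap as the DSA arm above it: if `EVP_PKEY_assign_RSA(evp_key, rsa)` returns 0 the RSA object is still owned by this function and is leaked by the `return 0;` that follows; add `RSA_free(rsa);` before that return, and the same line in the LDNS_RSAMD5 arm in the next hunk, which is otherwise identical. The two `if(!rsa)` checks themselves are correct and close the NULL-dereference the old nested call risked. setup_key_digest's body continues outside the hunk.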
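Review bot: In the `-1313,7 +1331,7` hunk the new condition ends in `&& 0)` with the real test moved into a trailing comment, which hard-codes the raw-to-DER conversion off: a DSA RRSIG in the RFC 2536 §3 wire format (one T octet followed by 20-octet R and 20-octet S, 41 octets in all) is now handed to OpenSSL unconverted and can only come back as bogus, and the `log_info("setup_dsa_sig_needed")` below it is unreachable. If both encodings must be accepted while the ldns/BIND question in the subject is open, select on length rather than on a switch or on `sigblock[0] == 0` (which only matches T=0, i.e. 512-bit p): `if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && sigblock_len == 41) {`, since a DER SEQUENCE of two 20-octet INTEGERs is typically 46–48 octets and begins with 0x30. If the `&& 0` is deliberately temporary it needs a `/* XXX temporary: ... */` saying so and why, since as written it silently breaks validation of RFC-conformant DSA signatures. verify_canonrrset's body begins and ends outside the hunk.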