From e63a0bd73e46dd6cd03b36ae9aee96ac44ae8946 Mon Sep 17 00:00:00 2001
From: Francis Dupont <fdupont@isc.org>
Date: Mon, 8 Jun 2015 18:23:12 +0200
Subject: [PATCH] [sedhcpv6] Compare keys, fixed error message concats

---
 src/bin/dhcp6/dhcp6_srv.cc                    |  4 +-
 src/lib/dhcpsrv/parsers/sedhcp6_parser.cc     | 67 +++++++++++--------
 .../dhcpsrv/tests/sedhcp6_parser_unittest.cc  | 15 +++++
 src/lib/dhcpsrv/tests/testdata/README         |  8 +++
 src/lib/dhcpsrv/tests/testdata/priv2.pem      | 16 +++++
 5 files changed, 80 insertions(+), 30 deletions(-)
 create mode 100644 src/lib/dhcpsrv/tests/testdata/priv2.pem

diff --git a/src/bin/dhcp6/dhcp6_srv.cc b/src/bin/dhcp6/dhcp6_srv.cc
index 0d1e2dfbca..9869eb8eaa 100644
--- a/src/bin/dhcp6/dhcp6_srv.cc
+++ b/src/bin/dhcp6/dhcp6_srv.cc
@@ -3123,8 +3123,8 @@ bool Dhcpv6Srv::validateSeDhcpOptions(const Pkt6Ptr& query, Pkt6Ptr& answer,
         key->update(&tbs[0], tbs.size());
         valid = key->verify(&sig[0], sig_len, BASIC);
     } catch (const Exception& ex) {
-        vermsg.str("signature verify failed: ");
-        vermsg << ex.what();
+        vermsg.str("");
+        vermsg << "signature verify failed: " << ex.what();
     } catch (...) {
         vermsg.str("signature verify failed?!");
     }
diff --git a/src/lib/dhcpsrv/parsers/sedhcp6_parser.cc b/src/lib/dhcpsrv/parsers/sedhcp6_parser.cc
index 8c1a4c69f7..3b5aaf0573 100644
--- a/src/lib/dhcpsrv/parsers/sedhcp6_parser.cc
+++ b/src/lib/dhcpsrv/parsers/sedhcp6_parser.cc
@@ -230,21 +230,21 @@ CfgSeDhcp6 SeDhcp6Parser::create() const {
 
     // When signing is disabled this is almost done
     if (!sign_answers) {
-	try {
-	    return (CfgSeDhcp6(sign_answers,
-			       timestamp_answers,
-			       check_signatures,
-			       check_authorizations,
-			       check_timestamps,
-			       online_validation));
-	} catch (const std::exception& ex) {
-	    isc_throw(DhcpConfigError, "Failed to build the secure "
-		      "DHCPv6 configuration state: " << ex.what());
-	} catch (...) {
-	    isc_throw(DhcpConfigError, "Failed to build the secure "
-		      "DHCPv6 configuration state");
-	}
-	// unreachable
+        try {
+            return (CfgSeDhcp6(sign_answers,
+                               timestamp_answers,
+                               check_signatures,
+                               check_authorizations,
+                               check_timestamps,
+                               online_validation));
+        } catch (const std::exception& ex) {
+            isc_throw(DhcpConfigError, "Failed to build the secure "
+                      "DHCPv6 configuration state: " << ex.what());
+        } catch (...) {
+            isc_throw(DhcpConfigError, "Failed to build the secure "
+                      "DHCPv6 configuration state");
+        }
+        // unreachable
     }
 
     // Signing is enabled, we need more
@@ -291,7 +291,7 @@ CfgSeDhcp6 SeDhcp6Parser::create() const {
     CryptoLink& crypto = CryptoLink::getCryptoLink();
     std::ostringstream errmsg;
     try {
-        errmsg.str("Failed to get the private key from '");
+        errmsg << "Failed to get the private key from '";
         errmsg << private_key.c_str() << "'";
         AsymPtr priv_key(crypto.createAsym(private_key,
                                            "",
@@ -301,9 +301,10 @@ CfgSeDhcp6 SeDhcp6Parser::create() const {
                                            ASN1),
                          deleteAsym);
 
-        errmsg.str("Failed to get the ");
+        errmsg.str("");
+        errmsg << "Failed to get the ";
         errmsg << (public_key.empty() ? "certificate" : "public key")
-	       << " from '" << credential.c_str() << "'";
+               << " from '" << credential.c_str() << "'";
         AsymPtr cred(crypto.createAsym(credential,
                                        "",
                                        signature_algorithm,
@@ -312,19 +313,29 @@ CfgSeDhcp6 SeDhcp6Parser::create() const {
                                        ASN1),
                      deleteAsym);
 
-        errmsg.str("Failed to build the secure DHCPv6 configuration state");
-	return (CfgSeDhcp6(sign_answers,
-			   timestamp_answers,
-			   check_signatures,
-			   check_authorizations,
-			   check_timestamps,
-			   online_validation,
-			   priv_key,
-			   cred));
+        errmsg.str("");
+        errmsg << "Mismatch between the private key and the";
+        errmsg << (public_key.empty() ? "certificate" : "public key");
+        if (!priv_key->compare(cred.get(), PUBLIC)) {
+            isc_throw(DhcpConfigError, errmsg.str());
+        }
+
+        errmsg.str("");
+        errmsg << "Failed to build the secure DHCPv6 configuration state";
+        return (CfgSeDhcp6(sign_answers,
+                           timestamp_answers,
+                           check_signatures,
+                           check_authorizations,
+                           check_timestamps,
+                           online_validation,
+                           priv_key,
+                           cred));
+    } catch (const DhcpConfigError&) {
+        throw;
     } catch (const std::exception& ex) {
         isc_throw(DhcpConfigError, errmsg << ": " << ex.what());
     } catch (...) {
-	isc_throw(DhcpConfigError, errmsg);
+        isc_throw(DhcpConfigError, errmsg.str());
     }
     // unreachable
 }
diff --git a/src/lib/dhcpsrv/tests/sedhcp6_parser_unittest.cc b/src/lib/dhcpsrv/tests/sedhcp6_parser_unittest.cc
index 0d80e0700c..d2161c4f17 100644
--- a/src/lib/dhcpsrv/tests/sedhcp6_parser_unittest.cc
+++ b/src/lib/dhcpsrv/tests/sedhcp6_parser_unittest.cc
@@ -382,6 +382,21 @@ TEST_F(SeDhcp6ParserTest, fullPubKeySha512) {
     EXPECT_EQ(pub_key->getAsymKeyKind(), PUBLIC);
 }
 
+// This test checks another public key config
+TEST_F(SeDhcp6ParserTest, fullPubKeyBadKey) {
+    std::string config = "{ \"sign-answers\": true,"
+        " \"private-key\": \"" SEDHCP6_DATA_DIR "/priv2.pem\","
+        " \"public-key\": \"" SEDHCP6_DATA_DIR "/pub.pem\" }";
+
+    ElementPtr config_element = Element::fromJSON(config);
+
+    SeDhcp6Parser parser("secure-dhcp6", Option::V6);
+    ASSERT_NO_THROW(parser.build(config_element));
+
+    // Keys don't match
+    ASSERT_THROW(parser.commit(), DhcpConfigError);
+}
+
 // This test checks the parsing of a full config using a certificate
 TEST_F(SeDhcp6ParserTest, fullWithCertificate) {
     std::string config = "{ \"sign-answers\": true,"
diff --git a/src/lib/dhcpsrv/tests/testdata/README b/src/lib/dhcpsrv/tests/testdata/README
index c13258ff44..e2f9d5c054 100644
--- a/src/lib/dhcpsrv/tests/testdata/README
+++ b/src/lib/dhcpsrv/tests/testdata/README
@@ -34,3 +34,11 @@ cert2.pem: another X.509 certificate with a different serial
 $ openssl x509 -in cert.pem -text
 
 displays the certificate content
+
+$ openssl ecparam -genkey -name prime256v1 -out ec
+
+ec: P256 key pair
+
+$ openssl ecparam -list_curves
+
+lists available curves
diff --git a/src/lib/dhcpsrv/tests/testdata/priv2.pem b/src/lib/dhcpsrv/tests/testdata/priv2.pem
new file mode 100644
index 0000000000..ca841198ea
--- /dev/null
+++ b/src/lib/dhcpsrv/tests/testdata/priv2.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAK21g50Q7XXd8vuc
+D/irGG+qJaVOdnAYdzrCXgMv7yY0ViKYv49sI4qWkM7Yzx2mQpu6fkxRmShhIRyX
+HMlrE7swi6pLzb/ZXcH8yAM6gXtIOw97jiE8QQvawdZZ33kYThE/hd7N2uUAnejh
+iFHfLZSY9PIx5qfPhKKD1ZxudVXTAgMBAAECgYB83V5HF/TpZeqUrIDaifpdwhuf
+cQA34Y5LAY5ckidA+hv0cII6UUxXAZYD6dsvf+SfVnYU3A7Q9Mi9aW465qpeE1cZ
+AeshQvRrDNW5gz7pRmsQfoTlswQXuI4hKyOna1XnvI6OUTOLKh3Ohu/QBGtQbpqL
+a1ZWE/iB16Tdi47cUQJBAOFimVWoyQDjQCG4gSti2OORVgwsjN5fiG+4dJuvfRbK
+JIOoH4dQW5/BthZ/Tk6HRR+Dh8RP+B44Rcrl4N+VRikCQQDFTfZufrhUfooWT5pE
+w4sZtQcprKsQ3PBuIShwEPaBredRoZ5NVxE5d75d3DQmqLq+/XitXaQkqc3r6TBX
+omObAkEAm8Z6FCpEQsjOWoAbRtFa9m5M+r0P3+JHenASqEfyPP4ZnqVkpTF1IkXQ
+hFwY003LCKzv+U8MPlbGZiXb9qxFgQJBAIbgieL1K4tPSZSA7EOvrSpwrynVCMgp
+UQ7oCd26KtlxiV0rb60NJRA1BGTjgJ8g3zBq1BEnn2sUzVlE+rAdqZsCQQCk8yNm
+PGgVEd6dT2o9fTvJbOz3yHcFDga/e46/klm2aoEtZwFF+qIo8qiIRnbMJczgQL+Z
+3mT0bxrvypE3n6b4
+-----END PRIVATE KEY-----
-- 
2.47.2