mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
SHA256 support.
git-svn-id: file:///svn/unbound/trunk@1275 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
2e5c620f2c
commit
5e1193f19d
@ -1,6 +1,8 @@
|
||||
30 September 2008: Wouter
|
||||
- fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
|
||||
- tests for sha256 support and downgrade resistance.
|
||||
- RSASHA256 and RSASHA512 support (using the draft in dnsext),
|
||||
using the drafted protocol numbers.
|
||||
|
||||
29 September 2008: Wouter
|
||||
- EDNS lameness detection, if EDNS packets are dropped this is
|
||||
|
@ -140,6 +140,9 @@ should_be_bogus(struct ub_packed_rrset_key* rrset)
|
||||
entry.data;
|
||||
if(d->rrsig_count == 0)
|
||||
return 1;
|
||||
/* name 'bogus' as first label signals bogus */
|
||||
if(rrset->rk.dname_len > 6 && memcmp(rrset->rk.dname+1, "bogus", 5)==0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -468,6 +471,13 @@ verify_test()
|
||||
verifytest_file("testdata/test_signatures.6", "20080416005004");
|
||||
verifytest_file("testdata/test_signatures.7", "20070829144150");
|
||||
verifytest_file("testdata/test_signatures.8", "20070829144150");
|
||||
#ifdef SHA256_DIGEST_LENGTH
|
||||
verifytest_file("testdata/test_signatures.9", "20070829144150");
|
||||
verifytest_file("testdata/test_signatures.11", "20070829144150");
|
||||
#endif
|
||||
#ifdef SHA512_DIGEST_LENGTH
|
||||
verifytest_file("testdata/test_signatures.10", "20070829144150");
|
||||
#endif
|
||||
dstest_file("testdata/test_ds_sig.1");
|
||||
nsectest();
|
||||
nsec3_hash_test("testdata/test_nsec3_hash.1");
|
||||
|
1
testdata/Kexample.com.+008+01443.ds
vendored
Normal file
1
testdata/Kexample.com.+008+01443.ds
vendored
Normal file
@ -0,0 +1 @@
|
||||
example.com. 3600 IN DS 1443 8 1 54f8ccd08089fd8b7c1b51d487eadf1c527dece4 ; xihaz-mufit-bybem-nezam-ryzuc-rugyt-gucyv-pulec-sygyl-tiriv-goxox
|
1
testdata/Kexample.com.+008+01443.key
vendored
Normal file
1
testdata/Kexample.com.+008+01443.key
vendored
Normal file
@ -0,0 +1 @@
|
||||
example.com. 3600 IN DNSKEY 256 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1443 (zsk), size = 1024b}
|
10
testdata/Kexample.com.+008+01443.private
vendored
Normal file
10
testdata/Kexample.com.+008+01443.private
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
Private-key-format: v1.2
|
||||
Algorithm: 8 (RSASHA256)
|
||||
Modulus: t31aqPMTY/KfPbU4bl2hJ/2EXMyvl2HPPbBpne9Nr7SjmvsCNMCqYDXIf8Hf5oAyKFSbm5xlJ9Wqjv6Q5pETzIWP1qK86YDWfX4kt68mr+jK9DKPFA3ZBvz0vJo1RPmgpkiIv67LKE1bcoNHdJJtD8YHBA0MdVxmL4kNHdELSvs=
|
||||
PublicExponent: AQAB
|
||||
PrivateExponent: azCanqnpgPDCX90Wyzp9I4xxH3kfdrLXyzTcbjvWyTcggC/0WPbYUP36U8/hSZlIM9FBWgVh/oROb9x8r4S+6DT5k3tdhI303AL6bC8x1PBCzHjXBmYa9JvPKx/7a1hpSVOw9iJJh0Y4IclrfA8Ssdqxkj5QdNvR1CqDYTvIH/E=
|
||||
Prime1: 4yIEKoY9ew1mX7+MUA8T1sGp64VzTiFpnn/8eomwdYVEsX6Sg563qLEn6IuORxrqCz8Ae3qfgVkT0J96ArURsw==
|
||||
Prime2: zs9dU2j2jlToxIXtKu+YeO7QCKd1gVP6beI9IxjMYm21opsVvJ/xMlHu9aocGuCgvfmFyu/ShhsF/IPlFkvtmQ==
|
||||
Exponent1: EAy8TKD1wTc+L6/iY1ndZgSDVFA2yKOVygxzM9l87aEALKasBb72bWYvUsBhymZ9eVP3XcJZeRNpUgmi3oQa/w==
|
||||
Exponent2: nukr9wmyWo/YBBo8sT9F07b9V4kFe4jB52luPOezNPbEGNw+CaCEv3vBuDcsPWLZYOC488Tv6WgeY3gdsdJKEQ==
|
||||
Coefficient: Fr7ARq2yRTv8+1ZAAwv2gbDa92RZxdZzj9hpC+/64kjCxq5//2haIhU/wtgDbBlr99Uk90cXf6F8AeaqCYgjLQ==
|
1
testdata/Kexample.com.+009+54034.ds
vendored
Normal file
1
testdata/Kexample.com.+009+54034.ds
vendored
Normal file
@ -0,0 +1 @@
|
||||
example.com. 3600 IN DS 54034 9 1 59793aa41c0bfb8d71c686761370d29af7a9ae9b ; xikel-nyvap-gelyb-ryvom-teses-kecul-kegel-begon-potap-nuron-roxex
|
1
testdata/Kexample.com.+009+54034.key
vendored
Normal file
1
testdata/Kexample.com.+009+54034.key
vendored
Normal file
@ -0,0 +1 @@
|
||||
example.com. 3600 IN DNSKEY 256 3 9 AwEAAeHRRbGrk8zEVeSLNlELTGcvJLEiv+OJp1HWhq+kitN3p+IjLT2YmV2p43ReRiPSBDjzsf/8VPKCsGaDeli0/cq3u0s54ft8KB9lYbMDKg0LQkDdjVY2Ah5l7FRZGDn+AnmxWlZ3mp8ZREs2NCtQW5GOiKzZtJfftUZ9f8PXemIV ;{id = 54034 (zsk), size = 1024b}
|
10
testdata/Kexample.com.+009+54034.private
vendored
Normal file
10
testdata/Kexample.com.+009+54034.private
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
Private-key-format: v1.2
|
||||
Algorithm: 9 (RSASHA512)
|
||||
Modulus: 4dFFsauTzMRV5Is2UQtMZy8ksSK/44mnUdaGr6SK03en4iMtPZiZXanjdF5GI9IEOPOx//xU8oKwZoN6WLT9yre7Sznh+3woH2VhswMqDQtCQN2NVjYCHmXsVFkYOf4CebFaVneanxlESzY0K1BbkY6IrNm0l9+1Rn1/w9d6YhU=
|
||||
PublicExponent: AQAB
|
||||
PrivateExponent: ODgdncoVldkbeTafYzXo45d9DwyTsVZH7bv29CuG1HbpuQcA8GDZbdQp6IK/+5MBshwZqJ1tmKKowBzjjMoilKnEZcn8ca9/L9Vr0Mgv5L7UDHkcAYa3rTmvXEowCJ7lrZYxiV/VFa5lMdRhuJPwffV2r8PxcRdNOIT7cNROMlE=
|
||||
Prime1: 9MoMzIuhQzBpVxKKoxVVpWaDoFS5iTiSuHay5jS9gu8uffPap6utGuyz24pWcPkEd1wrOdgMoGbzZq+RI/Azyw==
|
||||
Prime2: 7CjLOWY8aYfR2WhaVSZmdPieuClR4m26WZowZJL7tolGnwxdyo9mbCC8K3l9rBfGC93pM2R3h2GoWJY94G3Fnw==
|
||||
Exponent1: WvzfVQhxoK/V9++EaKn9c8VvF6FmdYL5xmcYiEkCSDDvbxG9LKW7ak6ha/E3wDZPWq5/wrhzuQuLXZfUsy8NkQ==
|
||||
Exponent2: bHXT2BnXNxR00We2zRKkzaX9p1D61YZVpp9FCHvk9RGZCKTyUnyHqrNiGIlkqWwFvh994eeLafb1DTJ7Wp6vuw==
|
||||
Coefficient: as42vfVFq5hx39EOBiOS1m+2CYzLLIPI7vh8xAi1lOJiTEzmujGVZ9VYETFenAp/S1ZfDznZU47hoWqtImxJ3g==
|
24
testdata/test_signatures.10
vendored
Normal file
24
testdata/test_signatures.10
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
; Signature test file
|
||||
|
||||
; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
|
||||
; later entries are verified with it.
|
||||
|
||||
; Test RSASHA512 signatures.
|
||||
|
||||
; RSA key from ldns tool
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
sub.example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 9 AwEAAeHRRbGrk8zEVeSLNlELTGcvJLEiv+OJp1HWhq+kitN3p+IjLT2YmV2p43ReRiPSBDjzsf/8VPKCsGaDeli0/cq3u0s54ft8KB9lYbMDKg0LQkDdjVY2Ah5l7FRZGDn+AnmxWlZ3mp8ZREs2NCtQW5GOiKzZtJfftUZ9f8PXemIV ;{id = 54034 (zsk), size = 1024b}
|
||||
ENTRY_END
|
||||
|
||||
; entry to test
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 192.0.2.66
|
||||
www.example.com. 3600 IN RRSIG A 9 3 3600 20070926134150 20070829134150 54034 example.com. FASMRTKfNKrj4o5gEkwfIjlqw2o03ZaoT95TcEdhBW80iyhi3cN3FESX7cquyqQ3AoA3i7OU5bqFVeLoQq9zeE8G2qHklpSPjrEFPHB/HKPtweb5rk4+yZqo9b0G375We12sZWHY5/gpaL2zVgX5A3j2H78rlfM7EMVnOEOIc0Y= ;{id = 54034}
|
||||
ENTRY_END
|
||||
|
23
testdata/test_signatures.9
vendored
Normal file
23
testdata/test_signatures.9
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
; Signature test file
|
||||
|
||||
; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
|
||||
; later entries are verified with it.
|
||||
|
||||
; Test RSASHA256 signatures.
|
||||
|
||||
; RSA key from ldns tool
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
sub.example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1443 (zsk), size = 1024b}
|
||||
ENTRY_END
|
||||
|
||||
; entry to test
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 192.0.2.66
|
||||
www.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1443 example.com. sX+BZ6Qdq0Td/THR1HgOnWh9URNP03KMEgjpnRGbS74NqlmlqLU3HcimOT/lUD7xsZTeOIWw5kAcQePxU3UrjS5gsIttIXAfrHFmOtTsyb0O4w0/RpR0QYxRl1hk4zQRPzHeEkgxNTe+y9V9gYe7iv9OddXsfwEnmqQiXk+tdsU= ;{id = 1443}
|
||||
ENTRY_END
|
@ -370,6 +370,12 @@ dnskey_algo_id_is_supported(int id)
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
case LDNS_RSAMD5:
|
||||
#ifdef SHA256_DIGEST_LENGTH
|
||||
case LDNS_RSASHA256:
|
||||
#endif
|
||||
#ifdef SHA512_DIGEST_LENGTH
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
@ -400,26 +406,65 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
dnskey_idx));
|
||||
}
|
||||
|
||||
/**
|
||||
* Fillup needed algorithm array for DNSKEY set
|
||||
* @param dnskey: the key
|
||||
* @param num: number of DNSKEY RRs.
|
||||
* @param needs: array per algorithm.
|
||||
* @return the number of algorithms that need valid signatures
|
||||
*/
|
||||
static size_t
|
||||
dnskeyset_needs(struct ub_packed_rrset_key* dnskey, size_t num,
|
||||
uint8_t needs[])
|
||||
{
|
||||
uint8_t algo;
|
||||
size_t i, total = 0;
|
||||
|
||||
memset(needs, 0, sizeof(uint8_t)*256);
|
||||
for(i=0; i<num; i++) {
|
||||
algo = (uint8_t)dnskey_get_algo(dnskey, i);
|
||||
if(needs[algo] == 0) {
|
||||
needs[algo] = 1;
|
||||
total++;
|
||||
}
|
||||
}
|
||||
return total;
|
||||
}
|
||||
|
||||
enum sec_status
|
||||
dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey)
|
||||
{
|
||||
enum sec_status sec;
|
||||
size_t i, num;
|
||||
size_t i, num, numneeds;
|
||||
rbtree_t* sortree = NULL;
|
||||
/* make sure that for all DNSKEY algorithms there are valid sigs */
|
||||
uint8_t needs[256]; /* 1 if need sig for that algorithm */
|
||||
|
||||
num = rrset_get_sigcount(rrset);
|
||||
if(num == 0) {
|
||||
verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
|
||||
"signatures");
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
numneeds = dnskeyset_needs(dnskey, num, needs);
|
||||
for(i=0; i<num; i++) {
|
||||
sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
|
||||
dnskey, i, &sortree);
|
||||
if(sec == sec_status_secure)
|
||||
return sec;
|
||||
/* see which algorithm has been fixed up */
|
||||
if(sec == sec_status_secure) {
|
||||
uint8_t a = (uint8_t)dnskey_get_algo(dnskey, i);
|
||||
if(needs[a] == 1) {
|
||||
needs[a] = 0;
|
||||
numneeds --;
|
||||
if(numneeds == 0) /* done! */
|
||||
return sec;
|
||||
}
|
||||
}
|
||||
}
|
||||
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
|
||||
verbose(VERB_ALGO, "rrset failed to verify: no valid signatures for "
|
||||
"%d algorithms", (int)numneeds);
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
@ -1256,18 +1301,36 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
|
||||
break;
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
#ifdef SHA256_DIGEST_LENGTH
|
||||
case LDNS_RSASHA256:
|
||||
#endif
|
||||
#ifdef SHA512_DIGEST_LENGTH
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
rsa = ldns_key_buf2rsa_raw(key, keylen);
|
||||
if(!rsa) {
|
||||
verbose(VERB_QUERY, "verify: "
|
||||
"ldns_key_buf2rsa_raw SHA1 failed");
|
||||
"ldns_key_buf2rsa_raw SHA failed");
|
||||
return 0;
|
||||
}
|
||||
if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
|
||||
verbose(VERB_QUERY, "verify: "
|
||||
"EVP_PKEY_assign_RSA SHA1 failed");
|
||||
"EVP_PKEY_assign_RSA SHA failed");
|
||||
return 0;
|
||||
}
|
||||
*digest_type = EVP_sha1();
|
||||
|
||||
/* select SHA version */
|
||||
#ifdef SHA256_DIGEST_LENGTH
|
||||
if(algo == LDNS_RSASHA256)
|
||||
*digest_type = EVP_sha256();
|
||||
else
|
||||
#endif
|
||||
#ifdef SHA512_DIGEST_LENGTH
|
||||
if(algo == LDNS_RSASHA512)
|
||||
*digest_type = EVP_sha512();
|
||||
else
|
||||
#endif
|
||||
*digest_type = EVP_sha1();
|
||||
|
||||
break;
|
||||
case LDNS_RSAMD5:
|
||||
|
Loading…
Reference in New Issue
Block a user