mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
Jelte found DSA sig solution, copied from ldns to fit into unbound validator.
git-svn-id: file:///svn/unbound/trunk@1042 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
adb8eda081
commit
77e7e73a32
@ -3,6 +3,7 @@
|
||||
- tpkg tests for udp wait list.
|
||||
- documented 0x20 status.
|
||||
- fixup chroot and checkconf, it is much smarter now.
|
||||
- fixup DSA EVP signature decoding. Solution that Jelte found copied.
|
||||
|
||||
11 April 2008: Wouter
|
||||
- random port selection out of the configged ports.
|
||||
|
@ -461,6 +461,7 @@ verify_test()
|
||||
{
|
||||
printf("verify test\n");
|
||||
verifytest_file("testdata/test_signatures.1", "20070818005004");
|
||||
verifytest_file("testdata/test_signatures.2", "20080414005004");
|
||||
dstest_file("testdata/test_ds_sig.1");
|
||||
nsectest();
|
||||
nsec3_hash_test("testdata/test_nsec3_hash.1");
|
||||
|
23
testdata/test_signatures.2
vendored
Normal file
23
testdata/test_signatures.2
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
; Signature test file
|
||||
|
||||
; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
|
||||
; later entries are verified with it.
|
||||
|
||||
|
||||
; DNSKEY used for testing, from april 2008
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
cesar.sec3.br. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
cesar.sec3.br. 43200 IN DNSKEY 257 3 3 AMAdw+X4IcinbsSOXamwV4BrJVbRjSJ63DYRV0NLR4W5cDMEQGmB3Lci ybjLvaEogs9RDmjhxQrQJRfaIVMG11LtOwlTPBr4yzyeK9zzeZPAQz2F 9yCCPqgUdts51v4XeK5evtn+b4AB7t/j+v7Vb+26k8No6hmJiRJAy59N Fpzrt5FoY5qFZ8QbPl59nzEcXTbOiXBNSu9mQbe/jFH5p9NP4KB0iNL/ oAthNIVVsDG8hQFh1hE5YlDNLxYY3U+TODjWx//DZvkn5Tyyvp7I6b33 oJiq
|
||||
ENTRY_END
|
||||
|
||||
; entry to test
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
cesar.sec3.br. IN SOA
|
||||
SECTION ANSWER
|
||||
cesar.sec3.br. 43200 IN SOA home.kuroiwa.eng.br. hostmaster.cesar.sec3.br. 2008040903 86400 86400 8640000 600
|
||||
cesar.sec3.br. 43200 IN RRSIG SOA 3 3 43200 20081010000000 20080410122550 14996 cesar.sec3.br. AJOGbuGOMggPspEBhIc58I8BXUHqR+DKiZqGZRwu9jMTgAX6JCPunSI= ;{id = 14996}
|
||||
ENTRY_END
|
||||
|
@ -1182,6 +1182,48 @@ log_crypto_error(const char* str, unsigned long e)
|
||||
log_err("%s crypto %s", str, buf);
|
||||
}
|
||||
|
||||
/**
|
||||
* Setup DSA key digest in DER encoding ...
|
||||
* @param sig: input is signature output alloced ptr (unless failure).
|
||||
* caller must free alloced ptr if this routine returns true.
|
||||
* @param len: intput is initial siglen, output is output len.
|
||||
* @return false on failure.
|
||||
*/
|
||||
static int
|
||||
setup_dsa_sig(unsigned char** sig, unsigned int* len)
|
||||
{
|
||||
unsigned char* orig = *sig;
|
||||
unsigned int origlen = *len;
|
||||
|
||||
uint8_t t;
|
||||
BIGNUM *R, *S;
|
||||
DSA_SIG *dsasig;
|
||||
|
||||
/* extract the R and S field from the sig buffer */
|
||||
if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
|
||||
return 0;
|
||||
t = orig[0];
|
||||
R = BN_new();
|
||||
if(!R) return 0;
|
||||
(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
|
||||
S = BN_new();
|
||||
if(!S) return 0;
|
||||
(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
|
||||
dsasig = DSA_SIG_new();
|
||||
if(!dsasig) return 0;
|
||||
|
||||
dsasig->r = R;
|
||||
dsasig->s = S;
|
||||
*sig = NULL;
|
||||
*len = i2d_DSA_SIG(dsasig, sig);
|
||||
if(*len == 0) {
|
||||
free(sig);
|
||||
return 0;
|
||||
}
|
||||
DSA_SIG_free(dsasig);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setup key and digest for verification. Adjust sig if necessary.
|
||||
*
|
||||
@ -1255,6 +1297,13 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
EVP_PKEY_free(evp_key);
|
||||
return sec_status_bogus;
|
||||
}
|
||||
if(algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) {
|
||||
if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
|
||||
verbose(VERB_QUERY, "verify: failed to setup DSA sig");
|
||||
EVP_PKEY_free(evp_key);
|
||||
return sec_status_bogus;
|
||||
}
|
||||
}
|
||||
|
||||
/* do the signature cryptography work */
|
||||
EVP_MD_CTX_init(&ctx);
|
||||
@ -1265,6 +1314,10 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
EVP_MD_CTX_cleanup(&ctx);
|
||||
EVP_PKEY_free(evp_key);
|
||||
|
||||
if(algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) {
|
||||
free(sigblock);
|
||||
}
|
||||
|
||||
if(res == 1) {
|
||||
return sec_status_secure;
|
||||
} else if(res == 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user