From 9ab79dc0dc8d91194a3ed02b65536d2cc909395b Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 15 Apr 2008 15:19:25 +0000
Subject: [PATCH] DSA test

git-svn-id: file:///svn/unbound/trunk@1051 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 testcode/unitverify.c | 11 ++++++++
 testdata/test_signatures.3 | 48 +++++++++++++++++++++++++++++++++++
 testdata/test_signatures.4 | 47 ++++++++++++++++++++++++++++++++++
 testdata/test_signatures.5 | 48 +++++++++++++++++++++++++++++++++++
 testdata/test_signatures.6 | 47 ++++++++++++++++++++++++++++++++++
 validator/val_sigcrypt.c | 52 ++++++++++++++++++++++++++++++--------
 7 files changed, 243 insertions(+), 11 deletions(-)
 create mode 100644 testdata/test_signatures.3
 create mode 100644 testdata/test_signatures.4
 create mode 100644 testdata/test_signatures.5
 create mode 100644 testdata/test_signatures.6
diff --git a/doc/Changelog b/doc/Changelog
index 789f698bf..3f3612852 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -6,6 +6,7 @@
 chroot dir.
 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
 - example.conf values changed to /usr/local/etc/unbound
+ - DSA test work.
 
 14 April 2008: Wouter
 - got update for parseunbound.pl statistics script from Kai Storbeck.
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index cd7a809ff..7b37c0e92 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -461,7 +461,18 @@ verify_test()
 {
 printf("verify test\n");
 verifytest_file("testdata/test_signatures.1", "20070818005004");
+ log_info("test_signatures.2");
 verifytest_file("testdata/test_signatures.2", "20080414005004");
+ log_info("test_signatures.3");
+ verifytest_file("testdata/test_signatures.3", "20080416005004");
+ /*
+ log_info("test_signatures.4");
+ verifytest_file("testdata/test_signatures.4", "20080416005004");
+ log_info("test_signatures.5");
+ verifytest_file("testdata/test_signatures.5", "20080416005004");
+ log_info("test_signatures.6");
+ verifytest_file("testdata/test_signatures.6", "20080416005004");
+ */
 dstest_file("testdata/test_ds_sig.1");
 nsectest();
 nsec3_hash_test("testdata/test_nsec3_hash.1");
diff --git a/testdata/test_signatures.3 b/testdata/test_signatures.3
new file mode 100644
index 000000000..fddc462c2
--- /dev/null
+++ b/testdata/test_signatures.3
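Review bot: The calls for test_signatures.4, .5 and .6 are disabled with a bare `/* ... */` block and no reason is recorded, so the next reader cannot tell whether these are known failures, unfinished work or leftovers. Replace the opener with one that states the situation, e.g. `/* TODO: test_signatures.4 (bind DSA 768-bit) and .5/.6 (ldns-keygen DSA) disabled: record the failure they currently produce before re-enabling */`. The added `log_info("test_signatures.N")` lines look like debugging aids: the test already reports with `printf` on the line above, and the verifytest_file argument names the file, so they can either go or follow that `printf` style. verify_test continues past the end of the hunk.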
@@ -0,0 +1,48 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; created test keys with bind tools:
+; dnssec-keygen 9.4.2: /usr/sbin/dnssec-keygen -a DSA -b 512 -n ZONE nlnetlabs.nl
+; Knlnetlabs.nl.+003+03510
+
+; private key file:
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): 4nziv5P4tsXwaf71EoyKFoLzFq0/wN5fb6yb8IY5uwmVh5hvO0M4lR8LAjwimCIo3SYEdCnUPkl8WbJYHkRm9w==
+; Subprime(q): 3ueDKL3Jc2Ue1G/ZCfhwMEyR4v0=
+; Base(g): Ji9iYukmprX5qXO7V0MALKCTsfvz3kef2TsZdpM/VdetDK53OwKE1NRTMU6PSPGyumedOrkSD2BLa7CT1dJRJQ==
+; Private_value(x): wlEfaVwW10q6Re/ZOBL9PLJJb20=
+; Public_value(y): cHuTGyrkbj5QVkgmFm3KEpLnb5c7jH6tapeU5ugEIJiacbroPhfz/9vPw8tkZedBGImuYPSohRPfHIQPMxfxAg==
+
+
+; DSA key from bind tool 9.4.2
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. IN DNSKEY 256 3 3 AN7ngyi9yXNlHtRv2Qn4cDBMkeL94nziv5P4tsXwaf71EoyKFoLzFq0/ wN5fb6yb8IY5uwmVh5hvO0M4lR8LAjwimCIo3SYEdCnUPkl8WbJYHkRm 9yYvYmLpJqa1+alzu1dDACygk7H7895Hn9k7GXaTP1XXrQyudzsChNTU UzFOj0jxsrpnnTq5Eg9gS2uwk9XSUSVwe5MbKuRuPlBWSCYWbcoSkudv lzuMfq1ql5Tm6AQgmJpxuug+F/P/28/Dy2Rl50EYia5g9KiFE98chA8z F/EC
+ENTRY_END
+
+; entry to test
+; from
+; /usr/sbin/dnssec-signzone nlnetlabs.nl
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 RRSIG SOA 3 2 10200 20080515132632 ( 20080415132632 3510 nlnetlabs.nl. ACYwIl9GQofKJ2xdgx1YelKbtmLrWRl8f+eC ToRnfyQ+gvdUIX3mTTw= )
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 RRSIG NS 3 2 10200 20080515132632 ( 20080415132632 3510 nlnetlabs.nl. AEYy9ZN3KEDHybhZbL3PoR71jMQuufKM1lej +obA6uL6CjYQAPrL9tk= )
+ENTRY_END
+
diff --git a/testdata/test_signatures.4 b/testdata/test_signatures.4
new file mode 100644
index 000000000..fbda8f9e6
--- /dev/null
+++ b/testdata/test_signatures.4
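Review bot: The fixture header (here, and in test_signatures.4, .5 and .6 alike) records the complete private half of the test DNSKEY — `Private_value(x)` together with p, q and g — under the real zone name nlnetlabs.nl, and nothing in the file says the key pair is a throwaway made only for this test. Add one line to the header, e.g. `; test-only key pair generated for this fixture; the private half is kept (presumably so the RRSIGs can be reproduced)`, so a later reader neither mistakes the DNSKEY for a deployed one nor treats the exposed private value as an incident. test_signatures.5 and .6 also record the DS record for their key while .3 and .4 do not; adding it keeps the four fixtures uniform and gives a checkable key tag for each.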
@@ -0,0 +1,47 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; dnssec-keygen 9.4.2: /usr/sbin/dnssec-keygen -a DSA -b 768 -n ZONE nlnetlabs.nl
+; Knlnetlabs.nl.+003+03793
+
+; private key file
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): lHKDKRMhV1yBk/gXk3IL29jkPwWwOqEskebo/hC0ieobdQkeuf9B3AgzCdn2hQOWVGoIMWyxChhqHVLwnQzUGY/uAhTZgSXBG47eHZC+Pj1hgX9tkB+9kzoK5jKhstR9
+; Subprime(q): 6u+5FI/H5WmwyTPWB5K0LjegVb0=
+; Base(g): hWj33Fnu7b9vhIriw6nXnJKpeus9pffjSaKzVJBNnlWTMXbo3+w3rObnJlbkVLfRsY4F8boWn1EbUUHCaRIW3bsqziE739S8HBJDDwxYx85n0xRqkg0djWoCG2e4uv4o
+; Private_value(x): xSLjPW1PE6twDgObqfkUk6EXO+g=
+; Public_value(y): ORFJhDQMHGQNdWXlh05vAJJ8Fqm6u+72qsIY2pnSgWL7vQIL6sKKJL14oIVJbsZW9FIjQCFpqe19leUdzUDQa9AxB8WSRAzmh4S6tWkmbAGpUjoAUJSLtqV1NgvH8ESg
+
+
+; DSA key from bind tool 9.4.2
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. IN DNSKEY 256 3 3 BOrvuRSPx+VpsMkz1geStC43oFW9lHKDKRMhV1yBk/gXk3IL29jkPwWw OqEskebo/hC0ieobdQkeuf9B3AgzCdn2hQOWVGoIMWyxChhqHVLwnQzU GY/uAhTZgSXBG47eHZC+Pj1hgX9tkB+9kzoK5jKhstR9hWj33Fnu7b9v hIriw6nXnJKpeus9pffjSaKzVJBNnlWTMXbo3+w3rObnJlbkVLfRsY4F 8boWn1EbUUHCaRIW3bsqziE739S8HBJDDwxYx85n0xRqkg0djWoCG2e4 uv4oORFJhDQMHGQNdWXlh05vAJJ8Fqm6u+72qsIY2pnSgWL7vQIL6sKK JL14oIVJbsZW9FIjQCFpqe19leUdzUDQa9AxB8WSRAzmh4S6tWkmbAGp UjoAUJSLtqV1NgvH8ESg
+ENTRY_END
+
+; entry to test
+; from
+; /usr/sbin/dnssec-signzone nlnetlabs.nl
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 RRSIG SOA 3 2 10200 20080515133546 ( 20080415133546 3793 nlnetlabs.nl. BHMt1eWN8HzfFOqrqL1PrsED43JVCrybDYL1 GJXymKlkWRAjar0wT6o= )
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 RRSIG NS 3 2 10200 20080515133546 ( 20080415133546 3793 nlnetlabs.nl. BJZaThgkBaF3k6t2q+tr0ngKcF2EntSOn9gX Ut9Xipj3CdioZl8b0cY= )
+ENTRY_END
+
diff --git a/testdata/test_signatures.5 b/testdata/test_signatures.5
new file mode 100644
index 000000000..e2204c628
--- /dev/null
+++ b/testdata/test_signatures.5
@@ -0,0 +1,48 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
+; ./ldns-keygen -a DSAMD5 -b 512 nlnetlabs.nl
+; Knlnetlabs.nl.+003+16467
+
+; nlnetlabs.nl. 3600 IN DS 16467 3 1 fd67ce8624a0ffd16fa77e132551355f39d38b80
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLRw==
+; Subprime(q): 6/5A4SgUoay9q6XCMhEBkbCZ8/s=
+; Base(g): rxqQtIKg4IM/Krp6/thbc6fPKvsbNnACZk4SouhQR+Khx2sp+VuXuuZ38IfUoD77GL4eEWBe0M6DH2huG/9wQA==
+; Private_value(x): n8FhvxOt6xy5d3S9A3RulEHYrw0=
+; Public_value(y): pLcgTYyGMcYD1JTEibEbvZaLRNc8S1sYKTR2DG4zf3PZtzqpFMrph8sNdnfy7K3EH30WgxS7yibZrrgUNZ5oUA==
+
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 AOv+QOEoFKGsvaulwjIRAZGwmfP7uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLR68akLSCoOCDPyq6ev7YW3Onzyr7GzZwAmZOEqLoUEfiocdrKflbl7rmd/CH1KA++xi+HhFgXtDOgx9obhv/cECktyBNjIYxxgPUlMSJsRu9lotE1zxLWxgpNHYMbjN/c9m3OqkUyumHyw12d/LsrcQffRaDFLvKJtmuuBQ1nmg= ;{id = 16467 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+; from
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+16467
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MCwCFDnsiLNKQoJXnHNrz6aWN+6lA/nSAhQWmlSk9TF84ab1Sm6k9gRZVR5eKg== ;{id = 16467}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MC4CFQCZ2AIkBczph4rI+EPSWsNT54Y5+gIVAJ4UxEbgD0FKNRFNHQ7SBy0g0lHz ;{id = 16467}
+ENTRY_END
+
diff --git a/testdata/test_signatures.6 b/testdata/test_signatures.6
new file mode 100644
index 000000000..ee8fd648c
--- /dev/null
+++ b/testdata/test_signatures.6
@@ -0,0 +1,47 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
+; ./ldns-keygen -a DSAMD5 -b 768 nlnetlabs.nl
+; Knlnetlabs.nl.+003+46572
+
+; nlnetlabs.nl. 3600 IN DS 46572 3 1 f4d76788032fe53f69021e408df2d99688e1804a
+; Private-key-format: v1.2
+; Algorithm: 3 (DSA)
+; Prime(p): 5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnH
+; Subprime(q): 2Hc5Scs3iApxThBkQi13NpogZec=
+; Base(g): ugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npN
+; Private_value(x): x4jMbAt0XBIqZMMQpL3EphYPbNQ=
+; Public_value(y): g+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNsv
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. 3600 IN DNSKEY 256 3 3 BNh3OUnLN4gKcU4QZEItdzaaIGXn5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnHugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npNg+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNs= ;{id = 46572 (zsk), size = 768b}
+ENTRY_END
+
+; entry to test
+; from
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+46572
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN SOA
+SECTION ANSWER
+nlnetlabs.nl. 10200 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800 7200 604800 3600 )
+nlnetlabs.nl. 10200 IN RRSIG SOA 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MCwCFFiVJdL2mGM2mhHDqjdwfmujIPUQAhRGJm4G+6c+CEr80iC4cIRLbkAjtA== ;{id = 46572}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN NS
+SECTION ANSWER
+nlnetlabs.nl. 10200 NS omval.tednet.nl.
+nlnetlabs.nl. 10200 NS ns7.domain-registry.nl.
+nlnetlabs.nl. 10200 NS open.nlnetlabs.nl.
+nlnetlabs.nl. 10200 IN RRSIG NS 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MC0CFHGST66bXko/skkeP0A7SQb4u6tGAhUAu6VeC40sFUN5WOFfIjyQQoK/wv4= ;{id = 46572}
+ENTRY_END
+
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index e1f35eccb..9a55c4b8e 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1243,21 +1243,33 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 switch(algo) {
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
- EVP_PKEY_assign_DSA(evp_key,
- ldns_key_buf2dsa_raw(key, keylen));
+ if(EVP_PKEY_assign_DSA(evp_key,
+ ldns_key_buf2dsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_DSA failed");
+ return 0;
+ }
 *digest_type = EVP_dss1();
 break;
 case LDNS_RSASHA1:
 case LDNS_RSASHA1_NSEC3:
- EVP_PKEY_assign_RSA(evp_key,
- ldns_key_buf2rsa_raw(key, keylen));
+ if(EVP_PKEY_assign_RSA(evp_key,
+ ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA SHA1 failed");
+ return 0;
+ }
 *digest_type = EVP_sha1();
 break;
 case LDNS_RSAMD5:
- EVP_PKEY_assign_RSA(evp_key,
- ldns_key_buf2rsa_raw(key, keylen));
+ if(EVP_PKEY_assign_RSA(evp_key,
+ ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA MD5 failed");
+ return 0;
+ }
 *digest_type = EVP_md5();
 break;
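Review bot: The new `== 0` checks catch a malformed DNSKEY only indirectly: when `ldns_key_buf2dsa_raw` or `ldns_key_buf2rsa_raw` cannot parse the key it returns NULL, and the code relies on `EVP_PKEY_assign_DSA`/`EVP_PKEY_assign_RSA` treating a NULL key as failure, which folds "bad key in the RRset" and "OpenSSL could not assign the key" into one log line and, if assign ever fails on a non-NULL object, leaks that object because ownership was not taken. Parse into a local first and free it on the failure path, for the DSA case `DSA* dsa = ldns_key_buf2dsa_raw(key, keylen); if(!dsa || EVP_PKEY_assign_DSA(evp_key, dsa) == 0) { DSA_free(dsa); verbose(VERB_QUERY, "verify: bad DSA key or EVP_PKEY_assign_DSA failed"); return 0; }` (DSA_free accepts NULL), and the same with RSA/RSA_free for the LDNS_RSASHA1 and LDNS_RSAMD5 cases. The three cases differ only in key type and digest, so a small static helper per key type would also remove the triplicated check. The switch continues past the hunk, and the hunk's old/new line counts (21/33) exceed the lines visible here, so a few context lines of it are not shown.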
@@ -1302,20 +1314,38 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 /* if it is a DSA signature in XXX format, convert to DER format */
 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && sigblock_len > 0 &&
 sigblock[0] == 0) {
+ log_info("setup_dsa_sig_needed");
 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
 return sec_status_bogus;
 }
 dofree = 1;
- }
+ } else if(algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)
+ log_info("setup_dsa_sig_nope");
 
 /* do the signature cryptography work */
 EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit(&ctx, digest_type);
- EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf),
- (unsigned int)ldns_buffer_limit(buf));
+ if(EVP_VerifyInit(&ctx, digest_type) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+ if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf),
+ (unsigned int)ldns_buffer_limit(buf)) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+
 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
- EVP_MD_CTX_cleanup(&ctx);
+ if(EVP_MD_CTX_cleanup(&ctx) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
 EVP_PKEY_free(evp_key);
 if(dofree)