Fixup unbound. Now still a switch DSA(ldns) DSA(bind) ...

git-svn-id: file:///svn/unbound/trunk@1052 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 06:37:08 +00:00 · 2008-04-15 18:01:14 +00:00 · 2008-04-15 18:01:14 +00:00 · c858743222
commit c858743222
parent 9ab79dc0dc
6 changed files with 113 additions and 32 deletions
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@ -462,17 +462,22 @@ verify_test()
 	printf("verify test\n");
 	verifytest_file("testdata/test_signatures.1", "20070818005004");
 	log_info("test_signatures.2");
+	verbosity=3;
+	/*
 	verifytest_file("testdata/test_signatures.2", "20080414005004");
 	log_info("test_signatures.3");
 	verifytest_file("testdata/test_signatures.3", "20080416005004");
-	/*
 	log_info("test_signatures.4");
 	verifytest_file("testdata/test_signatures.4", "20080416005004");
+	*/
 	log_info("test_signatures.5");
 	verifytest_file("testdata/test_signatures.5", "20080416005004");
 	log_info("test_signatures.6");
 	verifytest_file("testdata/test_signatures.6", "20080416005004");
-	*/
+	log_info("test_signatures.7");
+	verifytest_file("testdata/test_signatures.7", "20070829144150");
+	log_info("test_signatures.8");
+	verifytest_file("testdata/test_signatures.8", "20070829144150");
 	dstest_file("testdata/test_ds_sig.1");
 	nsectest();
 	nsec3_hash_test("testdata/test_nsec3_hash.1");
--- a/testdata/test_signatures.5
+++ b/testdata/test_signatures.5
@ -5,35 +5,34 @@

 ; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
 ; ./ldns-keygen -a DSAMD5 -b 512 nlnetlabs.nl
-; Knlnetlabs.nl.+003+16467
+; Knlnetlabs.nl.+003+08866

-; nlnetlabs.nl.   3600    IN      DS      16467 3 1 fd67ce8624a0ffd16fa77e132551355f39d38b80
+; nlnetlabs.nl.   3600    IN      DS      8866 3 1 1300e7258af98cef40a47e6ac1e34ea79cb4b27f
 ; Private-key-format: v1.2
 ; Algorithm: 3 (DSA)
-; Prime(p): uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLRw==
-; Subprime(q): 6/5A4SgUoay9q6XCMhEBkbCZ8/s=
-; Base(g): rxqQtIKg4IM/Krp6/thbc6fPKvsbNnACZk4SouhQR+Khx2sp+VuXuuZ38IfUoD77GL4eEWBe0M6DH2huG/9wQA==
-; Private_value(x): n8FhvxOt6xy5d3S9A3RulEHYrw0=
-; Public_value(y): pLcgTYyGMcYD1JTEibEbvZaLRNc8S1sYKTR2DG4zf3PZtzqpFMrph8sNdnfy7K3EH30WgxS7yibZrrgUNZ5oUA==
-
+; Prime(p): qp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRQ==
+; Subprime(q): iTRl4piaQvy9yxIsz/c5pAaVIeM=
+; Base(g): RJhjYU22ooiTKltbGmIR6OfXZjKDBfSODrT3e3/IrwiT8oQZriDFZkExYKrKqoqZFn7y0esTf9Bwvx2IhGabQw==
+; Private_value(x): gYjuQexf8JiiVBvCcxpXO+QaD88=
+; Public_value(y): aPtEU9ui/w2+9aFnCrWUB/fGvMEyAyLyGCCaT/N+l8bPYDPCv+wDxEKHoM3HT/ZOf3RuCE/CYKVK7CDX6+AZrA==

 ; DSA key from ldns tool
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl.	IN DNSKEY
 SECTION ANSWER
-nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 AOv+QOEoFKGsvaulwjIRAZGwmfP7uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLR68akLSCoOCDPyq6ev7YW3Onzyr7GzZwAmZOEqLoUEfiocdrKflbl7rmd/CH1KA++xi+HhFgXtDOgx9obhv/cECktyBNjIYxxgPUlMSJsRu9lotE1zxLWxgpNHYMbjN/c9m3OqkUyumHyw12d/LsrcQffRaDFLvKJtmuuBQ1nmg= ;{id = 16467 (zsk), size = 512b}
+nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 AIk0ZeKYmkL8vcsSLM/3OaQGlSHjqp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRUSYY2FNtqKIkypbWxpiEejn12YygwX0jg6093t/yK8Ik/KEGa4gxWZBMWCqyqqKmRZ+8tHrE3/QcL8diIRmm0No+0RT26L/Db71oWcKtZQH98a8wTIDIvIYIJpP836Xxs9gM8K/7APEQoegzcdP9k5/dG4IT8JgpUrsINfr4Bms ;{id = 8866 (zsk), size = 512b}
 ENTRY_END

 ; entry to test
 ; from
-; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+16467
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+08866
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl. IN SOA
 SECTION ANSWER
 nlnetlabs.nl.   10200   IN SOA  open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800      7200       604800     3600       )
-nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MCwCFDnsiLNKQoJXnHNrz6aWN+6lA/nSAhQWmlSk9TF84ab1Sm6k9gRZVR5eKg== ;{id = 16467}
+nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MC0CFFI7JB0x4xaO0qhe9iQGk0eot8zGAhUAg/SFtf5MrR7DEkmd6vm2xf+SN9M= ;{id = 8866}
 ENTRY_END

 ENTRY_BEGIN
@ -43,6 +42,7 @@ SECTION ANSWER
 nlnetlabs.nl. 10200   NS      omval.tednet.nl.
 nlnetlabs.nl. 10200   NS      ns7.domain-registry.nl.
 nlnetlabs.nl. 10200 NS      open.nlnetlabs.nl.
-nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MC4CFQCZ2AIkBczph4rI+EPSWsNT54Y5+gIVAJ4UxEbgD0FKNRFNHQ7SBy0g0lHz ;{id = 16467}
+nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MCwCFFHwxz9Kx7Un60vLMMoOrZizagNrAhR6OskQNF/KVL5/xanbOmK3ZUj0vw== ;{id = 8866}
+
 ENTRY_END

--- a/testdata/test_signatures.6
+++ b/testdata/test_signatures.6
@ -5,34 +5,34 @@

 ; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
 ; ./ldns-keygen -a DSAMD5 -b 768 nlnetlabs.nl
-; Knlnetlabs.nl.+003+46572
+; Knlnetlabs.nl.+003+51124

-; nlnetlabs.nl.   3600    IN      DS      46572 3 1 f4d76788032fe53f69021e408df2d99688e1804a
+; nlnetlabs.nl.   3600    IN      DS      51124 3 1 6f7e3ea1d525f3428ce342596f7375b1c3a71c51
 ; Private-key-format: v1.2
 ; Algorithm: 3 (DSA)
-; Prime(p): 5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnH
-; Subprime(q): 2Hc5Scs3iApxThBkQi13NpogZec=
-; Base(g): ugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npN
-; Private_value(x): x4jMbAt0XBIqZMMQpL3EphYPbNQ=
-; Public_value(y): g+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNsv
+; Prime(p): 1kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8Kx
+; Subprime(q): 3GwgwvHRyOeXNgZqR/5XpaNs6Pc=
+; Base(g): Rw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT
+; Private_value(x): OoN8CQisHVjCIET7B3WdAwERRro=
+; Public_value(y): 08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY

 ; DSA key from ldns tool
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl.	IN DNSKEY
 SECTION ANSWER
-nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 BNh3OUnLN4gKcU4QZEItdzaaIGXn5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnHugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npNg+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNs= ;{id = 46572 (zsk), size = 768b}
+nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 BNxsIMLx0cjnlzYGakf+V6WjbOj31kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8KxRw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY ;{id = 51124 (zsk), size = 768b}
 ENTRY_END

 ; entry to test
 ; from
-; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+46572
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+51124
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl. IN SOA
 SECTION ANSWER
 nlnetlabs.nl.   10200   IN SOA  open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800      7200       604800     3600       )
-nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MCwCFFiVJdL2mGM2mhHDqjdwfmujIPUQAhRGJm4G+6c+CEr80iC4cIRLbkAjtA== ;{id = 46572}
+nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MC0CFB3cRDHQROzkGp4NtLNc4jDA1lhWAhUAgsbb8VMxGqifShEzuCNgczxDHHg= ;{id = 51124}
 ENTRY_END

 ENTRY_BEGIN
@ -42,6 +42,7 @@ SECTION ANSWER
 nlnetlabs.nl. 10200   NS      omval.tednet.nl.
 nlnetlabs.nl. 10200   NS      ns7.domain-registry.nl.
 nlnetlabs.nl. 10200 NS      open.nlnetlabs.nl.
-nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MC0CFHGST66bXko/skkeP0A7SQb4u6tGAhUAu6VeC40sFUN5WOFfIjyQQoK/wv4= ;{id = 46572}
+nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MCwCFEzgEjT0n/ooV/xZkRMzKNqeF4pkAhQxEPFtMt5LbIlsi9mSi0HS4+RZuA== ;{id = 51124}
+
 ENTRY_END

--- a/testdata/test_signatures.7
+++ b/testdata/test_signatures.7
@ -0,0 +1,32 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+; DSA Key from ldns tool, key used in the testbound tests.
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.	IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.    IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+ns.example.com.         IN      A
+SECTION ANSWER
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
--- a/testdata/test_signatures.8
+++ b/testdata/test_signatures.8
@ -0,0 +1,24 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+; RSA Key from ldns tool, key used in the testbound tests.
+
+; RSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+sub.example.com.	IN DNSKEY
+SECTION ANSWER
+sub.example.com.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.sub.example.com.    IN      A 
+SECTION ANSWER
+www.sub.example.com.    3600    IN      A       11.11.11.11
+www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
+ENTRY_END
+
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@ -1240,11 +1240,19 @@ static int
 setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, 
 	unsigned char* key, size_t keylen)
 {
+	DSA* dsa;
+	RSA* rsa;
+
 	switch(algo) {
 		case LDNS_DSA:
 		case LDNS_DSA_NSEC3:
-			if(EVP_PKEY_assign_DSA(evp_key, 
-				ldns_key_buf2dsa_raw(key, keylen)) == 0) {
+			dsa = ldns_key_buf2dsa_raw(key, keylen);
+			if(!dsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2dsa_raw failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
 				verbose(VERB_QUERY, "verify: "
 					"EVP_PKEY_assign_DSA failed");
 				return 0;
@ -1254,8 +1262,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 			break;
 		case LDNS_RSASHA1:
 		case LDNS_RSASHA1_NSEC3:
-			if(EVP_PKEY_assign_RSA(evp_key, 
-				ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+			rsa = ldns_key_buf2rsa_raw(key, keylen);
+			if(!rsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2rsa_raw SHA1 failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
 				verbose(VERB_QUERY, "verify: "
 					"EVP_PKEY_assign_RSA SHA1 failed");
 				return 0;
@ -1264,8 +1277,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,

 			break;
 		case LDNS_RSAMD5:
-			if(EVP_PKEY_assign_RSA(evp_key, 
-				ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+			rsa = ldns_key_buf2rsa_raw(key, keylen);
+			if(!rsa) {
+				verbose(VERB_QUERY, "verify: "
+					"ldns_key_buf2rsa_raw MD5 failed");
+				return 0;
+			}
+			if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
 				verbose(VERB_QUERY, "verify: "
 					"EVP_PKEY_assign_RSA MD5 failed");
 				return 0;
@ -1313,7 +1331,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 	}
 	/* if it is a DSA signature in XXX format, convert to DER format */
 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
-		sigblock_len > 0 && sigblock[0] == 0) {
+		0) { /*sigblock_len > 0 && sigblock[0] == 0) {*/
 		log_info("setup_dsa_sig_needed");
 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
@ -1354,6 +1372,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 	if(res == 1) {
 		return sec_status_secure;
 	} else if(res == 0) {
+		verbose(VERB_QUERY, "verify: signature mismatch");
 		return sec_status_bogus;
 	}