TEST(unbound, supported_algorithms)
{
  // Monero causes these DNSSEC algorithms to be tried, but the unbound
  // header that names them is internal and not reachable from here, so
  // the raw IANA algorithm numbers are used instead:
  //   5  = LDNS_RSASHA1
  //   7  = LDNS_RSASHA1_NSEC3
  //   8  = LDNS_RSASHA256        (RFC 5702)
  //   13 = LDNS_ECDSAP256SHA256  (RFC 6605)
  // NOTE(review): 5 and 7 are SHA-1 based. If the bundled unbound ever
  // drops them from its supported set, this test is where that surfaces.
  static const int algos[] = { 5, 7, 8, 13 };
  for (int algo : algos)
    ASSERT_TRUE(dnskey_algo_id_is_supported(algo)) << "algorithm " << algo;
}
/**
 * Unit test driver for the signature verification code.
 * Runs the signature, DS, NSEC and NSEC3 test files that this build's
 * crypto backend can handle; every group is compiled in only when the
 * matching algorithm family (SHA1, DSA, SHA2, GOST, ECDSA) is enabled.
 * The second argument of each verifytest_file call looks like a fixed
 * "now" in YYYYMMDDHHMMSS form so that signatures whose validity window
 * is long past still verify — confirm against verifytest_file.
 */
void verify_test(void)
{
	unit_show_feature("signature verify");
#ifdef USE_SHA1
	verifytest_file("testdata/test_signatures.1", "20070818005004");
#endif
	/* DSA signatures are SHA1-based, so both features must be present */
#if defined(USE_DSA) && defined(USE_SHA1)
	verifytest_file("testdata/test_signatures.2", "20080414005004");
	verifytest_file("testdata/test_signatures.3", "20080416005004");
	verifytest_file("testdata/test_signatures.4", "20080416005004");
	verifytest_file("testdata/test_signatures.5", "20080416005004");
	verifytest_file("testdata/test_signatures.6", "20080416005004");
	verifytest_file("testdata/test_signatures.7", "20070829144150");
#endif /* USE_DSA */
#ifdef USE_SHA1
	verifytest_file("testdata/test_signatures.8", "20070829144150");
#endif
	/* RSA/SHA-256: needs the SHA2 feature and a backend that provides it */
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
	verifytest_file("testdata/test_sigs.rsasha256", "20070829144150");
	/* mixed SHA1 and SHA-256 signatures in one file */
# ifdef USE_SHA1
	verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150");
# endif
	verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000");
#endif
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
	verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150");
#endif
#ifdef USE_SHA1
	verifytest_file("testdata/test_sigs.hinfo", "20090107100022");
	/* a key with the REVOKE bit set */
	verifytest_file("testdata/test_sigs.revoked", "20080414005004");
#endif
#ifdef USE_GOST
	/* GOST is loadable at run time; a missing engine only prints a
	 * warning to stdout, it is not reported as a test failure */
	if(sldns_key_EVP_load_gost_id())
		verifytest_file("testdata/test_sigs.gost", "20090807060504");
	else printf("Warning: skipped GOST, openssl does not provide gost.\n");
#endif
#ifdef USE_ECDSA
	/* test for support in case we use libNSS and ECC is removed */
	/* NOTE(review): only the P-256 algorithm id is probed, and the P-384
	 * file runs under the same gate; a backend with P-256 but not P-384
	 * would fail that second file rather than skip it. */
	if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
		verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
		verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
	}
	dstest_file("testdata/test_ds.sha384");
#endif
#ifdef USE_SHA1
	dstest_file("testdata/test_ds.sha1");
#endif
	/* denial-of-existence checks do not depend on the crypto backend */
	nsectest();
	nsec3_hash_test("testdata/test_nsec3_hash.1");
}
/**
 * Initialise the set of needed algorithms from a zero-terminated list.
 * @param n: the algo_needs structure to (re)initialise; every entry of
 *	n->needs is cleared first, then one entry is set per listed algorithm.
 * @param sigalg: zero-terminated array of DNSKEY algorithm numbers.
 *	Every entry must be a supported algorithm and must not repeat; both
 *	conditions are asserted rather than handled, so only trusted,
 *	internally built lists may be passed here.
 * The number of listed algorithms is stored in n->num.
 */
void
algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg)
{
	size_t count = 0;
	const uint8_t* p = sigalg;

	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
	for(; *p != 0; p++) {
		uint8_t id = *p;
		/* the list is produced by our own code: an unsupported or
		 * duplicate entry is a programming error, not input */
		log_assert(dnskey_algo_id_is_supported((int)id));
		log_assert(n->needs[id] == 0);
		n->needs[id] = 1;
		count++;
	}
	n->num = count;
}
/**
 * Extend the needed-algorithm set with the algorithms of a DNSKEY rrset.
 * Algorithms already marked in n->needs are skipped, as are algorithm
 * numbers this build cannot verify, so every number appended to sigalg
 * is both supported and unique.
 * @param n: algo_needs structure, already initialised (n->num entries).
 * @param dnskey: the DNSKEY rrset whose algorithms are added.
 * @param sigalg: the zero-terminated algorithm list that n was built from;
 *	new algorithms are appended after the existing n->num entries and
 *	the terminating zero is rewritten.
 *	NOTE(review): no length is passed for sigalg, so the caller must
 *	size it for every distinct supported algorithm plus the terminator
 *	(presumably ALGO_NEEDS_MAX+1) — confirm against the callers.
 */
void
algo_needs_init_dnskey_add(struct algo_needs* n,
	struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
{
	size_t idx;
	size_t keycount = rrset_get_count(dnskey);
	size_t used = n->num;

	for(idx=0; idx<keycount; idx++) {
		uint8_t id = (uint8_t)dnskey_get_algo(dnskey, idx);
		if(!dnskey_algo_id_is_supported((int)id))
			continue;
		if(n->needs[id] != 0)
			continue;  /* already required, listed once only */
		n->needs[id] = 1;
		sigalg[used++] = id;
	}
	sigalg[used] = 0;
	n->num = used;
}
/**
 * Verify one RRSIG of an rrset against a DNSKEY rrset.
 * Every key whose algorithm and key tag match the signature is tried in
 * turn; the first key that verifies makes the result secure.
 * @param env: module environment; its scratch region and buffer are
 *	handed to the per-key check.
 * @param ve: validator environment.
 * @param now: current time, used for the signature validity window.
 * @param rrset: the signed rrset.
 * @param dnskey: the DNSKEY rrset to take candidate keys from.
 * @param sig_idx: index of the RRSIG to check within rrset.
 * @param sortree: canonical sort tree, passed through to the per-key
 *	check and shared across the key loop.
 * @param reason: on failure, set to a string describing it. This
 *	function sets it itself when no key matched; for a matching key
 *	that fails, the per-key check presumably sets it — confirm.
 * @return sec_status_secure if a matching key verifies the signature;
 *	sec_status_insecure if the signature's algorithm is not supported
 *	by this build (the signature cannot be judged at all);
 *	sec_status_bogus otherwise, including when no key matches.
 * NOTE(review): every key with a matching tag and algorithm costs one
 * signature verification, and nothing here bounds how many are tried;
 * a keyset with many colliding key tags makes one RRSIG expensive.
 */
enum sec_status
dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
	time_t now, struct ub_packed_rrset_key* rrset,
	struct ub_packed_rrset_key* dnskey, size_t sig_idx,
	struct rbtree_t** sortree, char** reason)
{
	uint16_t keytag = rrset_get_sig_keytag(rrset, sig_idx);
	int sigalgo = rrset_get_sig_algo(rrset, sig_idx);
	size_t keycount = rrset_get_count(dnskey);
	size_t matched = 0;
	size_t k;
	/* the per-key check records in this flag whether it already
	 * canonicalised the rrset into the buffer, so it must live across
	 * the whole key loop and start cleared */
	int canon_done = 0;

	verbose(VERB_ALGO, "verify sig %d %d", (int)keytag, sigalgo);
	if(!dnskey_algo_id_is_supported(sigalgo)) {
		verbose(VERB_QUERY, "verify sig: unknown algorithm");
		return sec_status_insecure;
	}

	for(k=0; k<keycount; k++) {
		/* algorithm first; the key tag is only computed on a match */
		if(dnskey_get_algo(dnskey, k) != sigalgo)
			continue;
		if(dnskey_calc_keytag(dnskey, k) != keytag)
			continue;
		matched++;
		if(dnskey_verify_rrset_sig(env->scratch, env->scratch_buffer,
			ve, now, rrset, dnskey, k, sig_idx, sortree,
			&canon_done, reason) == sec_status_secure)
			return sec_status_secure;
	}

	if(matched == 0) {
		*reason = "signatures from unknown keys";
		verbose(VERB_QUERY, "verify: could not find appropriate key");
	}
	return sec_status_bogus;
}
/**
 * Initialise the needed-algorithm set from a DS rrset.
 * Only DS records carrying the favourite digest algorithm are considered
 * (the caller has already chosen which digest type to trust), and of
 * those only the ones whose key algorithm this build can verify.
 * @param n: the algo_needs structure; n->needs is cleared first.
 * @param ds: the DS rrset.
 * @param fav_ds_algo: the DS digest algorithm to select on.
 * @param sigalg: output, zero-terminated list of the selected key
 *	algorithms, each listed once. No length is passed; the caller
 *	sizes it.
 * The number of listed algorithms is stored in n->num.
 */
void
algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
	int fav_ds_algo, uint8_t* sigalg)
{
	size_t idx;
	size_t dscount = rrset_get_count(ds);
	size_t listed = 0;

	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
	for(idx=0; idx<dscount; idx++) {
		uint8_t id;
		if(ds_get_digest_algo(ds, idx) != fav_ds_algo)
			continue;
		id = (uint8_t)ds_get_key_algo(ds, idx);
		if(!dnskey_algo_id_is_supported((int)id))
			continue;
		/* zero terminates sigalg, so a supported algorithm must
		 * never be zero */
		log_assert(id != 0);
		if(n->needs[id] != 0)
			continue;  /* already listed */
		n->needs[id] = 1;
		sigalg[listed++] = id;
	}
	sigalg[listed] = 0;
	n->num = listed;
}
/**
 * Check whether the algorithm of one DNSKEY in an rrset can be verified
 * by this build.
 * @param dnskey_rrset: the DNSKEY rrset.
 * @param dnskey_idx: index of the key within the rrset.
 * @return nonzero if the key's algorithm number is supported.
 */
int
dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
	size_t dnskey_idx)
{
	int algo_id = dnskey_get_algo(dnskey_rrset, dnskey_idx);
	return dnskey_algo_id_is_supported(algo_id);
}