コード例 #1
ファイル: unbound.cpp プロジェクト: Coder420/bitmonero
TEST(unbound, supported_algorithms)
{
  // Checks that dnskey_algo_id_is_supported() accepts each DNSSEC
  // algorithm number listed below.
  //
  // Monero causes these to be tried, but we don't have access
  // to this internal unbound header here, so we use raw numbers
  // LDNS_RSASHA1            = 5,
  // LDNS_RSASHA1_NSEC3      = 7,
  // LDNS_RSASHA256          = 8,   /* RFC 5702 */
  // LDNS_ECDSAP256SHA256    = 13,  /* RFC 6605 */
  //
  // NOTE(review): the literals are not checked against the unbound header,
  // so they must be kept in sync by hand. 5 and 7 are the SHA-1 based
  // algorithms; a resolver library built without SHA-1 validation would
  // presumably fail the first two assertions - confirm that this is the
  // intended signal for such a build.

  ASSERT_TRUE(dnskey_algo_id_is_supported(5));
  ASSERT_TRUE(dnskey_algo_id_is_supported(7));
  ASSERT_TRUE(dnskey_algo_id_is_supported(8));
  ASSERT_TRUE(dnskey_algo_id_is_supported(13));
}
コード例 #2
ファイル: unitverify.c プロジェクト: Bluecoreg/monero
/*
 * Unit-test driver for signature verification: runs verifytest_file() over
 * the signature fixtures under testdata/, then the DS, NSEC and NSEC3 hash
 * tests. Each group is compiled in only when the matching build-time
 * feature macro is defined, so a build with fewer algorithms simply runs
 * fewer checks here.
 *
 * NOTE(review): the second argument of verifytest_file() looks like a
 * YYYYMMDDHHMMSS timestamp, presumably the time at which the fixture's
 * signatures are evaluated - confirm against verifytest_file().
 */
void 
verify_test(void)
{
	unit_show_feature("signature verify");
	/* fixtures guarded by USE_SHA1 are skipped when SHA-1 is compiled out */
#ifdef USE_SHA1
	verifytest_file("testdata/test_signatures.1", "20070818005004");
#endif
	/* these fixtures need both DSA and SHA-1 to be compiled in */
#if defined(USE_DSA) && defined(USE_SHA1)
	verifytest_file("testdata/test_signatures.2", "20080414005004");
	verifytest_file("testdata/test_signatures.3", "20080416005004");
	verifytest_file("testdata/test_signatures.4", "20080416005004");
	verifytest_file("testdata/test_signatures.5", "20080416005004");
	verifytest_file("testdata/test_signatures.6", "20080416005004");
	verifytest_file("testdata/test_signatures.7", "20070829144150");
#endif /* USE_DSA */
#ifdef USE_SHA1
	verifytest_file("testdata/test_signatures.8", "20070829144150");
#endif
	/* SHA-256 fixtures: need USE_SHA2 plus one crypto backend providing it */
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
	verifytest_file("testdata/test_sigs.rsasha256", "20070829144150");
	/* the mixed SHA-1/SHA-256 fixture additionally needs SHA-1 */
#  ifdef USE_SHA1
	verifytest_file("testdata/test_sigs.sha1_and_256", "20070829144150");
#  endif
	verifytest_file("testdata/test_sigs.rsasha256_draft", "20090101000000");
#endif
	/* SHA-512 fixture: same backend condition, keyed on HAVE_EVP_SHA512 */
#if (defined(HAVE_EVP_SHA512) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
	verifytest_file("testdata/test_sigs.rsasha512_draft", "20070829144150");
#endif
#ifdef USE_SHA1
	verifytest_file("testdata/test_sigs.hinfo", "20090107100022");
	verifytest_file("testdata/test_sigs.revoked", "20080414005004");
#endif
#ifdef USE_GOST
	/* runtime probe: the GOST fixture runs only if the id loads; otherwise
	 * the skip is reported on stdout and the test carries on */
	if(sldns_key_EVP_load_gost_id())
	  verifytest_file("testdata/test_sigs.gost", "20090807060504");
	else printf("Warning: skipped GOST, openssl does not provide gost.\n");
#endif
#ifdef USE_ECDSA
	/* test for support in case we use libNSS and ECC is removed */
	/* NOTE(review): unlike the GOST case, nothing is printed when this
	 * check fails, so missing ECDSA coverage is silent */
	if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
		verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
		verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
	}
	/* outside the support check: runs whenever USE_ECDSA is defined */
	dstest_file("testdata/test_ds.sha384");
#endif
#ifdef USE_SHA1
	dstest_file("testdata/test_ds.sha1");
#endif
	/* the NSEC and NSEC3 hash tests are not behind any feature macro */
	nsectest();
	nsec3_hash_test("testdata/test_nsec3_hash.1");
}
コード例 #3
ファイル: val_sigcrypt.c プロジェクト: 2trill2spill/freebsd
/**
 * Reset the needs table and mark every algorithm from a 0-terminated list.
 * @param n: table to initialise; n->needs is cleared and n->num is set to
 *	the number of entries read from the list.
 * @param sigalg: algorithm ids, terminated by a 0 byte.
 */
void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg)
{
	uint8_t* cur;
	size_t count = 0;

	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
	for(cur = sigalg; *cur != 0; cur++) {
		/* The list is expected to hold only supported ids, each once.
		 * NOTE(review): these assertions are the only validation here;
		 * if log_assert is compiled out in release builds the list is
		 * trusted as given - confirm callers build it from checked ids. */
		log_assert(dnskey_algo_id_is_supported((int)*cur));
		log_assert(n->needs[*cur] == 0);
		n->needs[*cur] = 1;
		count++;
	}
	n->num = count;
}
コード例 #4
ファイル: val_sigcrypt.c プロジェクト: 2trill2spill/freebsd
/**
 * Add the supported algorithms of a DNSKEY rrset to an existing needs table.
 * Algorithms already marked in n->needs are not added again.
 * @param n: table to extend; n->num is updated to the new entry count.
 * @param dnskey: DNSKEY rrset whose key algorithms are examined.
 * @param sigalg: algorithm list; new ids are appended starting at index
 *	n->num and the list is 0-terminated again afterwards.
 *	NOTE(review): no bound on sigalg is checked here; the caller has to
 *	provide room for every distinct id plus the terminator - confirm the
 *	buffer size at the call sites.
 */
void algo_needs_init_dnskey_add(struct algo_needs* n,
        struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
{
	size_t count = n->num;
	size_t nkeys = rrset_get_count(dnskey);
	size_t k;

	for(k = 0; k < nkeys; k++) {
		uint8_t a = (uint8_t)dnskey_get_algo(dnskey, k);
		/* NOTE(review): unlike algo_needs_init_ds there is no assertion
		 * that a != 0; this relies on the support check rejecting 0,
		 * which would otherwise terminate the list early - confirm. */
		if(dnskey_algo_id_is_supported((int)a) && n->needs[a] == 0) {
			n->needs[a] = 1;
			sigalg[count++] = a;
		}
	}
	sigalg[count] = 0;
	n->num = count;
}
コード例 #5
ファイル: val_sigcrypt.c プロジェクト: 2trill2spill/freebsd
/**
 * Verify one signature of an rrset against every DNSKEY that matches the
 * signature's key tag and algorithm.
 * @param env: module environment; its scratch region and scratch buffer are
 *	handed to the per-key verification.
 * @param ve: validator environment, passed through.
 * @param now: time value passed through to the per-key verification.
 * @param rrset: rrset carrying the signature.
 * @param dnskey: DNSKEY rrset to pick candidate keys from.
 * @param sig_idx: index of the signature in rrset.
 * @param sortree: passed through to the per-key verification.
 * @param reason: set to a fixed string when no key matched; otherwise left
 *	to the per-key verification.
 * @return sec_status_insecure if the signature algorithm is not supported,
 *	sec_status_secure as soon as one key verifies, else sec_status_bogus.
 */
enum sec_status 
dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, 
	time_t now, struct ub_packed_rrset_key* rrset, 
	struct ub_packed_rrset_key* dnskey, size_t sig_idx, 
	struct rbtree_t** sortree, char** reason)
{
	const uint16_t keytag = rrset_get_sig_keytag(rrset, sig_idx);
	const int sig_algo = rrset_get_sig_algo(rrset, sig_idx);
	const size_t nkeys = rrset_get_count(dnskey);
	size_t tried = 0;
	size_t k;
	int buf_canon = 0;

	verbose(VERB_ALGO, "verify sig %d %d", (int)keytag, sig_algo);
	/* An unsupported algorithm yields insecure, not bogus: the signature
	 * cannot be judged at all, which is different from failing a check. */
	if(!dnskey_algo_id_is_supported(sig_algo)) {
		verbose(VERB_QUERY, "verify sig: unknown algorithm");
		return sec_status_insecure;
	}

	/* NOTE(review): one full signature verification runs per key that
	 * matches (algo, keytag); this function does not cap that count, so
	 * a key set with many colliding tags costs one crypto operation each.
	 * Confirm that a caller bounds the total work. */
	for(k = 0; k < nkeys; k++) {
		if(sig_algo == dnskey_get_algo(dnskey, k) &&
			keytag == dnskey_calc_keytag(dnskey, k)) {
			tried++;
			/* the first key that verifies settles the result */
			if(dnskey_verify_rrset_sig(env->scratch,
				env->scratch_buffer, ve, now, rrset, dnskey, k,
				sig_idx, sortree, &buf_canon, reason)
				== sec_status_secure)
				return sec_status_secure;
		}
	}
	if(tried == 0) {
		/* no candidate key at all: report that, the status stays bogus */
		*reason = "signatures from unknown keys";
		verbose(VERB_QUERY, "verify: could not find appropriate key");
	}
	return sec_status_bogus;
}
コード例 #6
ファイル: val_sigcrypt.c プロジェクト: 2trill2spill/freebsd
/**
 * Initialise a needs table from the DS records that use the favoured digest
 * algorithm, keeping only key algorithms that are supported.
 * @param n: table to initialise; n->needs is cleared and n->num is set to
 *	the number of distinct algorithms recorded.
 * @param ds: DS rrset to read digest and key algorithms from.
 * @param fav_ds_algo: digest algorithm a DS record must use to be counted.
 * @param sigalg: output list of recorded algorithm ids, 0-terminated.
 *	NOTE(review): no bound on sigalg is checked here; the caller has to
 *	provide room for every distinct id plus the terminator - confirm the
 *	buffer size at the call sites.
 */
void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
	int fav_ds_algo, uint8_t* sigalg)
{
	size_t count = 0;
	size_t nds = rrset_get_count(ds);
	size_t k;

	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
	for(k = 0; k < nds; k++) {
		uint8_t a;

		/* DS records with another digest algorithm are ignored */
		if(ds_get_digest_algo(ds, k) != fav_ds_algo)
			continue;
		a = (uint8_t)ds_get_key_algo(ds, k);
		if(!dnskey_algo_id_is_supported((int)a))
			continue;
		/* 0 terminates the list, so it must never be stored as an id */
		log_assert(a != 0);
		if(n->needs[a] != 0)
			continue;
		n->needs[a] = 1;
		sigalg[count++] = a;
	}
	sigalg[count] = 0;
	n->num = count;
}
コード例 #7
ファイル: val_sigcrypt.c プロジェクト: 2trill2spill/freebsd
/**
 * Tell whether the algorithm of one key in a DNSKEY rrset is supported.
 * @param dnskey_rrset: DNSKEY rrset holding the key.
 * @param dnskey_idx: index of the key within the rrset.
 * @return the result of dnskey_algo_id_is_supported() for that key's
 *	algorithm id.
 */
int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
        size_t dnskey_idx)
{
	int algo = dnskey_get_algo(dnskey_rrset, dnskey_idx);

	return dnskey_algo_id_is_supported(algo);
}