Пример #1
0
void str_from_uint8_hex(uint8_t input_value, char *output_str)
	{
	str_merge("0x", output_str, 0);
	get_hex_string(input_value>>4, output_str+2);
	get_hex_string(input_value, output_str+3);
	output_str[4] = '\0';
	}
Пример #2
0
void str_from_uint32_hex(uint32_t input_value, char *output_str)
	{
	str_merge("0x", output_str, 0);
	get_hex_string(input_value>>28, output_str+2);
	get_hex_string(input_value>>24, output_str+3);
	get_hex_string(input_value>>20, output_str+4);
	get_hex_string(input_value>>16, output_str+5);
	get_hex_string(input_value>>12, output_str+6);
	get_hex_string(input_value>>8, output_str+7);
	get_hex_string(input_value>>4, output_str+8);
	get_hex_string(input_value, output_str+9);
	output_str[10] = '\0';
	}
Пример #3
0
void
rsamd5_sigverify(val_context_t * ctx,
                 const u_char *data,
                 size_t data_len,
                 const val_dnskey_rdata_t * dnskey,
                 const val_rrsig_rdata_t * rrsig,
                 val_astatus_t * key_status, val_astatus_t * sig_status)
{
    char            buf[1028];
    size_t          buflen = 1024;
    RSA            *rsa = NULL;
    u_char   md5_hash[MD5_DIGEST_LENGTH];

    val_log(ctx, LOG_DEBUG,
            "rsamd5_sigverify(): parsing the public key...");
    if ((rsa = RSA_new()) == NULL) {
        val_log(ctx, LOG_INFO,
                "rsamd5_sigverify(): could not allocate rsa structure.");
        *key_status = VAL_AC_INVALID_KEY;
        return;
    };

    if (rsamd5_parse_public_key(dnskey->public_key, dnskey->public_key_len,
                                rsa) != VAL_NO_ERROR) {
        val_log(ctx, LOG_INFO,
                "rsamd5_sigverify(): Error in parsing public key.");
        RSA_free(rsa);
        *key_status = VAL_AC_INVALID_KEY;
        return;
    }

    memset(md5_hash, 0, MD5_DIGEST_LENGTH);
    MD5(data, data_len, (u_char *) md5_hash);
    val_log(ctx, LOG_DEBUG, "rsamd5_sigverify(): MD5 hash = %s",
            get_hex_string(md5_hash, MD5_DIGEST_LENGTH, buf, buflen));

    val_log(ctx, LOG_DEBUG,
            "rsamd5_sigverify(): verifying RSA signature...");

    if (RSA_verify(NID_md5, (u_char *) md5_hash, MD5_DIGEST_LENGTH,
                   rrsig->signature, rrsig->signature_len, rsa) == 1) {
        val_log(ctx, LOG_INFO, "rsamd5_sigverify(): returned SUCCESS");
        RSA_free(rsa);
        *sig_status = VAL_AC_RRSIG_VERIFIED;
    } else {
        val_log(ctx, LOG_INFO, "rsamd5_sigverify(): returned FAILURE");
        RSA_free(rsa);
        *sig_status = VAL_AC_RRSIG_VERIFY_FAILED;
    }
    return;
}
Пример #4
0
static char    *
get_rr_string(struct val_rr_rec *rr, char *buf, size_t buflen)
{
    char           *ptr = buf;
    char           *endptr = ptr + buflen;
    while (rr) {
        get_hex_string(rr->rr_rdata, rr->rr_rdata_length, ptr,
                       endptr - ptr);
        ptr += strlen(ptr);
        rr = rr->rr_next;
    }

    return buf;
}
Пример #5
0
/*
 * print a subset of fields from "struct nfs_args" that are otherwise
 * not being provided anywhere else.
 */
void
print_nfs_args(const nfs_args_t *nap, u_long nfs_version)
{
  int fhlen = 32;	/* default: NFS V.2 file handle length is 32 */
#ifdef HAVE_TRANSPORT_TYPE_TLI
  struct netbuf *nbp;
  struct knetconfig *kncp;
#else /* not HAVE_TRANSPORT_TYPE_TLI */
  struct sockaddr_in *sap;
#endif /* not HAVE_TRANSPORT_TYPE_TLI */

  if (!nap) {
    plog(XLOG_DEBUG, "NULL nfs_args!");
    return;
  }

  /* override default file handle size */
#ifdef FHSIZE
   fhlen = FHSIZE;
#endif /* FHSIZE */
#ifdef NFS_FHSIZE
   fhlen = NFS_FHSIZE;
#endif /* NFS_FHSIZE */

#ifdef HAVE_TRANSPORT_TYPE_TLI
  nbp = nap->addr;
  plog(XLOG_DEBUG, "NA->addr {netbuf} (maxlen=%d, len=%d) = \"%s\"",
       nbp->maxlen, nbp->len,
       get_hex_string(nbp->len, nbp->buf));
  nbp = nap->syncaddr;
  plog(XLOG_DEBUG, "NA->syncaddr {netbuf} %p", nbp);
  kncp = nap->knconf;
  plog(XLOG_DEBUG, "NA->knconf->semantics %lu", (u_long) kncp->knc_semantics);
  plog(XLOG_DEBUG, "NA->knconf->protofmly \"%s\"", kncp->knc_protofmly);
  plog(XLOG_DEBUG, "NA->knconf->proto \"%s\"", kncp->knc_proto);
  plog(XLOG_DEBUG, "NA->knconf->rdev %lu", (u_long) kncp->knc_rdev);
  /* don't print knconf->unused field */
#else /* not HAVE_TRANSPORT_TYPE_TLI */
# ifdef NFS_ARGS_T_ADDR_IS_POINTER
    sap = (struct sockaddr_in *) nap->addr;
# else /* not NFS_ARGS_T_ADDR_IS_POINTER */
    sap = (struct sockaddr_in *) &nap->addr;
# endif /* not NFS_ARGS_T_ADDR_IS_POINTER */
  plog(XLOG_DEBUG, "NA->addr {sockaddr_in} (len=%d) = \"%s\"",
       (int) sizeof(struct sockaddr_in),
       get_hex_string(sizeof(struct sockaddr_in), (const char *)sap));
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
  /* as per POSIX, sin_len need not be set (used internally by kernel) */
  plog(XLOG_DEBUG, "NA->addr.sin_len = %d", sap->sin_len);
#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
  plog(XLOG_DEBUG, "NA->addr.sin_family = %d", sap->sin_family);
  plog(XLOG_DEBUG, "NA->addr.sin_port = %d", sap->sin_port);
  plog(XLOG_DEBUG, "NA->addr.sin_addr = \"%s\"",
       get_hex_string(sizeof(struct in_addr), (const char *) &sap->sin_addr));
#endif /* not HAVE_TRANSPORT_TYPE_TLI */
#ifdef HAVE_NFS_ARGS_T_ADDRLEN
  plog(XLOG_DEBUG, "NA->addrlen = %d", nap->addrlen);
#endif /* ifdef HAVE_NFS_ARGS_T_ADDRLEN */

  plog(XLOG_DEBUG, "NA->hostname = \"%s\"", nap->hostname ? nap->hostname : "null");
#ifdef HAVE_NFS_ARGS_T_NAMLEN
  plog(XLOG_DEBUG, "NA->namlen = %d", nap->namlen);
#endif /* HAVE_NFS_ARGS_T_NAMLEN */

#ifdef MNT2_NFS_OPT_FSNAME
  plog(XLOG_DEBUG, "NA->fsname = \"%s\"", nap->fsname ? nap->fsname : "null");
#endif /* MNT2_NFS_OPT_FSNAME */

#ifdef HAVE_NFS_ARGS_T_FHSIZE
  plog(XLOG_DEBUG, "NA->fhsize = %d", nap->fhsize);
  fhlen = nap->fhsize;
#endif /* HAVE_NFS_ARGS_T_FHSIZE */
#ifdef HAVE_NFS_ARGS_T_FH_LEN
  plog(XLOG_DEBUG, "NA->fh_len = %d", nap->fh_len);
  fhlen = nap->fh_len;
#endif /* HAVE_NFS_ARGS_T_FH_LEN */

  /*
   * XXX: need to figure out how to correctly print file handles,
   * since some times they are pointers, and sometimes the real structure
   * is stored in nfs_args.  Even if it is a pointer, it can be the actual
   * char[] array, or a structure containing multiple fields.
   */
  plog(XLOG_DEBUG, "NA->filehandle = \"%s\"",
       get_hex_string(fhlen, (const char *) &nap->NFS_FH_FIELD));

#ifdef HAVE_NFS_ARGS_T_SOTYPE
  plog(XLOG_DEBUG, "NA->sotype = %d", nap->sotype);
#endif /* HAVE_NFS_ARGS_T_SOTYPE */
#ifdef HAVE_NFS_ARGS_T_PROTO
  plog(XLOG_DEBUG, "NA->proto = %d", (int) nap->proto);
#endif /* HAVE_NFS_ARGS_T_PROTO */
#ifdef HAVE_NFS_ARGS_T_VERSION
  plog(XLOG_DEBUG, "NA->version = %d", nap->version);
#endif /* HAVE_NFS_ARGS_T_VERSION */

  plog(XLOG_DEBUG, "NA->flags = 0x%x", (int) nap->flags);

  plog(XLOG_DEBUG, "NA->rsize = %d", (int) nap->rsize);
  plog(XLOG_DEBUG, "NA->wsize = %d", (int) nap->wsize);
#ifdef HAVE_NFS_ARGS_T_BSIZE
  plog(XLOG_DEBUG, "NA->bsize = %d", nap->bsize);
#endif /* HAVE_NFS_ARGS_T_BSIZE */
  plog(XLOG_DEBUG, "NA->timeo = %d", (int) nap->timeo);
  plog(XLOG_DEBUG, "NA->retrans = %d", (int) nap->retrans);

#ifdef HAVE_NFS_ARGS_T_ACREGMIN
  plog(XLOG_DEBUG, "NA->acregmin = %d", (int) nap->acregmin);
  plog(XLOG_DEBUG, "NA->acregmax = %d", (int) nap->acregmax);
  plog(XLOG_DEBUG, "NA->acdirmin = %d", (int) nap->acdirmin);
  plog(XLOG_DEBUG, "NA->acdirmax = %d", (int) nap->acdirmax);
#endif /* HAVE_NFS_ARGS_T_ACREGMIN */
#ifdef MNTTAB_OPT_SYMTTL
  plog(XLOG_DEBUG, "NA->symttl = %d", nap->symttl);
#endif /* MNTTAB_OPT_SYMTTL */
#ifdef MNTTAB_OPT_PG_THRESH
  plog(XLOG_DEBUG, "NA->pg_thresh = %d", nap->pg_thresh);
#endif /* MNTTAB_OPT_PG_THRESH */

#ifdef MNT2_NFS_OPT_BIODS
  plog(XLOG_DEBUG, "NA->biods = %d", nap->biods);
#endif /* MNT2_NFS_OPT_BIODS */

}
Пример #6
0
void
dsasha1_sigverify(val_context_t * ctx,
                  const u_char *data,
                  size_t data_len,
                  const val_dnskey_rdata_t * dnskey,
                  const val_rrsig_rdata_t * rrsig,
                  val_astatus_t * key_status, val_astatus_t * sig_status)
{
    char            buf[1028];
    size_t          buflen = 1024;
    DSA            *dsa = NULL;
    u_char   sha1_hash[SHA_DIGEST_LENGTH];
    u_char   sig_asn1[2+2*(3+SHA_DIGEST_LENGTH)];

    val_log(ctx, LOG_DEBUG,
            "dsasha1_sigverify(): parsing the public key...");
    if ((dsa = DSA_new()) == NULL) {
        val_log(ctx, LOG_INFO,
                "dsasha1_sigverify(): could not allocate dsa structure.");
        *key_status = VAL_AC_INVALID_KEY;
        return;
    };

    if (dsasha1_parse_public_key
        (dnskey->public_key, dnskey->public_key_len,
         dsa) != VAL_NO_ERROR) {
        val_log(ctx, LOG_INFO,
                "dsasha1_sigverify(): Error in parsing public key.");
        DSA_free(dsa);
        *key_status = VAL_AC_INVALID_KEY;
        return;
    }

    memset(sha1_hash, 0, SHA_DIGEST_LENGTH);
    SHA1(data, data_len, sha1_hash);
    val_log(ctx, LOG_DEBUG, "dsasha1_sigverify(): SHA-1 hash = %s",
            get_hex_string(sha1_hash, SHA_DIGEST_LENGTH, buf, buflen));

    val_log(ctx, LOG_DEBUG,
            "dsasha1_sigverify(): verifying DSA signature...");

    /*
     * Fix: courtesy tom.fowler
     * First convert the signature into its DER representation
     *  0x30, 0x2E,       -  ASN1 sequence 
     *   0x02, 0x15,      - ASN integer, length 21 bytes
     *   0x00, <R bytes>  - 1 + 20 bytes per 2536 
     *   0x02, 0x15,      - ASN integer 
     *   0x00, <S bytes>  - 1 + 20 bytes per 2536
     */
    if (rrsig->signature_len < (1 + 2*SHA_DIGEST_LENGTH)) {
        /* dont have enough data */
        val_log(ctx, LOG_INFO,
                "dsasha1_sigverify(): Error parsing DSA rrsig.");
        DSA_free(dsa);
        *sig_status = VAL_AC_INVALID_RRSIG;
        return;
    }
    memcpy(sig_asn1, "\x30\x2E\x02\x15\x00", 5);
    memcpy(sig_asn1+5, rrsig->signature+1, SHA_DIGEST_LENGTH);
    memcpy(sig_asn1+5+SHA_DIGEST_LENGTH, "\x02\x15\x00", 3);
    memcpy(sig_asn1+5+SHA_DIGEST_LENGTH+3,
           rrsig->signature+1+SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH);

    if (DSA_verify
        (NID_sha1, (u_char *) sha1_hash, SHA_DIGEST_LENGTH,
         sig_asn1, sizeof(sig_asn1), dsa)  == 1) {
        val_log(ctx, LOG_INFO, "dsasha1_sigverify(): returned SUCCESS");
        DSA_free(dsa);
        *sig_status = VAL_AC_RRSIG_VERIFIED;
    } else {
        val_log(ctx, LOG_INFO, "dsasha1_sigverify(): returned FAILURE");
        DSA_free(dsa);
        *sig_status = VAL_AC_RRSIG_VERIFY_FAILED;
    }
    return;
}
Пример #7
0
void
ecdsa_sigverify(val_context_t * ctx,
                const u_char *data,
                size_t data_len,
                const val_dnskey_rdata_t * dnskey,
                const val_rrsig_rdata_t * rrsig,
                val_astatus_t * key_status, val_astatus_t * sig_status)
{
    char            buf[1028];
    size_t          buflen = 1024;
    u_char   sha_hash[MAX_DIGEST_LENGTH];
    EC_KEY   *eckey = NULL;
    BIGNUM *bn_x = NULL;
    BIGNUM *bn_y = NULL;
    ECDSA_SIG *ecdsa_sig;
    size_t   hashlen = 0;

    ecdsa_sig = ECDSA_SIG_new();
    memset(sha_hash, 0, sizeof(sha_hash));

    val_log(ctx, LOG_DEBUG,
            "ecdsa_sigverify(): parsing the public key...");

    if (rrsig->algorithm == ALG_ECDSAP256SHA256) {
        hashlen = SHA256_DIGEST_LENGTH; 
        SHA256(data, data_len, sha_hash);
        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); /* P-256 */
    } else if (rrsig->algorithm == ALG_ECDSAP384SHA384) {
        hashlen = SHA384_DIGEST_LENGTH; 
        SHA384(data, data_len, sha_hash);
        eckey = EC_KEY_new_by_curve_name(NID_secp384r1); /* P-384 */
    } 

    if (eckey == NULL) {
        val_log(ctx, LOG_INFO,
                "ecdsa_sigverify(): could not create key for ECDSA group.");
        *key_status = VAL_AC_INVALID_KEY;
        goto err;
    };

    /* 
     * contruct an EC_POINT from the "Q" field in the 
     * dnskey->public_key, dnskey->public_key_len
     */
    if (dnskey->public_key_len != 2*hashlen) {
        val_log(ctx, LOG_INFO,
                "ecdsa_sigverify(): dnskey length does not match expected size.");
        *key_status = VAL_AC_INVALID_KEY;
        goto err;
    }
    bn_x = BN_bin2bn(dnskey->public_key, hashlen, NULL);
    bn_y = BN_bin2bn(&dnskey->public_key[hashlen], hashlen, NULL);
    if (1 != EC_KEY_set_public_key_affine_coordinates(eckey, bn_x, bn_y)) {
        val_log(ctx, LOG_INFO,
                "ecdsa_sigverify(): Error associating ECSA structure with key.");
        *key_status = VAL_AC_INVALID_KEY;
        goto err;
    }


    val_log(ctx, LOG_DEBUG, "ecdsa_sigverify(): SHA hash = %s",
            get_hex_string(sha_hash, hashlen, buf, buflen));
    val_log(ctx, LOG_DEBUG,
            "ecdsa_sigverify(): verifying ECDSA signature...");

    /* 
     * contruct ECDSA signature from the "r" and "s" fileds in 
     * rrsig->signature, rrsig->signature_len
     */
    if (rrsig->signature_len != 2*hashlen) {
        val_log(ctx, LOG_INFO,
                "ecdsa_sigverify(): Signature length does not match expected size.");
        *sig_status = VAL_AC_RRSIG_VERIFY_FAILED;
        goto err;
    }

    ECDSA_SIG_set0(ecdsa_sig, BN_bin2bn(rrsig->signature, hashlen, NULL),
                   BN_bin2bn(&rrsig->signature[hashlen], hashlen, NULL));

    if (ECDSA_do_verify(sha_hash, hashlen, ecdsa_sig, eckey) == 1) {
        val_log(ctx, LOG_INFO, "ecdsa_sigverify(): returned SUCCESS");
        *sig_status = VAL_AC_RRSIG_VERIFIED;
    } else {
        val_log(ctx, LOG_INFO, "ecdsa_sigverify(): returned FAILURE");
        *sig_status = VAL_AC_RRSIG_VERIFY_FAILED;
    }

    /* Free all structures allocated */
err:
    if (ecdsa_sig)
        ECDSA_SIG_free(ecdsa_sig);
    if (bn_x)
        BN_free(bn_x);
    if (bn_y)
        BN_free(bn_y);
    if (eckey)
        EC_KEY_free(eckey);

    return;

}
Пример #8
0
void
rsasha_sigverify(val_context_t * ctx,
                  const u_char *data,
                  size_t data_len,
                  const val_dnskey_rdata_t * dnskey,
                  const val_rrsig_rdata_t * rrsig,
                  val_astatus_t * key_status, val_astatus_t * sig_status)
{
    char            buf[1028];
    size_t          buflen = 1024;
    RSA            *rsa = NULL;
    u_char   sha_hash[MAX_DIGEST_LENGTH];
    size_t   hashlen = 0;
    int nid = 0;

    val_log(ctx, LOG_DEBUG,
            "rsasha_sigverify(): parsing the public key...");
    if ((rsa = RSA_new()) == NULL) {
        val_log(ctx, LOG_INFO,
                "rsasha_sigverify(): could not allocate rsa structure.");
        *key_status = VAL_AC_INVALID_KEY;
        return;
    };

    if (rsa_parse_public_key
        (dnskey->public_key, (size_t)dnskey->public_key_len,
         rsa) != VAL_NO_ERROR) {
        val_log(ctx, LOG_INFO,
                "rsasha_sigverify(): Error in parsing public key.");
        RSA_free(rsa);
        *key_status = VAL_AC_INVALID_KEY;
        return;
    }

    memset(sha_hash, 0, sizeof(sha_hash));
    if (rrsig->algorithm == ALG_RSASHA1
#ifdef LIBVAL_NSEC3
        || rrsig->algorithm == ALG_NSEC3_RSASHA1
#endif
       ) {
        SHA1(data, data_len, sha_hash);
        hashlen = SHA_DIGEST_LENGTH; 
        nid = NID_sha1; 
    } else if (rrsig->algorithm == ALG_RSASHA256) {
        SHA256(data, data_len, sha_hash);
        hashlen = SHA256_DIGEST_LENGTH; 
        nid = NID_sha256; 
    } else if (rrsig->algorithm == ALG_RSASHA512) {
        SHA512(data, data_len, sha_hash);
        hashlen = SHA512_DIGEST_LENGTH; 
        nid = NID_sha512; 
    } else {
        val_log(ctx, LOG_INFO,
                "rsasha_sigverify(): Unkown algorithm.");
        RSA_free(rsa);
        *key_status = VAL_AC_INVALID_KEY;
        return;
    } 

    val_log(ctx, LOG_DEBUG, "rsasha_sigverify(): SHA hash = %s",
            get_hex_string(sha_hash, hashlen, buf, buflen));
    val_log(ctx, LOG_DEBUG,
            "rsasha_sigverify(): verifying RSA signature...");

    if (RSA_verify
        (nid, sha_hash, hashlen,
         rrsig->signature, rrsig->signature_len, rsa) == 1) {
        val_log(ctx, LOG_INFO, "rsasha_sigverify(): returned SUCCESS");
        RSA_free(rsa);
        *sig_status = VAL_AC_RRSIG_VERIFIED;
    } else {
        val_log(ctx, LOG_INFO, "rsasha_sigverify(): returned FAILURE");
        RSA_free(rsa);
        *sig_status = VAL_AC_RRSIG_VERIFY_FAILED;
    }
    return;
}