upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-24 00:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Test for ECC support for libNSS.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2700 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2012-06-22 15:20:56 +00:00
parent 25096aa3ab
commit b9ed797a22
2 changed files with 17 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
testcode/unitverify.c
View file

@ -521,8 +521,11 @@ verify_test(void)
else printf("Warning: skipped GOST, openssl does not provide gost.\n"); else printf("Warning: skipped GOST, openssl does not provide gost.\n");
#endif #endif
#ifdef USE_ECDSA #ifdef USE_ECDSA
/* test for support in case we use libNSS and ECC is removed */
if(dnskey_algo_id_is_supported(LDNS_ECDSAP256SHA256)) {
verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439"); verifytest_file("testdata/test_sigs.ecdsa_p256", "20100908100439");
verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439"); verifytest_file("testdata/test_sigs.ecdsa_p384", "20100908100439");
}
dstest_file("testdata/test_ds.sha384"); dstest_file("testdata/test_ds.sha384");
#endif #endif
dstest_file("testdata/test_ds.sha1"); dstest_file("testdata/test_ds.sha1");

16
validator/val_secalgo.c
View file

@ -623,11 +623,12 @@ dnskey_algo_id_is_supported(int id)
#ifdef USE_SHA2 #ifdef USE_SHA2
case LDNS_RSASHA512: case LDNS_RSASHA512:
#endif #endif
return 1;
#ifdef USE_ECDSA #ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256: case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384: case LDNS_ECDSAP384SHA384:
return PK11_TokenExists(CKM_ECDSA);
#endif #endif
return 1;
case LDNS_ECC_GOST: case LDNS_ECC_GOST:
default: default:
return 0; return 0;
@ -848,8 +849,10 @@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
/* from RFC6234 */ /* from RFC6234 */
/* for future RSASHA384 ..
unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
*/
switch(algo) { switch(algo) {
case LDNS_DSA: case LDNS_DSA:
@ -1031,11 +1034,16 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
} }
err = PORT_GetError(); err = PORT_GetError();
if(err != SEC_ERROR_BAD_SIGNATURE) { if(err != SEC_ERROR_BAD_SIGNATURE) {
/* failed to verify, but other errors are commonly returned /* failed to verify */
* for a bad signature from NSS. Thus we return bogus,
* not unchecked*/
verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
PORT_ErrorToString(err)); PORT_ErrorToString(err));
/* if it is not supported, like ECC is removed, we get,
* SEC_ERROR_NO_MODULE */
if(err == SEC_ERROR_NO_MODULE)
return sec_status_unchecked;
/* but other errors are commonly returned
* for a bad signature from NSS. Thus we return bogus,
* not unchecked */
*reason = "signature crypto failed"; *reason = "signature crypto failed";
return sec_status_bogus; return sec_status_bogus;
} }