program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n"
-" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n"
+" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
" -c <class> of domain (default IN)\n"
" -D prefer CDNSKEY records instead of CDS\n"
" -d <file|dir> where to find parent dsset- file\n"
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of SHA-1
- (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+ (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</para>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
<p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive.
</p>
</dd>
fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
" NSEC3DSA | NSEC3RSASHA1 |\n"
- " RSASHA256 | RSASHA512 | ECCGOST |\n"
+ " RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
- case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
<para>
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
- fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
+ fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option>
strcasecmp(algname, "SHA-256") == 0)
{
return (DNS_DSDIGEST_SHA256);
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- } else if (strcasecmp(algname, "GOST") == 0) {
- return (DNS_DSDIGEST_GOST);
-#endif
} else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
{
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
- 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
+ 'RSASHA512', None, None, 'ECDSAP256SHA256',
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
return t
def t_ALGNAME(self, t):
- r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
+ r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096],
'RSASHA512': [1024, 4096],
- 'ECCGOST': None,
'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None,
'ED25519': None,
('ZSK key size %d not divisible by 64 ' +
'as required for DSA') % self.zsk_keysize
- if self.algorithm in ['ECCGOST', \
- 'ECDSAP256SHA256', \
+ if self.algorithm in ['ECDSAP256SHA256', \
'ECDSAP384SHA384', \
'ED25519', \
'ED448']:
self.alg_policy['RSASHA512'].algorithm = "RSASHA512"
self.alg_policy['RSASHA512'].name = "RSASHA512"
- self.alg_policy['ECCGOST'] = copy(p)
- self.alg_policy['ECCGOST'].algorithm = "ECCGOST"
- self.alg_policy['ECCGOST'].name = "ECCGOST"
-
self.alg_policy['ECDSAP256SHA256'] = copy(p)
self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256"
self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256"
#
# List of tests hard-coded to use ports 5300 and 9953. For this
# reason, these must be run sequentially.
-SEQUENTIALDIRS="ecdsa eddsa gost @PKCS11_TEST@ tkey"
+SEQUENTIALDIRS="ecdsa eddsa @PKCS11_TEST@ tkey"
# List of tests that use ports assigned by caller (other than 5300
# and 9953). Because separate blocks of ports can be used for teach
database digdelv dlv dlvauto dlz dlzexternal dname \
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \
ednscompliance emptyzones \
- fetchlimit filter-aaaa formerr forward geoip glue gost idna inline ixfr \
+ fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \
keepalive @KEYMGR@ legacy limits logfileconfig masterfile \
masterformat metadata mkeys names notify nslookup nsupdate \
nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \
supported=`cat ../supported`
case "$supported" in
- gost) algo=GOST ;;
*) algo=SHA-384 ;;
esac
dnssec-validation yes;
dnssec-must-be-secure . yes;
/* only SHA-256 is enabled */
- disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
+ disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
};
dnssec-enable yes;
dnssec-validation yes;
/* only SHA-256 is enabled */
- disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
+ disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
};
zone "." {
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
-gostfail=0 ecdsafail=0
-$SHELL ../testcrypto.sh -q gost || gostfail=1
+ecdsafail=0
$SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1
-if [ $gostfail = 0 -a $ecdsafail = 0 ]; then
- echo both > supported
-elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
- echo_i "This test requires support for ECDSA or GOST cryptography." >&2
+if [ $ecdsafail = 1 ]; then
+ echo_i "This test requires support for ECDSA cryptography." >&2
exit 255
-elif [ $gostfail = 0 ]; then
- echo gost > supported
else
echo ecdsa > supported
fi
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f */K* */dsset-* */*.signed */trusted.conf
-rm -f ns1/root.db
-rm -f ns1/signer.err
-rm -f dig.out*
-rm -f */named.run
-rm -f */named.memstats
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS1
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
-};
-
-zone "." {
- type master;
- file "root.db.signed";
-};
-
-include "trusted.conf";
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-. IN SOA marka.isc.org. a.root.servers.nil. (
- 2010121600 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 600 ; minimum
- )
-. NS a.root-servers.nil.
-a.root-servers.nil. A 10.53.0.1
+++ /dev/null
-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-zone=.
-infile=root.db.in
-zonefile=root.db
-
-key1=`$KEYGEN -q -a ECCGOST -n zone $zone`
-key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone`
-$DSFROMKEY -a gost $key2.key > dsset-gost
-
-cat $infile $key1.key $key2.key > $zonefile
-
-$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
-
-# Configure the resolving server with a trusted key.
-
-cat $key1.key | grep -v '^; ' | $PERL -n -e '
-local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
-local $key = join("", @rest);
-print <<EOF
-trusted-keys {
- "$dn" $flags $proto $alg "$key";
-};
-EOF
-' > trusted.conf
-cp trusted.conf ../ns2/trusted.conf
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS2
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion yes;
- notify yes;
- dnssec-enable yes;
- dnssec-validation yes;
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
-
-include "trusted.conf";
+++ /dev/null
-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-exec $SHELL ../testcrypto.sh gost
+++ /dev/null
-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-cd ns1 && $SHELL sign.sh
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-n=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
-
-# Check the example. domain
-
-echo "I:checking that positive validation works ($n)"
-ret=0
-$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
-$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1
rm -f ns3/test-?.bk.signed
rm -f ns3/test-?.bk.signed.jnl
rm -f import.key Kimport*
-rm -f checkgost checkdsa checkecdsa
+rm -f checkdsa checkecdsa
rm -f ns3/a-file
rm -f ns*/named.lock
rm -f dig.out.*
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
-for alg in ECCGOST ECDSAP256SHA256 NSEC3RSASHA1 DSA
+for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
do
case $alg in
DSA)
$SHELL ../checkdsa.sh 2> /dev/null || continue
checkfile=../checkdsa
touch $checkfile ;;
- ECCGOST)
- fail=0
- $KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
- rm -f Ktest*
- [ $fail != 0 ] && continue
- checkfile=../checkgost
- touch $checkfile ;;
ECDSAP256SHA256)
fail=0
$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
echo_i "testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
-for alg in 3 7 12 13
+for alg in 3 7 13
do
[ $alg = 3 -a ! -f checkdsa ] && continue;
- [ $alg = 12 -a ! -f checkgost ] && continue;
[ $alg = 13 -a ! -f checkecdsa ] && continue;
case $alg in
3) echo_i "checking DSA";;
7) echo_i "checking NSEC3RSASHA1";;
- 12) echo_i "checking GOST";;
13) echo_i "checking ECDSAP256SHA256";;
*) echo_i "checking $alg";;
esac
alg="-a RSASHA1"
msg1="RSA cryptography"
;;
- gost|GOST)
- alg="-a eccgost"
- msg1="GOST cryptography"
- msg2="--with-gost"
- ;;
ecdsa|ECDSA)
alg="-a ecdsap256sha256"
msg1="ECDSA cryptography"
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
-/* Define if your OpenSSL version supports GOST. */
-#undef HAVE_OPENSSL_GOST
-
/* Define if native PKCS#11 is used as cryptographic library provider */
#undef HAVE_PKCS11
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
-/* Define if your PKCS11 provider supports GOST. */
-#undef HAVE_PKCS11_GOST
-
/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
-/* Define if GOST private keys are encoded in ASN.1. */
-#undef PREFER_GOSTASN1
-
/* The size of `void *', as computed by sizeof. */
#undef SIZEOF_VOID_P
/* Define if OpenSSL includes Ed448 support */
@HAVE_OPENSSL_ED448@
-/* Define if your OpenSSL version supports GOST. */
-@HAVE_OPENSSL_GOST@
-
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
-/* Define if your PKCS11 provider supports GOST. */
-@HAVE_PKCS11_GOST@
-
-/* Define if GOST private keys are encoded in ASN.1. */
-@PREFER_GOSTASN1@
-
/* Define if OpenSSL is used as cryptographic library provider. */
@HAVE_OPENSSL@
NZD_TOOLS
PKCS11_TEST
PKCS11_ED25519
-PKCS11_GOST
PKCS11_ECDSA
PKCS11LINKSRCS
PKCS11LINKOBJS
ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_PLATFORM_WANTAES
-OPENSSL_GOST
OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
-OPENSSLGOSTLINKSRCS
-OPENSSLGOSTLINKOBJS
OPENSSLEDDSALINKSRCS
OPENSSLEDDSALINKOBJS
OPENSSLECDSALINKSRCS
with_openssl
with_pkcs11
with_ecdsa
-with_gost
with_eddsa
with_aes
with_cc_alg
--with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for
the PKCS11 provider)
--with-ecdsa Crypto ECDSA
- --with-gost Crypto GOST [yes|no|raw|asn1].
--with-eddsa Crypto EDDSA [yes|all|no].
--with-aes Crypto AES
--with-cc-alg=ALG choose the algorithm for Client Cookie
#
-# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
+# were --with-ecdsa, --with-eddsa, --with-aes specified
#
# Check whether --with-ecdsa was given.
fi
-# Check whether --with-gost was given.
-if test "${with_gost+set}" = set; then :
- withval=$with_gost; with_gost="$withval"
-else
- with_gost="auto"
-fi
-
-
# Check whether --with-eddsa was given.
if test "${with_eddsa+set}" = set; then :
withval=$with_eddsa; with_eddsa="$withval"
done
fi
OPENSSL_ECDSA=""
-OPENSSL_GOST=""
OPENSSL_ED25519=""
-gosttype="raw"
-case "$with_gost" in
- raw)
- with_gost="yes"
- ;;
- asn1)
-
-$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
-
- gosttype="asn1"
- with_gost="yes"
- ;;
- auto|yes|no)
- ;;
- *)
- as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5
- ;;
-esac
case "$use_openssl" in
native_pkcs11)
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
;;
esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
-$as_echo_n "checking for OpenSSL GOST support... " >&6; }
- have_gost=""
- case "$use_pkcs11" in
- auto|no)
- ;;
- *)
- if $use_threads; then
- CC="$CC -pthread"
- fi
- ;;
- esac
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
-$as_echo "using --with-gost" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
-
- ek = NULL;
- OPENSSL_config(NULL);
-
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_gost="yes"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_gost="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
- case "$with_gost" in
- yes)
- case "$have_gost" in
- no) as_fn_error $? "gost not supported" "$LINENO" 5 ;;
- *) have_gost=yes ;;
- esac
- ;;
- no)
- have_gost=no ;;
- *)
- case "$have_gost" in
- yes|no) ;;
- *) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;;
- esac
- ;;
- esac
- case $have_gost in
- yes)
- OPENSSL_GOST="yes"
- OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
- OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
-
-$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
-
- ;;
- *)
- ;;
- esac
-
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
have_ed25519=""
-
-
-
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
then
PKCS11_ECDSA=""
-PKCS11_GOST=""
PKCS11_ED25519=""
set_pk11_flavor="no"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
;;
esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5
-$as_echo_n "checking for PKCS11 GOST... " >&6; }
- case "$with_gost" in
- yes)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
-$as_echo "enabled" >&6; }
- PKCS11_GOST="yes"
-
-$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
-
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
- esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
case "$with_eddsa" in
-
if test "X$CRYPTO" = "X"; then
# cat << \EOF
as_fn_error $? "No cryptography library has been found or provided.
fi
echo " Provider library: $PKCS11_PROVIDER"
fi
- if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
- echo " GOST algorithm support (encoding: $gosttype) (--with-gost)"
- fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
fi
test "yes" = "$want_native_pkcs11" ||
echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
- test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
- echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
use_pkcs11="$withval", use_pkcs11="auto")
#
-# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
+# were --with-ecdsa, --with-eddsa, --with-aes specified
#
AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
with_ecdsa="$withval", with_ecdsa="auto")
-AC_ARG_WITH(gost,
- AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]),
- with_gost="$withval", with_gost="auto")
AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
with_eddsa="$withval", with_eddsa="auto")
AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
done
fi
OPENSSL_ECDSA=""
-OPENSSL_GOST=""
OPENSSL_ED25519=""
-gosttype="raw"
-case "$with_gost" in
- raw)
- with_gost="yes"
- ;;
- asn1)
- AC_DEFINE(PREFER_GOSTASN1, 1,
- [Define if GOST private keys are encoded in ASN.1.])
- gosttype="asn1"
- with_gost="yes"
- ;;
- auto|yes|no)
- ;;
- *)
- AC_MSG_ERROR(unknown GOST private key encoding)
- ;;
-esac
case "$use_openssl" in
native_pkcs11)
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider])
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
;;
esac
- AC_MSG_CHECKING(for OpenSSL GOST support)
- have_gost=""
- case "$use_pkcs11" in
- auto|no)
- ;;
- *)
- if $use_threads; then
- CC="$CC -pthread"
- fi
- ;;
- esac
- AC_TRY_RUN([
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
-
- ek = NULL;
- OPENSSL_config(NULL);
-
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
-],
- [AC_MSG_RESULT(yes)
- have_gost="yes"],
- [AC_MSG_RESULT(no)
- have_gost="no"],
- [AC_MSG_RESULT(using --with-gost)])
- case "$with_gost" in
- yes)
- case "$have_gost" in
- no) AC_MSG_ERROR([gost not supported]) ;;
- *) have_gost=yes ;;
- esac
- ;;
- no)
- have_gost=no ;;
- *)
- case "$have_gost" in
- yes|no) ;;
- *) AC_MSG_ERROR([need --with-gost=[[yes, no, raw or asn1]]]) ;;
- esac
- ;;
- esac
- case $have_gost in
- yes)
- OPENSSL_GOST="yes"
- OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
- OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
- AC_DEFINE(HAVE_OPENSSL_GOST, 1,
- [Define if your OpenSSL version supports GOST.])
- ;;
- *)
- ;;
- esac
-
AC_MSG_CHECKING(for OpenSSL Ed25519 support)
have_ed25519=""
have_ed448=""
AC_SUBST(OPENSSLECDSALINKSRCS)
AC_SUBST(OPENSSLEDDSALINKOBJS)
AC_SUBST(OPENSSLEDDSALINKSRCS)
-AC_SUBST(OPENSSLGOSTLINKOBJS)
-AC_SUBST(OPENSSLGOSTLINKSRCS)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
AC_SUBST(OPENSSL_ECDSA)
AC_SUBST(OPENSSL_ED25519)
-AC_SUBST(OPENSSL_GOST)
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
AC_SUBST(PKCS11_PROVIDER)
PKCS11_ECDSA=""
-PKCS11_GOST=""
PKCS11_ED25519=""
set_pk11_flavor="no"
AC_MSG_CHECKING(for native PKCS11)
[Define if your PKCS11 provider supports ECDSA.])
;;
esac
- AC_MSG_CHECKING(for PKCS11 GOST)
- case "$with_gost" in
- yes)
- AC_MSG_RESULT(enabled)
- PKCS11_GOST="yes"
- AC_DEFINE(HAVE_PKCS11_GOST, 1,
- [Define if your PKCS11 provider supports GOST.])
- ;;
- *)
- AC_MSG_RESULT(disabled)
- ;;
- esac
AC_MSG_CHECKING(for PKCS11 Ed25519)
case "$with_eddsa" in
yes|all)
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(PKCS11_ECDSA)
-AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
AC_SUBST(PKCS11_TEST)
fi
echo " Provider library: $PKCS11_PROVIDER"
fi
- if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
- echo " GOST algorithm support (encoding: $gosttype) (--with-gost)"
- fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
fi
test "yes" = "$want_native_pkcs11" ||
echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
- test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
- echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
</para>
<screen>
$ <userinput> cd SoftHSMv2 </userinput>
-$ <userinput> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </userinput>
+$ <userinput> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr </userinput>
$ <userinput> make </userinput>
$ <userinput> make install </userinput>
$ <userinput> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </userinput>
RFC5205
RFC5452 [11]
RFC5702
- RFC5933 [12]
RFC5936
RFC5952
RFC5966
RFC6052
- RFC6147 [13]
+ RFC6147 [12]
RFC6303
- RFC6605 [14]
+ RFC6605 [13]
RFC6672
RFC6698
RFC6742
- RFC6840 [15]
+ RFC6840 [14]
RFC6844
RFC6891
RFC7043
RFC7314
RFC7477
RFC7793
- RFC7830 [16]
+ RFC7830 [15]
The following DNS related RFC have been obsoleted
[11] Named only uses ports to extend the id space, address are not
used.
-[12] Conditional on the OpenSSL library being linked against
-supporting GOST.
-
-[13] Section 5.5 does not match reality. Named uses the presence
+[12] Section 5.5 does not match reality. Named uses the presence
of DO=1 to detect if validation may be occuring. CD has no bearing
on whether validation is occuring or not.
-[14] Conditional on the OpenSSL library being linked against
+[13] Conditional on the OpenSSL library being linked against
supporting ECDSA.
-[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
+[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as
it prevents DNSSEC working correctly through another recursive server.
When talking to a recurive server the best algorithm to do is send
can send CD=1 then CD=0 on validation failure in case the recursive
server is under attack or there is stale / bogus authoritative data.
-[16] Named doesn't currently encrypt DNS requests so the PAD option
+[15] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.
# Alphabetically
-OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
@OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
- @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
+ opensslrsa_link.@O@
PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
- pkcs11gost_link.@O@ pkcs11.@O@
+ pkcs11.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
# Alphabetically
-OPENSSLGOSTLINKSRCS = opensslgost_link.c
OPENSSLECDSALINKSRCS = opensslecdsa_link.c
OPENSSLEDDSALINKSRCS = openssleddsa_link.c
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
@OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
- @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
+ opensslrsa_link.c
PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
pkcs11ecdsa_link.c pkcs11eddsa_link.c \
- pkcs11gost_link.c pkcs11.c
+ pkcs11.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
#include <dst/dst.h>
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-#include "dst_gost.h"
-#endif
-
isc_result_t
dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
unsigned int digest_type, unsigned char *buffer,
isc_sha1_t sha1;
isc_sha256_t sha256;
isc_sha384_t sha384;
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- isc_gost_t gost;
-#endif
REQUIRE(key != NULL);
REQUIRE(key->type == dns_rdatatype_dnskey);
isc_sha1_final(&sha1, digest);
break;
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-#define RETERR(x) do { \
- isc_result_t ret = (x); \
- if (ret != ISC_R_SUCCESS) { \
- isc_gost_invalidate(&gost); \
- return (ret); \
- } \
-} while (0)
-
- case DNS_DSDIGEST_GOST:
- RETERR(isc_gost_init(&gost));
- dns_name_toregion(name, &r);
- RETERR(isc_gost_update(&gost, r.base, r.length));
- dns_rdata_toregion(key, &r);
- INSIST(r.length >= 4);
- RETERR(isc_gost_update(&gost, r.base, r.length));
- RETERR(isc_gost_final(&gost, digest));
- break;
-#endif
-
case DNS_DSDIGEST_SHA384:
isc_sha384_init(&sha384);
dns_name_toregion(name, &r);
ds.length = ISC_SHA1_DIGESTLENGTH;
break;
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- case DNS_DSDIGEST_GOST:
- ds.length = ISC_GOST_DIGESTLENGTH;
- break;
-#endif
-
case DNS_DSDIGEST_SHA384:
ds.length = ISC_SHA384_DIGESTLENGTH;
break;
#ifndef PK11_DH_DISABLE
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#endif
-#ifdef HAVE_OPENSSL_GOST
- RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
-#endif
#ifdef HAVE_OPENSSL_ECDSA
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_PKCS11_ED448
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
-#ifdef HAVE_PKCS11_GOST
- RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
-#endif
#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
isc_boolean_t
dst_ds_digest_supported(unsigned int digest_type) {
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
- digest_type == DNS_DSDIGEST_SHA256 ||
- digest_type == DNS_DSDIGEST_GOST ||
- digest_type == DNS_DSDIGEST_SHA384));
-#else
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
digest_type == DNS_DSDIGEST_SHA256 ||
digest_type == DNS_DSDIGEST_SHA384));
-#endif
}
isc_result_t
*n = DNS_SIG_DSASIGSIZE;
break;
#endif
- case DST_ALG_ECCGOST:
- *n = DNS_SIG_GOSTSIGSIZE;
- break;
case DST_ALG_ECDSA256:
*n = DNS_SIG_ECDSA256SIZE;
break;
#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
#endif
- case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#ifndef DST_GOST_H
-#define DST_GOST_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-#include <dst/result.h>
-
-#define ISC_GOST_DIGESTLENGTH 32U
-
-#ifdef HAVE_OPENSSL_GOST
-#include <openssl/evp.h>
-
-typedef struct {
- EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EVP_MD_CTX _ctx;
-#endif
-} isc_gost_t;
-
-#endif
-#ifdef HAVE_PKCS11_GOST
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_gost_t;
-#endif
-
-ISC_LANG_BEGINDECLS
-
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-
-isc_result_t
-isc_gost_init(isc_gost_t *ctx);
-
-void
-isc_gost_invalidate(isc_gost_t *ctx);
-
-isc_result_t
-isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len);
-
-isc_result_t
-isc_gost_final(isc_gost_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */
-
-#endif /* DST_GOST_H */
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
-#ifdef HAVE_OPENSSL_GOST
-isc_result_t dst__opensslgost_init(struct dst_func **funcp);
-#endif
-#ifdef HAVE_PKCS11_GOST
-isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
-#endif
/*%
* Destructors
{TAG_DSA_PUBLIC, "Public_value(y):"},
#endif
- {TAG_GOST_PRIVASN1, "GostAsn1:"},
- {TAG_GOST_PRIVRAW, "PrivateKey:"},
-
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_ECDSA_LABEL, "Label:" },
}
#endif
-static int
-check_gost(const dst_private_t *priv, isc_boolean_t external) {
-
- if (external)
- return ((priv->nelements == 0)? 0 : -1);
-
- if (priv->nelements != GOST_NTAGS)
- return (-1);
- if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) &&
- (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1)))
- return (-1);
- return (0);
-}
-
static int
check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
int i, j;
case DST_ALG_NSEC3DSA:
return (check_dsa(priv, external));
#endif
- case DST_ALG_ECCGOST:
- return (check_gost(priv, external));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
- case DST_ALG_ECCGOST:
- fprintf(fp, "(ECC-GOST)\n");
- break;
case DST_ALG_ECDSA256:
fprintf(fp, "(ECDSAP256SHA256)\n");
break;
#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
-#define GOST_NTAGS 1
-#define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
-#define TAG_GOST_PRIVRAW ((DST_ALG_ECCGOST << TAG_SHIFT) + 1)
-
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
#define DNS_SIG_DSAMINBYTES 213
#define DNS_SIG_DSAMAXBYTES 405
-#define DNS_SIG_GOSTSIGSIZE 64
-
#define DNS_SIG_ECDSA256SIZE 64
#define DNS_SIG_ECDSA384SIZE 96
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <config.h>
-
-#if HAVE_OPENSSL && HAVE_OPENSSL_GOST
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-#include "dst_gost.h"
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/engine.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx))
-#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
-#endif
-
-static ENGINE *e = NULL;
-static const EVP_MD *opensslgost_digest;
-extern const EVP_MD *EVP_gost(void);
-
-const EVP_MD *EVP_gost(void) {
- return (opensslgost_digest);
-}
-
-/* ISC methods */
-
-isc_result_t
-isc_gost_init(isc_gost_t *ctx) {
- const EVP_MD *md;
- int ret;
-
- INSIST(ctx != NULL);
-
- md = EVP_gost();
- if (md == NULL)
- return (DST_R_CRYPTOFAILURE);
- ctx->ctx = EVP_MD_CTX_new();
- if (ctx->ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = EVP_DigestInit(ctx->ctx, md);
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_gost_invalidate(isc_gost_t *ctx) {
- EVP_MD_CTX_free(ctx->ctx);
- ctx->ctx = NULL;
-}
-
-isc_result_t
-isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
- unsigned int len)
-{
- int ret;
-
- INSIST(ctx != NULL);
- INSIST(ctx->ctx != NULL);
- INSIST(data != NULL);
-
- ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len);
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
- int ret;
-
- INSIST(ctx != NULL);
- INSIST(ctx->ctx != NULL);
- INSIST(digest != NULL);
-
- ret = EVP_DigestFinal(ctx->ctx, digest, NULL);
- EVP_MD_CTX_free(ctx->ctx);
- ctx->ctx = NULL;
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-}
-
-/* DST methods */
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t opensslgost_todns(const dst_key_t *key,
- isc_buffer_t *data);
-
-static isc_result_t
-opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) {
- EVP_MD_CTX *evp_md_ctx;
- const EVP_MD *md = EVP_gost();
-
- UNUSED(key);
-
- if (md == NULL)
- return (DST_R_OPENSSLFAILURE);
-
- evp_md_ctx = EVP_MD_CTX_create();
- if (evp_md_ctx == NULL)
- return (ISC_R_NOMEMORY);
-
- if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) {
- EVP_MD_CTX_destroy(evp_md_ctx);
- return (ISC_R_FAILURE);
- }
- dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-opensslgost_destroyctx(dst_context_t *dctx) {
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
- if (evp_md_ctx != NULL) {
- EVP_MD_CTX_destroy(evp_md_ctx);
- dctx->ctxdata.evp_md_ctx = NULL;
- }
-}
-
-static isc_result_t
-opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) {
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
- if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
- return (ISC_R_FAILURE);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- dst_key_t *key = dctx->key;
- isc_region_t r;
- unsigned int siglen = 0;
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey = key->keydata.pkey;
-
- isc_buffer_availableregion(sig, &r);
-
- if (r.length < (unsigned int) EVP_PKEY_size(pkey))
- return (ISC_R_NOSPACE);
-
- if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey))
- return (ISC_R_FAILURE);
-
- isc_buffer_add(sig, siglen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
- dst_key_t *key = dctx->key;
- int status = 0;
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey = key->keydata.pkey;
-
- status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
- switch (status) {
- case 1:
- return (ISC_R_SUCCESS);
- case 0:
- return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
- default:
- return (dst__openssl_toresult3(dctx->category,
- "EVP_VerifyFinal",
- DST_R_VERIFYFAILURE));
- }
-}
-
-static isc_boolean_t
-opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) {
- EVP_PKEY *pkey1, *pkey2;
-
- pkey1 = key1->keydata.pkey;
- pkey2 = key2->keydata.pkey;
-
- if (pkey1 == NULL && pkey2 == NULL)
- return (ISC_TRUE);
- else if (pkey1 == NULL || pkey2 == NULL)
- return (ISC_FALSE);
-
- if (EVP_PKEY_cmp(pkey1, pkey2) != 1)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-static int
-progress_cb(EVP_PKEY_CTX *ctx)
-{
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
- int p;
-
- u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
- p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
- if (u.fptr != NULL)
- u.fptr(p);
- return (1);
-}
-
-static isc_result_t
-opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- EVP_PKEY_CTX *ctx;
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
- EVP_PKEY *pkey = NULL;
- isc_result_t ret;
-
- UNUSED(unused);
- ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
- if (ctx == NULL)
- DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
- DST_R_OPENSSLFAILURE));
- if (callback != NULL) {
- u.fptr = callback;
- EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
- EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
- }
- if (EVP_PKEY_keygen_init(ctx) <= 0)
- DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
- DST_R_OPENSSLFAILURE));
- if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
- DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
- DST_R_OPENSSLFAILURE));
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
- DST_R_OPENSSLFAILURE));
- key->keydata.pkey = pkey;
- key->key_size = EVP_PKEY_bits(pkey);
- EVP_PKEY_CTX_free(ctx);
- return (ISC_R_SUCCESS);
-
-err:
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
- if (ctx != NULL)
- EVP_PKEY_CTX_free(ctx);
- return (ret);
-}
-
-static isc_boolean_t
-opensslgost_isprivate(const dst_key_t *key) {
- EVP_PKEY *pkey = key->keydata.pkey;
- EC_KEY *ec;
-
- INSIST(pkey != NULL);
-
- ec = EVP_PKEY_get0(pkey);
- return (ISC_TF(ec != NULL && EC_KEY_get0_private_key(ec) != NULL));
-}
-
-static void
-opensslgost_destroy(dst_key_t *key) {
- EVP_PKEY *pkey = key->keydata.pkey;
-
- EVP_PKEY_free(pkey);
- key->keydata.pkey = NULL;
-}
-
-static const unsigned char gost_prefix[37] = {
- 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
- 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07,
- 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06,
- 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01,
- 0x03, 0x43, 0x00, 0x04, 0x40
-};
-
-static isc_result_t
-opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
- EVP_PKEY *pkey;
- isc_region_t r;
- unsigned char der[37 + 64], *p;
- int len;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- pkey = key->keydata.pkey;
-
- isc_buffer_availableregion(data, &r);
- if (r.length < 64)
- return (ISC_R_NOSPACE);
-
- p = der;
- len = i2d_PUBKEY(pkey, &p);
- INSIST(len == sizeof(der));
- INSIST(isc_safe_memequal(gost_prefix, der, 37));
- memmove(r.base, der + 37, 64);
- isc_buffer_add(data, 64);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
- isc_region_t r;
- EVP_PKEY *pkey = NULL;
- unsigned char der[37 + 64];
- const unsigned char *p;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- if (r.length != 64)
- return (DST_R_INVALIDPUBLICKEY);
- memmove(der, gost_prefix, 37);
- memmove(der + 37, r.base, 64);
- isc_buffer_forward(data, 64);
-
- p = der;
- if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL)
- return (dst__openssl_toresult2("d2i_PUBKEY",
- DST_R_OPENSSLFAILURE));
- key->keydata.pkey = pkey;
- key->key_size = EVP_PKEY_bits(pkey);
-
- return (ISC_R_SUCCESS);
-}
-
-#ifdef PREFER_GOSTASN1
-
-static isc_result_t
-opensslgost_tofile(const dst_key_t *key, const char *directory) {
- EVP_PKEY *pkey;
- dst_private_t priv;
- isc_result_t result;
- unsigned char *der, *p;
- int len;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- pkey = key->keydata.pkey;
-
- len = i2d_PrivateKey(pkey, NULL);
- der = isc_mem_get(key->mctx, (size_t) len);
- if (der == NULL)
- return (ISC_R_NOMEMORY);
-
- p = der;
- if (i2d_PrivateKey(pkey, &p) != len) {
- result = dst__openssl_toresult2("i2d_PrivateKey",
- DST_R_OPENSSLFAILURE);
- goto fail;
- }
-
- priv.elements[0].tag = TAG_GOST_PRIVASN1;
- priv.elements[0].length = len;
- priv.elements[0].data = der;
- priv.nelements = 1;
-
- result = dst__privstruct_writefile(key, &priv, directory);
- fail:
- if (der != NULL)
- isc_mem_put(key->mctx, der, (size_t) len);
- return (result);
-}
-
-#else
-
-static isc_result_t
-opensslgost_tofile(const dst_key_t *key, const char *directory) {
- EVP_PKEY *pkey;
- EC_KEY *eckey;
- const BIGNUM *privkey;
- dst_private_t priv;
- isc_result_t ret;
- unsigned char *buf = NULL;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- pkey = key->keydata.pkey;
- eckey = EVP_PKEY_get0(pkey);
- if (eckey == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- privkey = EC_KEY_get0_private_key(eckey);
- if (privkey == NULL)
- return (ISC_R_FAILURE);
-
- buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
- if (buf == NULL)
- return (ISC_R_NOMEMORY);
-
- priv.elements[0].tag = TAG_GOST_PRIVRAW;
- priv.elements[0].length = BN_num_bytes(privkey);
- BN_bn2bin(privkey, buf);
- priv.elements[0].data = buf;
- priv.nelements = 1;
-
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL)
- isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
- return (ret);
-}
-#endif
-
-static unsigned char gost_dummy_key[71] = {
- 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
- 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
- 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
- 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
- 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
-};
-
-static isc_result_t
-opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- isc_mem_t *mctx = key->mctx;
- EVP_PKEY *pkey = NULL;
- EC_KEY *eckey;
- const EC_POINT *pubkey = NULL;
- BIGNUM *privkey = NULL;
- const unsigned char *p;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (key->external) {
- if (priv.nelements != 0)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- if (pub == NULL)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ISC_R_SUCCESS);
- }
-
- INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) ||
- (priv.elements[0].tag == TAG_GOST_PRIVRAW));
-
- if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
- p = priv.elements[0].data;
- if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) priv.elements[0].length) == NULL)
- DST_RET(dst__openssl_toresult2(
- "d2i_PrivateKey",
- DST_R_INVALIDPRIVATEKEY));
- } else {
- if ((pub != NULL) && (pub->keydata.pkey != NULL)) {
- eckey = EVP_PKEY_get0(pub->keydata.pkey);
- pubkey = EC_KEY_get0_public_key(eckey);
- }
-
- privkey = BN_bin2bn(priv.elements[0].data,
- priv.elements[0].length, NULL);
- if (privkey == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- /* can't create directly the whole key */
- p = gost_dummy_key;
- if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) sizeof(gost_dummy_key)) == NULL)
- DST_RET(dst__openssl_toresult2(
- "d2i_PrivateKey",
- DST_R_INVALIDPRIVATEKEY));
-
- eckey = EVP_PKEY_get0(pkey);
- if (eckey == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- if (!EC_KEY_set_private_key(eckey, privkey))
- DST_RET(ISC_R_NOMEMORY);
-
- /* have to (re)set the public key */
-#ifdef notyet
- (void) gost2001_compute_public(eckey);
-#else
- if ((pubkey != NULL) && !EC_KEY_set_public_key(eckey, pubkey))
- DST_RET(ISC_R_NOMEMORY);
-#endif
- BN_clear_free(privkey);
- privkey = NULL;
- }
- key->keydata.pkey = pkey;
- key->key_size = EVP_PKEY_bits(pkey);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ISC_R_SUCCESS);
-
- err:
- if (privkey != NULL)
- BN_clear_free(privkey);
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
- opensslgost_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static void
-opensslgost_cleanup(void) {
- if (e != NULL) {
- ENGINE_finish(e);
- ENGINE_free(e);
- e = NULL;
- }
-}
-
-static dst_func_t opensslgost_functions = {
- opensslgost_createctx,
- NULL, /*%< createctx2 */
- opensslgost_destroyctx,
- opensslgost_adddata,
- opensslgost_sign,
- opensslgost_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- opensslgost_compare,
- NULL, /*%< paramcompare */
- opensslgost_generate,
- opensslgost_isprivate,
- opensslgost_destroy,
- opensslgost_todns,
- opensslgost_fromdns,
- opensslgost_tofile,
- opensslgost_parse,
- opensslgost_cleanup,
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL /*%< restore */
-};
-
-isc_result_t
-dst__opensslgost_init(dst_func_t **funcp) {
- isc_result_t ret;
-
- REQUIRE(funcp != NULL);
-
- /* check if the gost engine works properly */
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (dst__openssl_toresult2("ENGINE_by_id",
- DST_R_OPENSSLFAILURE));
- if (ENGINE_init(e) <= 0) {
- ENGINE_free(e);
- e = NULL;
- return (dst__openssl_toresult2("ENGINE_init",
- DST_R_OPENSSLFAILURE));
- }
- /* better than to rely on digest_gost symbol */
- opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94);
- if (opensslgost_digest == NULL)
- DST_RET(dst__openssl_toresult2("ENGINE_get_digest",
- DST_R_OPENSSLFAILURE));
- /* from openssl.cnf */
- if (ENGINE_register_pkey_asn1_meths(e) <= 0)
- DST_RET(dst__openssl_toresult2(
- "ENGINE_register_pkey_asn1_meths",
- DST_R_OPENSSLFAILURE));
- if (ENGINE_ctrl_cmd_string(e,
- "CRYPT_PARAMS",
- "id-Gost28147-89-CryptoPro-A-ParamSet",
- 0) <= 0)
- DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string",
- DST_R_OPENSSLFAILURE));
-
- if (*funcp == NULL)
- *funcp = &opensslgost_functions;
- return (ISC_R_SUCCESS);
-
- err:
- ENGINE_finish(e);
- ENGINE_free(e);
- e = NULL;
- return (ret);
-}
-
-#else /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */
-/*! \file */
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <config.h>
-
-#if HAVE_PKCS11 && defined(HAVE_PKCS11_GOST)
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/sha2.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-#include "dst_gost.h"
-
-#include <pk11/pk11.h>
-#include <pk11/internal.h>
-#define WANT_GOST_PARAMS
-#include <pk11/constants.h>
-
-#include <pkcs11/pkcs11.h>
-
-/*
- * RU CryptoPro GOST keys:
- * mechanisms:
- * CKM_GOSTR3411
- * CKM_GOSTR3410_WITH_GOSTR3411
- * CKM_GOSTR3410_KEY_PAIR_GEN
- * domain parameters:
- * CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
- * CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
- * CKA_GOST28147_PARAMS (optional, don't use)
- * public keys:
- * object class CKO_PUBLIC_KEY
- * key type CKK_GOSTR3410
- * attribute CKA_VALUE (point Q)
- * attribute CKA_GOSTR3410_PARAMS
- * attribute CKA_GOSTR3411_PARAMS
- * attribute CKA_GOST28147_PARAMS
- * private keys:
- * object class CKO_PRIVATE_KEY
- * key type CKK_GOSTR3410
- * attribute CKA_VALUE (big int d)
- * attribute CKA_GOSTR3410_PARAMS
- * attribute CKA_GOSTR3411_PARAMS
- * attribute CKA_GOST28147_PARAMS
- * point format: <x> <y> (little endian)
- */
-
-#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
-
-#define ISC_GOST_SIGNATURELENGTH 64
-#define ISC_GOST_PUBKEYLENGTH 64
-#define ISC_GOST_KEYSIZE 256
-
-/* HASH methods */
-
-isc_result_t
-isc_gost_init(isc_gost_t *ctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
- int ret = ISC_R_SUCCESS;
-
- ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
- return (ret);
-}
-
-void
-isc_gost_invalidate(isc_gost_t *ctx) {
- CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
- CK_ULONG len = ISC_GOST_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(ctx);
-}
-
-isc_result_t
-isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
- int ret = ISC_R_SUCCESS;
-
- DE_CONST(buf, pPart);
- PK11_CALL(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len),
- ISC_R_FAILURE);
- return (ret);
-}
-
-isc_result_t
-isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_ULONG len = ISC_GOST_DIGESTLENGTH;
- int ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) digest, &len),
- ISC_R_FAILURE);
- pk11_return_session(ctx);
- return (ret);
-}
-
-/* DST methods */
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
-static void pkcs11gost_destroy(dst_key_t *key);
-
-static isc_result_t
-pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, 0 },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key != NULL);
- gost = key->keydata.pkey;
- REQUIRE(gost != NULL);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- gost->reqlogon, NULL,
- pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = gost->ontoken;
- pk11_ctx->object = gost->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE2:
- INSIST(keyTemplate[6].type == CKA_VALUE);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[6].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = ISC_FALSE;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 9,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 6; i <= 6; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 6; i <= 6; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, 0 },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key != NULL);
- gost = key->keydata.pkey;
- REQUIRE(gost != NULL);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- gost->reqlogon, NULL,
- pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = gost->ontoken;
- pk11_ctx->object = gost->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[5].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = ISC_FALSE;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 8,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_VerifyInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 5; i <= 5; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 5; i <= 5; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
- if (dctx->use == DO_SIGN)
- return (pkcs11gost_createctx_sign(key, dctx));
- else
- return (pkcs11gost_createctx_verify(key, dctx));
-}
-
-static void
-pkcs11gost_destroyctx(dst_context_t *dctx) {
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- if (pk11_ctx != NULL) {
- if (!pk11_ctx->ontoken &&
- (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session,
- pk11_ctx->object);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- if (dctx->use == DO_SIGN)
- PK11_CALL(pkcs_C_SignUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- else
- PK11_CALL(pkcs_C_VerifyUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
- isc_region_t r;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < ISC_GOST_SIGNATURELENGTH)
- return (ISC_R_NOSPACE);
-
- PK11_RET(pkcs_C_SignFinal,
- (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
- DST_R_SIGNFAILURE);
- if (siglen != ISC_GOST_SIGNATURELENGTH)
- return (DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
-
- err:
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_VerifyFinal,
- (pk11_ctx->session,
- (CK_BYTE_PTR) sig->base,
- (CK_ULONG) sig->length),
- DST_R_VERIFYFAILURE);
- return (ret);
-}
-
-static isc_boolean_t
-pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *gost1, *gost2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- gost1 = key1->keydata.pkey;
- gost2 = key2->keydata.pkey;
-
- if ((gost1 == NULL) && (gost2 == NULL))
- return (ISC_TRUE);
- else if ((gost1 == NULL) || (gost2 == NULL))
- return (ISC_FALSE);
-
- attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
- attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (ISC_TRUE);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (ISC_FALSE);
-
- attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
- attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- return (ISC_FALSE);
-
- if (!gost1->ontoken && !gost2->ontoken)
- return (ISC_TRUE);
- else if (gost1->ontoken || gost2->ontoken ||
- (gost1->object != gost2->object))
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-static isc_result_t
-pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_ATTRIBUTE pubTemplate[] =
- {
- { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] =
- {
- { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
-
- UNUSED(unused);
- UNUSED(callback);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech,
- pubTemplate, (CK_ULONG) 7,
- privTemplate, (CK_ULONG) 7,
- &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
- sizeof(*attr) * 2);
- if (gost->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost->repr, 0, sizeof(*attr) * 2);
- gost->attrcnt = 2;
-
- attr = gost->repr;
- attr[0].type = CKA_VALUE;
- attr[1].type = CKA_VALUE2;
-
- attr = gost->repr;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- attr++;
- attr->type = CKA_VALUE;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->type = CKA_VALUE2;
-
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11gost_destroy(key);
- if (priv != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- if (pub != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_boolean_t
-pkcs11gost_isprivate(const dst_key_t *key) {
- pk11_object_t *gost = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (gost == NULL)
- return (ISC_FALSE);
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- return (ISC_TF((attr != NULL) || gost->ontoken));
-}
-
-static void
-pkcs11gost_destroy(dst_key_t *key) {
- pk11_object_t *gost = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (gost == NULL)
- return;
-
- INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- case CKA_VALUE2:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (gost->repr != NULL) {
- isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- gost->repr, gost->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(gost, sizeof(*gost));
- isc_mem_put(key->mctx, gost, sizeof(*gost));
- key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *gost;
- isc_region_t r;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE);
- if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
- return (ISC_R_FAILURE);
-
- isc_buffer_availableregion(data, &r);
- if (r.length < ISC_GOST_PUBKEYLENGTH)
- return (ISC_R_NOSPACE);
- memmove(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
- isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *gost;
- isc_region_t r;
- CK_ATTRIBUTE *attr;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
- if (r.length != ISC_GOST_PUBKEYLENGTH)
- return (DST_R_INVALIDPUBLICKEY);
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- return (ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
- if (gost->repr == NULL)
- goto nomemory;
- gost->attrcnt = 1;
-
- attr = gost->repr;
- attr->type = CKA_VALUE;
- attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
- if (attr->pValue == NULL)
- goto nomemory;
- memmove((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
- attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
-
- isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
- return (ISC_R_SUCCESS);
-
- nomemory:
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (gost->repr != NULL) {
- isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- gost->repr, gost->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(gost, sizeof(*gost));
- isc_mem_put(key->mctx, gost, sizeof(*gost));
- return (ISC_R_NOMEMORY);
-}
-
-static unsigned char gost_private_der[39] = {
- 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20
-};
-
-#ifdef PREFER_GOSTASN1
-
-static isc_result_t
-pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *gost;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
- int adj;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen + 39);
- if (buf == NULL)
- return (ISC_R_NOMEMORY);
- priv.elements[i].tag = TAG_GOST_PRIVASN1;
- priv.elements[i].length =
- (unsigned short) attr->ulValueLen + 39;
- memmove(buf, gost_private_der, 39);
- memmove(buf + 39, attr->pValue, attr->ulValueLen);
- adj = (int) attr->ulValueLen - 32;
- if (adj != 0) {
- buf[1] += adj;
- buf[36] += adj;
- buf[38] += adj;
- }
- priv.elements[i].data = buf;
- i++;
- } else
- return (DST_R_CRYPTOFAILURE);
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- isc_safe_memwipe(buf, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-
-#else
-
-static isc_result_t
-pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *gost;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen);
- if (buf == NULL)
- return (ISC_R_NOMEMORY);
- priv.elements[i].tag = TAG_GOST_PRIVRAW;
- priv.elements[i].length = (unsigned short) attr->ulValueLen;
- memmove(buf, attr->pValue, attr->ulValueLen);
- priv.elements[i].data = buf;
- i++;
- } else
- return (DST_R_CRYPTOFAILURE);
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- isc_safe_memwipe(buf, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-#endif
-
-static isc_result_t
-pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- pk11_object_t *gost = NULL;
- CK_ATTRIBUTE *attr, *pattr;
- isc_mem_t *mctx = key->mctx;
-
- if ((pub == NULL) || (pub->keydata.pkey == NULL))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (key->external) {
- if (priv.nelements != 0)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
- int adj = (int) priv.elements[0].length - (39 + 32);
- unsigned char buf[39];
-
- if ((adj > 0) || (adj < -31))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- memmove(buf, gost_private_der, 39);
- if (adj != 0) {
- buf[1] += adj;
- buf[36] += adj;
- buf[38] += adj;
- }
- if (!isc_safe_memequal(priv.elements[0].data, buf, 39))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- priv.elements[0].tag = TAG_GOST_PRIVRAW;
- priv.elements[0].length -= 39;
- memmove(priv.elements[0].data,
- priv.elements[0].data + 39,
- 32 + adj);
- }
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
-
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
- sizeof(*attr) * 2);
- if (gost->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost->repr, 0, sizeof(*attr) * 2);
- gost->attrcnt = 2;
-
- attr = gost->repr;
- attr->type = CKA_VALUE;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_VALUE2;
- attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
- attr->ulValueLen = priv.elements[0].length;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11gost_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t pkcs11gost_functions = {
- pkcs11gost_createctx,
- NULL, /*%< createctx2 */
- pkcs11gost_destroyctx,
- pkcs11gost_adddata,
- pkcs11gost_sign,
- pkcs11gost_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11gost_compare,
- NULL, /*%< paramcompare */
- pkcs11gost_generate,
- pkcs11gost_isprivate,
- pkcs11gost_destroy,
- pkcs11gost_todns,
- pkcs11gost_fromdns,
- pkcs11gost_tofile,
- pkcs11gost_parse,
- NULL, /*%< cleanup */
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11gost_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &pkcs11gost_functions;
- return (ISC_R_SUCCESS);
-}
-
-#else /* HAVE_PKCS11 && HAVE_PKCS11_GOST */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 && HAVE_PKCS11_GOST */
-/*! \file */
#include <dns/ds.h>
-#include "dst_gost.h"
-
static inline isc_result_t
fromtext_cds(ARGS_FROMTEXT) {
#include <dns/ds.h>
-#include "dst_gost.h"
-
static inline isc_result_t
fromtext_dlv(ARGS_FROMTEXT) {
#include <dns/ds.h>
-#include "dst_gost.h"
-
static inline isc_result_t
generic_fromtext_ds(ARGS_FROMTEXT) {
isc_token_t token;
case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
break;
-#ifdef ISC_GOST_DIGESTLENGTH
- case DNS_DSDIGEST_GOST:
- length = ISC_GOST_DIGESTLENGTH;
- break;
-#endif
case DNS_DSDIGEST_SHA384:
length = ISC_SHA384_DIGESTLENGTH;
break;
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
-#ifdef ISC_GOST_DIGESTLENGTH
- (sr.base[3] == DNS_DSDIGEST_GOST &&
- sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
-#endif
(sr.base[3] == DNS_DSDIGEST_SHA384 &&
sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
-#ifdef ISC_GOST_DIGESTLENGTH
- else if (sr.base[3] == DNS_DSDIGEST_GOST)
- sr.length = 4 + ISC_GOST_DIGESTLENGTH;
-#endif
else if (sr.base[3] == DNS_DSDIGEST_SHA384)
sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
case DNS_DSDIGEST_SHA256:
REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
break;
-#ifdef ISC_GOST_DIGESTLENGTH
- case DNS_DSDIGEST_GOST:
- REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
- break;
-#endif
case DNS_DSDIGEST_SHA384:
REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
break;
tp: dnstap_test
tp: dst_test
tp: geoip_test
-tp: gost_test
tp: keytable_test
tp: master_test
tp: name_test
atf_test_program{name='dnstap_test'}
atf_test_program{name='dst_test'}
atf_test_program{name='geoip_test'}
-atf_test_program{name='gost_test'}
atf_test_program{name='keytable_test'}
atf_test_program{name='master_test'}
atf_test_program{name='name_test'}
dst_test.c \
dnstest.c \
geoip_test.c \
- gost_test.c \
keytable_test.c \
master_test.c \
name_test.c \
dnstap_test@EXEEXT@ \
dst_test@EXEEXT@ \
geoip_test@EXEEXT@ \
- gost_test@EXEEXT@ \
keytable_test@EXEEXT@ \
master_test@EXEEXT@ \
name_test@EXEEXT@ \
geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
-gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- gost_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
-
keytable_test@EXEEXT@: keytable_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
keytable_test.@O@ dnstest.@O@ ${DNSLIBS} \
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-
-/* ! \file */
-
-#include <config.h>
-
-#include <atf-c.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/util.h>
-#include <isc/print.h>
-#include <isc/string.h>
-
-#include "dnstest.h"
-
-#ifdef HAVE_OPENSSL_GOST
-#include "../dst_gost.h"
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/engine.h>
-#include <openssl/bn.h>
-#endif
-
-#ifdef HAVE_PKCS11_GOST
-#include "../dst_gost.h"
-#include <pk11/internal.h>
-#define WANT_GOST_PARAMS
-#include <pk11/constants.h>
-#include <pkcs11/pkcs11.h>
-#endif
-
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-/*
- * Test data from Wikipedia GOST (hash function)
- */
-
-unsigned char digest[ISC_GOST_DIGESTLENGTH];
-unsigned char buffer[1024];
-const char *s;
-char str[2 * ISC_GOST_DIGESTLENGTH + 3];
-int i = 0;
-
-/*
- * Precondition: a hexadecimal number in *d, the length of that number in len,
- * and a pointer to a character array to put the output (*out).
- * Postcondition: A String representation of the given hexadecimal number is
- * placed into the array *out
- *
- * 'out' MUST point to an array of at least len * 2 + 1
- *
- * Return values: ISC_R_SUCCESS if the operation is sucessful
- */
-static isc_result_t
-tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
- char c_ret[] = "AA";
- unsigned int j;
-
- out[0] = '\0';
- strlcat(out, "0x", out_size);
- for (j = 0; j < len; j++) {
- snprintf(c_ret, sizeof(c_ret), "%02X", d[j]);
- strlcat(out, c_ret, out_size);
- }
- return (ISC_R_SUCCESS);
-}
-
-
-#define TEST_INPUT(x) (x), sizeof(x)-1
-
-typedef struct hash_testcase {
- const char *input;
- size_t input_len;
- const char *result;
- int repeats;
-} hash_testcase_t;
-
-ATF_TC(isc_gost_md);
-ATF_TC_HEAD(isc_gost_md, tc) {
- atf_tc_set_md_var(tc, "descr",
- "GOST R 34.11-94 examples from Wikipedia");
-}
-ATF_TC_BODY(isc_gost_md, tc) {
- isc_gost_t gost;
- isc_result_t result;
-
- UNUSED(tc);
-
- /*
- * These are the various test vectors. All of these are passed
- * through the hash function and the results are compared to the
- * result specified here.
- */
- hash_testcase_t testcases[] = {
- /* Test 1 */
- {
- TEST_INPUT(""),
- "0x981E5F3CA30C841487830F84FB433E1"
- "3AC1101569B9C13584AC483234CD656C0",
- 1
- },
- /* Test 2 */
- {
- TEST_INPUT("a"),
- "0xE74C52DD282183BF37AF0079C9F7805"
- "5715A103F17E3133CEFF1AACF2F403011",
- 1
- },
- /* Test 3 */
- {
- TEST_INPUT("abc"),
- "0xB285056DBF18D7392D7677369524DD1"
- "4747459ED8143997E163B2986F92FD42C",
- 1
- },
- /* Test 4 */
- {
- TEST_INPUT("message digest"),
- "0xBC6041DD2AA401EBFA6E9886734174F"
- "EBDB4729AA972D60F549AC39B29721BA0",
- 1
- },
- /* Test 5 */
- {
- TEST_INPUT("The quick brown fox jumps "
- "over the lazy dog"),
- "0x9004294A361A508C586FE53D1F1B027"
- "46765E71B765472786E4770D565830A76",
- 1
- },
-
- /* Test 6 */
- {
- TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
- "fghijklmnopqrstuvwxyz0123456789"),
- "0x73B70A39497DE53A6E08C67B6D4DB85"
- "3540F03E9389299D9B0156EF7E85D0F61",
- 1
- },
- /* Test 7 */
- {
- TEST_INPUT("1234567890123456789012345678901"
- "2345678901234567890123456789012"
- "345678901234567890"),
- "0x6BC7B38989B28CF93AE8842BF9D7529"
- "05910A7528A61E5BCE0782DE43E610C90",
- 1
- },
- /* Test 8 */
- {
- TEST_INPUT("This is message, length=32 bytes"),
- "0x2CEFC2F7B7BDC514E18EA57FA74FF35"
- "7E7FA17D652C75F69CB1BE7893EDE48EB",
- 1
- },
- /* Test 9 */
- {
- TEST_INPUT("Suppose the original message "
- "has length = 50 bytes"),
- "0xC3730C5CBCCACF915AC292676F21E8B"
- "D4EF75331D9405E5F1A61DC3130A65011",
- 1
- },
- /* Test 10 */
- {
- TEST_INPUT("U") /* times 128 */,
- "0x1C4AC7614691BBF427FA2316216BE8F"
- "10D92EDFD37CD1027514C1008F649C4E8",
- 128
- },
- /* Test 11 */
- {
- TEST_INPUT("a") /* times 1000000 */,
- "0x8693287AA62F9478F7CB312EC0866B6"
- "C4E4A0F11160441E8F4FFCD2715DD554F",
- 1000000
- },
- { NULL, 0, NULL, 1 }
- };
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- hash_testcase_t *testcase = testcases;
-
- while (testcase->input != NULL && testcase->result != NULL) {
- result = isc_gost_init(&gost);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- for(i = 0; i < testcase->repeats; i++) {
- result = isc_gost_update(&gost,
- (const isc_uint8_t *) testcase->input,
- testcase->input_len);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- }
- result = isc_gost_final(&gost, digest);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- tohexstr(digest, ISC_GOST_DIGESTLENGTH, str, sizeof(str));
- ATF_CHECK_STREQ(str, testcase->result);
-
- testcase++;
- }
-
- dns_test_end();
-}
-
-ATF_TC(isc_gost_private);
-ATF_TC_HEAD(isc_gost_private, tc) {
- atf_tc_set_md_var(tc, "descr", "GOST R 34.10-2001 private key");
-}
-ATF_TC_BODY(isc_gost_private, tc) {
- isc_result_t result;
- unsigned char privraw[31] = {
- 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
- 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
- 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
- 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
- };
-#ifdef HAVE_OPENSSL_GOST
- unsigned char rbuf[32];
- unsigned char privasn1[70] = {
- 0x30, 0x44, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x21, 0x02, 0x1f, 0x01,
- 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
- 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
- 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
- 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
- };
- unsigned char abuf[71];
- unsigned char gost_dummy_key[71] = {
- 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
- 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
- 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
- 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
- 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
- };
- EVP_PKEY *pkey;
- EC_KEY *eckey;
- BIGNUM *privkey;
- const BIGNUM *privkey1;
- const unsigned char *p;
- int len;
- unsigned char *q;
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- /* raw parse */
- privkey = BN_bin2bn(privraw, (int) sizeof(privraw), NULL);
- ATF_REQUIRE(privkey != NULL);
- p = gost_dummy_key;
- pkey = NULL;
- ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) sizeof(gost_dummy_key)) != NULL);
- ATF_REQUIRE(pkey != NULL);
- ATF_REQUIRE(EVP_PKEY_bits(pkey) == 256);
- eckey = EVP_PKEY_get0(pkey);
- ATF_REQUIRE(eckey != NULL);
- ATF_REQUIRE(EC_KEY_set_private_key(eckey, privkey) == 1);
- BN_clear_free(privkey);
-
- /* asn1 tofile */
- len = i2d_PrivateKey(pkey, NULL);
- ATF_REQUIRE(len == 70);
- q = abuf;
- ATF_REQUIRE(i2d_PrivateKey(pkey, &q) == len);
- ATF_REQUIRE(memcmp(abuf, privasn1, len) == 0);
- EVP_PKEY_free(pkey);
-
- /* asn1 parse */
- p = privasn1;
- pkey = NULL;
- ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) len) != NULL);
- ATF_REQUIRE(pkey != NULL);
- eckey = EVP_PKEY_get0(pkey);
- ATF_REQUIRE(eckey != NULL);
- privkey1 = EC_KEY_get0_private_key(eckey);
- len = BN_num_bytes(privkey1);
- ATF_REQUIRE(len == 31);
- ATF_REQUIRE(BN_bn2bin(privkey1, rbuf) == len);
- ATF_REQUIRE(memcmp(rbuf, privraw, len) == 0);
-
- dns_test_end();
-#else
- CK_BBOOL truevalue = TRUE;
- CK_BBOOL falsevalue = FALSE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, privraw, sizeof(privraw) },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_BYTE sig[64];
- CK_ULONG siglen;
- pk11_context_t pk11_ctx;
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- /* create the private key */
- memset(&pk11_ctx, 0, sizeof(pk11_ctx));
- ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE,
- ISC_FALSE, ISC_FALSE, NULL,
- pk11_get_best_token(OP_GOST)) ==
- ISC_R_SUCCESS);
- pk11_ctx.object = CK_INVALID_HANDLE;
- pk11_ctx.ontoken = ISC_FALSE;
- ATF_REQUIRE(pkcs_C_CreateObject(pk11_ctx.session, keyTemplate,
- (CK_ULONG) 9, &pk11_ctx.object) ==
- CKR_OK);
- ATF_REQUIRE(pk11_ctx.object != CK_INVALID_HANDLE);
-
- /* sign something */
- ATF_REQUIRE(pkcs_C_SignInit(pk11_ctx.session, &mech,
- pk11_ctx.object) == CKR_OK);
- siglen = 0;
- ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
- NULL, &siglen) == CKR_OK);
- ATF_REQUIRE(siglen == 64);
- ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
- sig, &siglen) == CKR_OK);
- ATF_REQUIRE(siglen == 64);
-
- dns_test_end();
-#endif
-};
-#else
-ATF_TC(untested);
-ATF_TC_HEAD(untested, tc) {
- atf_tc_set_md_var(tc, "descr", "skipping gost test");
-}
-ATF_TC_BODY(untested, tc) {
- UNUSED(tc);
- atf_tc_skip("GOST not available");
-}
-#endif
-/*
- * Main
- */
-ATF_TP_ADD_TCS(tp) {
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- ATF_TP_ADD_TC(tp, isc_gost_md);
- ATF_TP_ADD_TC(tp, isc_gost_private);
-#else
- ATF_TP_ADD_TC(tp, untested);
-#endif
- return (atf_no_error());
-}
-
<ClCompile Include="..\openssleddsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
- <ClCompile Include="..\opensslgost_link.c">
- <Filter>Dst Source Files</Filter>
- </ClCompile>
<ClCompile Include="..\opensslrsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\pkcs11eddsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
- <ClCompile Include="..\pkcs11gost_link.c">
- <Filter>Dst Source Files</Filter>
- </ClCompile>
<ClCompile Include="..\pkcs11rsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClInclude Include="..\include\dst\result.h">
<Filter>Dst Header Files</Filter>
</ClInclude>
- <ClInclude Include="..\dst_gost.h">
- <Filter>Dst Header Files</Filter>
- </ClInclude>
<ClInclude Include="..\dst_internal.h">
<Filter>Dst Header Files</Filter>
</ClInclude>
<ClCompile Include="..\openssldsa_link.c" />
<ClCompile Include="..\opensslecdsa_link.c" />
<ClCompile Include="..\openssleddsa_link.c" />
- <ClCompile Include="..\opensslgost_link.c" />
<ClCompile Include="..\opensslrsa_link.c" />
<ClCompile Include="..\openssl_link.c" />
@END OPENSSL
<ClCompile Include="..\pkcs11dsa_link.c" />
<ClCompile Include="..\pkcs11ecdsa_link.c" />
<ClCompile Include="..\pkcs11eddsa_link.c" />
- <ClCompile Include="..\pkcs11gost_link.c" />
<ClCompile Include="..\pkcs11rsa_link.c" />
@END PKCS11
<ClCompile Include="..\portlist.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\code.h" />
- <ClInclude Include="..\dst_gost.h" />
<ClInclude Include="..\dst_internal.h" />
@IF OPENSSL
<ClInclude Include="..\dst_openssl.h" />
- DH (secret derivation)
- digest (hash)
- EC (ECDSA, sign/verify)
- - GOST (Russian hash and sign/verify)
- AES (encrypt/decrypt)
...and a summary of PKCS#11 tokens that have been found.
- EC: you may wish to configure BIND9 without ECDSA support by adding
--without-ecdsa to the "configure" arguments.
- - GOST: you SHOULD configure BIND9 without GOST support by adding
- --without-gost to the "configure" arguments.
-
- AES: you MUST reconfigure bind9 without AES support by adding
--without-aes to configure arguments.
You can disable some algorithms (e.g. DSA, DH and MD5) using the
"disable-algorithms" option in named.conf, and some other algorithms can be
-disabled at compile time (ECDSA, GOST, AES). Note, however, that disabling
+disabled at compile time (ECDSA, AES). Note, however, that disabling
algorithms can have unwanted side effects; for instance, disabling DH breaks
TKEY support.
};
#endif
-#ifdef WANT_GOST_PARAMS
-static CK_BYTE pk11_gost_a_paramset[] = {
- 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
-};
-static CK_BYTE pk11_gost_paramset[] = {
- 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
-};
-#endif
-
#endif /* PK11_CONSTANTS_H */
static pk11_token_t *best_dh_token;
static pk11_token_t *digest_token;
static pk11_token_t *best_ec_token;
-static pk11_token_t *best_gost_token;
static pk11_token_t *aes_token;
static isc_result_t free_all_sessions(void);
digest_token = NULL;
if (token == best_ec_token)
best_ec_token = NULL;
- if (token == best_gost_token)
- best_gost_token = NULL;
if (token == aes_token)
aes_token = NULL;
pk11_mem_put(token, sizeof(*token));
PK11_TRACEM(CKM_ECDSA);
}
if (bad)
- goto try_gost;
+ goto try_eddsa;
token->operations |= 1 << OP_EC;
if (best_ec_token == NULL)
best_ec_token = token;
- try_gost:
- bad = ISC_FALSE;
- /* does GOST require digest too? */
- rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3411);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot,
- CKM_GOSTR3410_WITH_GOSTR3411,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
- }
- if (bad)
- goto try_eddsa;
- token->operations |= 1 << OP_GOST;
- if (best_gost_token == NULL)
- best_gost_token = token;
-
try_eddsa:
#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
bad = ISC_FALSE;
case OP_EC:
token = best_ec_token;
break;
- case OP_GOST:
- token = best_gost_token;
- break;
case OP_AES:
token = aes_token;
break;
printf("\tbest_dh_token=%p\n", best_dh_token);
printf("\tdigest_token=%p\n", digest_token);
printf("\tbest_ec_token=%p\n", best_ec_token);
- printf("\tbest_gost_token=%p\n", best_gost_token);
printf("\taes_token=%p\n", aes_token);
for (token = ISC_LIST_HEAD(tokens);
./bin/tests/system/glue/tests.sh SH 2000,2001,2003,2004,2007,2012,2013,2016,2017,2018
./bin/tests/system/glue/xx.good X 2000,2001,2018
./bin/tests/system/glue/yy.good X 2000,2001,2003,2018
-./bin/tests/system/gost/clean.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/ns1/named.conf CONF-C 2010,2016,2018
-./bin/tests/system/gost/ns1/root.db.in ZONE 2010,2016,2018
-./bin/tests/system/gost/ns1/sign.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/ns2/named.conf CONF-C 2010,2016,2018
-./bin/tests/system/gost/prereq.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/setup.sh SH 2010,2012,2014,2016,2017,2018
-./bin/tests/system/gost/tests.sh SH 2010,2012,2013,2016,2018
./bin/tests/system/idna/clean.sh SH 2018
./bin/tests/system/idna/ns1/named.conf.in CONF-C 2018
./bin/tests/system/idna/ns1/root.db ZONE 2018
./lib/dns/dnstap.proto X 2015,2018
./lib/dns/ds.c C 2002,2003,2004,2005,2006,2007,2010,2012,2014,2016,2018
./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
-./lib/dns/dst_gost.h C 2014,2016,2018
./lib/dns/dst_internal.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018
./lib/dns/dst_lib.c C 1999,2000,2001,2004,2005,2007,2016,2018
./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018
./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/opensslecdsa_link.c C 2012,2013,2014,2015,2016,2017,2018
./lib/dns/openssleddsa_link.c C 2017,2018
-./lib/dns/opensslgost_link.c C 2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018
./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
./lib/dns/pkcs11dsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11eddsa_link.c C 2017,2018
-./lib/dns/pkcs11gost_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/portlist.c C 2003,2004,2005,2006,2007,2014,2016,2018
./lib/dns/private.c C 2009,2011,2012,2015,2016,2017,2018
./lib/dns/tests/dnstest.h C 2011,2012,2014,2015,2016,2017,2018
./lib/dns/tests/dst_test.c C 2018
./lib/dns/tests/geoip_test.c C 2013,2014,2015,2016,2017,2018
-./lib/dns/tests/gost_test.c C 2014,2015,2016,2017,2018
./lib/dns/tests/keytable_test.c C 2014,2015,2016,2017,2018
./lib/dns/tests/master_test.c C 2011,2012,2013,2015,2016,2017,2018
./lib/dns/tests/mkraw.pl PERL 2011,2012,2016,2018
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_OPENSSL_EVP_AES",
- "HAVE_OPENSSL_GOST",
"HAVE_DH_GET0_KEY",
"HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
"HAVE_PKCS11_ECDSA",
"HAVE_PKCS11_ED25519",
"HAVE_PKCS11_ED448",
- "HAVE_PKCS11_GOST",
"HAVE_READLINE",
"HAVE_ZLIB",
"HMAC_SHA1_CC",
"HMAC_SHA256_CC",
"ISC_LIST_CHECKINIT",
- "PREFER_GOSTASN1",
"TUNE_LARGE",
"WANT_QUERYTRACE",
"WITH_IDN");
"extra-tests",
"gssapi",
"geoip",
- "gost",
"iconv",
"idn",
"openssl",
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
" with-ecdsa crypto ECDSA\n",
" with-eddsa crypto EDDSA yes|all|no\n",
-" with-gost[=ENC] crypto GOST yes|no|raw|ans1\n",
" with-aes crypto AES\n",
" with-cc-alg choose the algorithm for cookies aes|sha1|sha256\n",
" with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n",
my $use_ecdsa = "auto";
my $use_eddsa = "auto";
my $use_ed448 = "auto";
-my $use_gost = "auto";
-my $gost_encoding = "raw";
my $use_aes = "auto";
my $cookie_algorithm = "aes";
my $use_gssapi = "no";
$use_ed448 = "yes";
}
}
- } elsif ($key =~ /^gost$/i) {
- if ($val =~ /^no$/i) {
- $use_gost = "no";
- } elsif ($val !~ /^no$/i) {
- $use_gost = "yes";
- $gost_encoding = $val;
- }
} elsif ($key =~ /^aes$/i) {
if ($val =~ /^no$/i) {
$use_aes = "no";
print "ed448: enabled\n";
}
}
- if ($use_gost eq "no") {
- print "gost: disabled\n";
- } else {
- print "gost: enabled\n";
- print "gost private key encoding: $gost_encoding\n";
- }
if ($use_aes eq "no") {
print "aes: disabled\n";
} else {
$configdefh{"HAVE_PKCS11_ED448"} = 1;
}
}
- if ($use_gost eq "no") {
- if ($verbose) {
- print "no GOST support in native PKCS#11\n";
- }
- } else {
- if ($verbose) {
- print "enabled GOST support in native PKCS#11\n";
- }
- $configdefh{"HAVE_PKCS11_GOST"} = 1;
- }
if ($use_aes eq "no") {
if ($verbose) {
print "no AES support in native PKCS#11\n";
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
}
-# with-gost
-if ($use_openssl eq "no") {
- $use_gost = "no";
-}
-if ($use_gost eq "auto") {
- if ($verbose) {
- print "checking for OpenSSL GOST support\n";
- }
- open F, ">testgost.c" || die $!;
- print F << 'EOF';
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-
-int
-main(void)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
-
- ek = NULL;
- OPENSSL_config(NULL);
-
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
-EOF
- close F;
- my $include = $configinc{"OPENSSL_INC"};
- my $library = $configlib{"OPENSSL_LIB"};
- $compret = `cl /nologo /MD /I "$include" testgost.c "$library"`;
- if (grep { -f and -x } ".\\testgost.exe") {
- `.\\testgost.exe`;
- if ($? != 0) {
- if ($verbose) {
- print "GOST test failed: disabling GOST\n";
- }
- $use_gost = "no";
- }
- } else {
- if ($verbose) {
- print "can't compile GOST test: $compret\n";
- print "disabling GOST\n";
- }
- $use_gost = "no";
- }
-}
-
-if ($use_gost ne "no") {
- $use_gost = "yes";
- $configdefh{"HAVE_OPENSSL_GOST"} = 1;
-}
-
-if ($gost_encoding eq "ans1") {
- $configdefh{"PREFER_GOSTASN1"} = 1;
-} elsif ($gost_encoding ne "raw") {
- die "Unrecognized GOST private key encoding: $gost_encoding\n";
-}
-
# with-aes
if ($use_openssl eq "no") {
if ($use_aes ne "pkcs11") {
# --with-pkcs11 supported
# --with-ecdsa supported
# --with-eddsa supported
-# --with-gost supported
# --with-aes supported
# --with-cc-alg supported
# --with-randomdev not supported on WIN32 (makes no sense)
nmake /f ms\ntdll.mak
The "enable-static-engine" option is needed when an OpenSSL engine
- will be used -- for example, when using the GOST signing algorithm or
- OpenSSL-based PKCS#11 support.
+ will be used -- for example, when using OpenSSL-based PKCS#11 support.
If you wish to use OpenSSL-based PKCS#11 to control a cryptographic
hardware service module, please see "PKCS#11 (Cryptoki) support" in
projects / thirdparty / bind9.git / commitdiff
