[v9_9] fix keysizes in confgen

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]
(cherry picked from commit 33b8db1bb3f0aa3a39db459e6a32a1082b8dce13)

diff --git a/CHANGES b/CHANGES
index 7e9bf9abe16c36f3d0f2c5d53c860290851d4e5c..b3fd80c387bdbe026dbb8f1a8adad323e5310e10 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+3514.  [bug]           The ranges for valid key sizes in ddns-confgen and
+                       rndc-confgen were too constrained. Keys up to 512
+                       bits are now allowed for most algorithms, and up
+                       to 1024 bits for hmac-sha384 and hmac-sha512.
+                       [RT #32753]
+
 3511.  [doc]           Improve documentation of redirect zones. [RT #32756]
 
 3509.  [cleanup]       Added a product line to version file to allow for

diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 787a93f1a7d818fda7f70f5d34ac692309fa0cdf..59096b57609fd494db51af452bec4781727b9a4e 100644 (file)
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -126,29 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 
        switch (alg) {
            case DST_ALG_HMACMD5:
-           case DST_ALG_HMACSHA512:
-               if (keysize < 1 || keysize > 512)
-                       fatal("keysize %d out of range (must be 1-512)\n",
-                             keysize);
-               break;
-           case DST_ALG_HMACSHA256:
-               if (keysize < 1 || keysize > 256)
-                       fatal("keysize %d out of range (must be 1-256)\n",
-                             keysize);
-               break;
            case DST_ALG_HMACSHA1:
-               if (keysize < 1 || keysize > 160)
-                       fatal("keysize %d out of range (must be 1-160)\n",
-                             keysize);
-               break;
            case DST_ALG_HMACSHA224:
-               if (keysize < 1 || keysize > 224)
-                       fatal("keysize %d out of range (must be 1-224)\n",
+           case DST_ALG_HMACSHA256:
+               if (keysize < 1 || keysize > 512)
+                       fatal("keysize %d out of range (must be 1-512)\n",
                              keysize);
                break;
            case DST_ALG_HMACSHA384:
-               if (keysize < 1 || keysize > 384)
-                       fatal("keysize %d out of range (must be 1-384)\n",
+           case DST_ALG_HMACSHA512:
+               if (keysize < 1 || keysize > 1024)
+                       fatal("keysize %d out of range (must be 1-1024)\n",
                              keysize);
                break;
            default:

diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index a9831b1867b3af427ada4d0cddddb3d7b2edfcc4..70639affb60ee96888b84d38ab5dbecb95cf8abd 100644 (file)
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -140,8 +140,6 @@ main(int argc, char **argv) {
                        keysize = strtol(isc_commandline_argument, &p, 10);
                        if (*p != '\0' || keysize < 0)
                                fatal("-b requires a non-negative number");
-                       if (keysize < 1 || keysize > 512)
-                               fatal("-b must be in the range 1 through 512");
                        break;
                case 'c':
                        keyfile = isc_commandline_argument;