3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
authorMark Andrews <marka@isc.org>
Mon, 29 Sep 2014 00:18:54 +0000 (10:18 +1000)
committerMark Andrews <marka@isc.org>
Mon, 29 Sep 2014 00:27:46 +0000 (10:27 +1000)
                        and ECDSAP384SHA384. [RT #37183]

(cherry picked from commit 80169c379dd4e0a6e164b7cac4bf5fa013c91138)

CHANGES
bin/dnssec/dnssec-keygen.c
bin/tests/system/dnssec/clean.sh
bin/tests/system/dnssec/tests.sh
lib/dns/opensslecdsa_link.c
lib/dns/opensslgost_link.c

diff --git a/CHANGES b/CHANGES
index 36f35807a67140176f7965e2e7637a2edf4167f1..40c0db67f34a004dc801a7fbedc6046beda1d8be 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3957.  [bug]           "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+                       and ECDSAP384SHA384. [RT #37183]
+
 3955.  [bug]           Notify messages due to changes are no longer queued
                        behind startup notify messages. [RT #24454]
 
index 510bb16a0a7d53f4b6821cd481309bcd90f5b025..4b54e4d245126ba64cbff7bb2d79324d257ad8bd 100644 (file)
@@ -530,6 +530,9 @@ main(int argc, char **argv) {
                                options |= DST_TYPE_KEY;
                }
 
+               if (!dst_algorithm_supported(alg))
+                       fatal("unsupported algorithm: %d", alg);
+
                if (use_nsec3 &&
                    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
                    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
@@ -697,8 +700,13 @@ main(int argc, char **argv) {
                        fatal("invalid DSS key size: %d", size);
                break;
        case DST_ALG_ECCGOST:
+               size = 256;
+               break;
        case DST_ALG_ECDSA256:
+               size = 256;
+               break;
        case DST_ALG_ECDSA384:
+               size = 384;
                break;
        case DST_ALG_HMACMD5:
                options |= DST_TYPE_KEY;
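Review bot: The three new assignments in the second hunk (`size = 256;` / `size = 384;`) overwrite `size` unconditionally, so a user who passes `-b` together with ECCGOST or an ECDSA algorithm has the value silently discarded, whereas the DSS case just above rejects a wrong size with `fatal("invalid DSS key size: %d", size)`. Rejecting a mismatch would keep the two paths consistent, e.g. for the ECDSAP256 case `if (size > 0 && size != 256) fatal("invalid ECDSA key size: %d", size);` before the assignment (the exact unset sentinel `size` carries when `-b` is absent is not visible here, hence `size > 0`). Note also that the new message at `fatal("unsupported algorithm: %d", alg)` in the first hunk is what tests.sh greps for, so changing its wording later would silently turn those test iterations into skips. `main()` starts and ends outside both hunks.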
index 8cf407ca3bc822e194986c1df05e82cb625e79d0..f9f0e403dfa44044da58d0e112560e069081cb87 100644 (file)
@@ -69,3 +69,5 @@ rm -f ns1/resolve.key
 rm -f ns3/siginterval.conf
 rm -f ns4/named_dump.db
 rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
+rm -f Kexample.*
+rm -f keygen.err
index 17594f11ed6deb6f24616a049e815725db07d4bb..7ddd5dd58ce868b73aa369c2d467d0d4c06c75f6 100644 (file)
@@ -1956,5 +1956,52 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
+ret=0
+alg=1
+until test $alg = 256
+do
+       size=
+       case $alg in
+       1) size="-b 512";;
+       2) # Diffie Helman
+          alg=`expr $alg + 1`
+          continue;;
+       3) size="-b 512";;
+       5) size="-b 512";;
+       6) size="-b 512";;
+       7) size="-b 512";;
+       8) size="-b 512";;
+       10) size="-b 1024";;
+       157|160|161|162|163|164|165) # private - non standard
+          alg=`expr $alg + 1`
+          continue;;
+       esac
+       key1=`$KEYGEN -a $alg $size -n zone -r /dev/urandom example 2> keygen.err`
+       if grep "unsupported algorithm" keygen.err > /dev/null
+       then
+               alg=`expr $alg + 1`
+               continue
+       fi
+       if test -z "$key1"
+       then
+               echo "I: '$KEYGEN -a $alg': failed"
+               cat keygen.err
+               ret=1
+               alg=`expr $alg + 1`
+               continue
+       fi
+       $SETTIME -I now+4d $key1.private > /dev/null
+       key2=`$KEYGEN -v 10 -r /dev/urandom -i 3d -S $key1.private 2> /dev/null`
+       test -f $key2.key -a -f $key2.private || {
+               ret=1
+               echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
+       }
+       alg=`expr $alg + 1`
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
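Review bot: The `-S` invocation discards its diagnostics (`2> /dev/null`) and the preceding `$SETTIME` call's exit status is never checked, so when the `test -f $key2.key -a -f $key2.private` check fails the log only says which algorithm failed, not why. Capturing stderr the same way the first invocation does, `key2=\`$KEYGEN -v 10 -r /dev/urandom -i 3d -S $key1.private 2> keygen.err\``, and adding `cat keygen.err` inside the failure block would make a regression diagnosable from the test output; `$SETTIME -I now+4d $key1.private > /dev/null || ret=1` would catch a settime failure instead of attributing it to keygen. The loop also relies on the literal "unsupported algorithm" text from dnssec-keygen to skip unimplemented numbers, so a reworded error would make every such iteration count as a failure; a comment stating that coupling next to the `grep` would help the next editor.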
index 78d2d0ceb9d9e327d289d83d3534318e4dc76a12..0562a8616c12478a8bab4191d2c4f7e9f934d956 100644 (file)
@@ -295,10 +295,13 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
        UNUSED(unused);
        UNUSED(callback);
 
-       if (key->key_alg == DST_ALG_ECDSA256)
+       if (key->key_alg == DST_ALG_ECDSA256) {
                group_nid = NID_X9_62_prime256v1;
-       else
+               key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+       } else {
                group_nid = NID_secp384r1;
+               key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+       }
 
        eckey = EC_KEY_new_by_curve_name(group_nid);
        if (eckey == NULL)
@@ -433,6 +436,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
        isc_buffer_forward(data, len);
        key->keydata.pkey = pkey;
+       key->key_size = len * 4;
        ret = ISC_R_SUCCESS;
 
  err:
@@ -556,6 +560,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
        }
        key->keydata.pkey = pkey;
+       if (key->key_alg == DST_ALG_ECDSA256)
+               key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+       else
+               key->key_size = DNS_KEY_ECDSA384SIZE * 4;
        ret = ISC_R_SUCCESS;
 
  err:
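Review bot: The algorithm-to-bit-size mapping is now written out twice (the `if`/`else` in opensslecdsa_generate and again in opensslecdsa_parse) while opensslecdsa_fromdns derives the same value from `len * 4`; a single static helper would keep the three sites from drifting and gives the unexplained `* 4` a home. Whether `len` has already been checked against the expected wire size before the fromdns hunk is not visible here; if it has not, using the helper there too would stop a malformed record from producing an unexpected `key_size`. The field type of `key_size` is also not visible, so the helper's return type below should be adjusted to match it.
```c
/* Curve order in bits for the key's algorithm.  NOTE(review): assumes the
 * DNS_KEY_ECDSA*SIZE constants are the wire size of x||y (2 * bits/8 bytes),
 * which is why the existing code multiplies by 4 -- confirm. */
static unsigned int
opensslecdsa_key_size(const dst_key_t *key) {
	if (key->key_alg == DST_ALG_ECDSA256)
		return (DNS_KEY_ECDSA256SIZE * 4);
	return (DNS_KEY_ECDSA384SIZE * 4);
}

/* … unchanged: opensslecdsa_generate up to the curve selection … */
	key->key_size = opensslecdsa_key_size(key);
/* … unchanged: opensslecdsa_fromdns and opensslecdsa_parse use the same call … */
```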
index a7e728cff9ed6deb6e75a6776a9a3ce8f1104115..09a5ec72f9d4931b872861338213af97ee6bfda3 100644 (file)
@@ -196,6 +196,7 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
                DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
                                               DST_R_OPENSSLFAILURE));
        key->keydata.pkey = pkey;
+       key->key_size = EVP_PKEY_bits(pkey);
        EVP_PKEY_CTX_free(ctx);
        return (ISC_R_SUCCESS);
 
@@ -281,6 +282,7 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
                return (dst__openssl_toresult2("d2i_PUBKEY",
                                               DST_R_OPENSSLFAILURE));
        key->keydata.pkey = pkey;
+       key->key_size = EVP_PKEY_bits(pkey);
 
        return (ISC_R_SUCCESS);
 }
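Review bot: Both hunks set `key->key_size` in the generate and fromdns paths, but unlike the ECDSA change in this commit the GOST parse path (reading a `.private` file) is not touched; if opensslgost_parse does not already set `key_size` — not visible here — a key loaded from disk would still carry whatever the field defaulted to, and `dnssec-keygen -S` on it works only because main() now hard-codes 256 for ECCGOST. Adding `key->key_size = EVP_PKEY_bits(pkey);` after the `key->keydata.pkey = pkey;` in opensslgost_parse would make the three entry points consistent. A short comment such as `/* key_size is the curve order in bits, as for ECDSA keys */` at the first assignment would also record what unit the field holds for this algorithm.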