From: Mark Andrews Date: Mon, 29 Sep 2014 00:18:54 +0000 (+1000) Subject: 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8678bcdcbea233e351fe8517b8ec1b5e98a6909;p=thirdparty%2Fbind9.git 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384. [RT #37183] (cherry picked from commit 80169c379dd4e0a6e164b7cac4bf5fa013c91138) --- diff --git a/CHANGES b/CHANGES index 36f35807a67..40c0db67f34 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 + and ECDSAP384SHA384. [RT #37183] + 3955. [bug] Notify messages due to changes are no longer queued behind startup notify messages. [RT #24454] diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 510bb16a0a7..4b54e4d2451 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -530,6 +530,9 @@ main(int argc, char **argv) { options |= DST_TYPE_KEY; } + if (!dst_algorithm_supported(alg)) + fatal("unsupported algorithm: %d", alg); + if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && @@ -697,8 +700,13 @@ main(int argc, char **argv) { fatal("invalid DSS key size: %d", size); break; case DST_ALG_ECCGOST: + size = 256; + break; case DST_ALG_ECDSA256: + size = 256; + break; case DST_ALG_ECDSA384: + size = 384; break; case DST_ALG_HMACMD5: options |= DST_TYPE_KEY; diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 8cf407ca3bc..f9f0e403dfa 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -69,3 +69,5 @@ rm -f ns1/resolve.key rm -f ns3/siginterval.conf rm -f ns4/named_dump.db rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit +rm -f Kexample.* +rm -f keygen.err 
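Review bot: The new `fatal("unsupported algorithm: %d", alg)` text is load-bearing for the test added in bin/tests/system/dnssec/tests.sh in this same commit, which greps stderr for `unsupported algorithm` to decide whether an algorithm number is skipped; rewording the message later would silently turn skipped algorithms into reported failures. A comment on the call, `/* bin/tests/system/dnssec/tests.sh greps for this text */`, would protect the coupling. Placing the check ahead of the NSEC3 algorithm test below also means an unsupported algorithm now gets this message rather than the NSEC3 one, which appears intended. main() continues outside the hunk.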
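Review bot: The new `case DST_ALG_ECCGOST`, `DST_ALG_ECDSA256` and `DST_ALG_ECDSA384` arms assign `size` unconditionally, so a `-b` value given on the command line for these fixed-size algorithms is silently overwritten, whereas the DSS arm visible just above rejects a bad size with `fatal("invalid DSS key size: %d", size)`. If `size` is 0 when `-b` was not supplied (its default is outside the hunk), mirroring that behaviour is a one-line guard per arm, e.g. `if (size != 0 && size != 256) fatal("invalid ECDSAP256SHA256 key size: %d", size);` before `size = 256;`, and likewise with 384 for the P-384 arm. main() continues outside the hunk.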
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 17594f11ed6..7ddd5dd58ce 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1956,5 +1956,52 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg = 256 +do + size= + case $alg in + 1) size="-b 512";; + 2) # Diffie Helman + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; + 5) size="-b 512";; + 6) size="-b 512";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; + 157|160|161|162|163|164|165) # private - non standard + alg=`expr $alg + 1` + continue;; + esac + key1=`$KEYGEN -a $alg $size -n zone -r /dev/urandom example 2> keygen.err` + if grep "unsupported algorithm" keygen.err > /dev/null + then + alg=`expr $alg + 1` + continue + fi + if test -z "$key1" + then + echo "I: '$KEYGEN -a $alg': failed" + cat keygen.err + ret=1 + alg=`expr $alg + 1` + continue + fi + $SETTIME -I now+4d $key1.private > /dev/null + key2=`$KEYGEN -v 10 -r /dev/urandom -i 3d -S $key1.private 2> /dev/null` + test -f $key2.key -a -f $key2.private || { + ret=1 + echo "I: 'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=`expr $alg + 1` +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 78d2d0ceb9d..0562a8616c1 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c 
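Review bot: The `dnssec-keygen -S` invocation sends stderr to `/dev/null`, so when `test -f $key2.key -a -f $key2.private` fails the log names the algorithm but the actual keygen error is lost, while the first keygen in the loop already captures stderr in `keygen.err` and cats it on failure. Using `2> keygen.err` in place of `2> /dev/null` on the `-S` run and adding `cat keygen.err` inside the failure block would make a regression diagnosable from the test output. The exit status of `$SETTIME -I now+4d $key1.private` is also unchecked, so a settime failure would be reported as a `-S` failure. Key files from earlier iterations are not removed inside the loop, so each iteration relies on distinct `Kexample.*` names until clean.sh runs.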
@@ -295,10 +295,13 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { UNUSED(unused); UNUSED(callback); - if (key->key_alg == DST_ALG_ECDSA256) + if (key->key_alg == DST_ALG_ECDSA256) { group_nid = NID_X9_62_prime256v1; - else + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + } else { group_nid = NID_secp384r1; + key->key_size = DNS_KEY_ECDSA384SIZE * 4; + } eckey = EC_KEY_new_by_curve_name(group_nid); if (eckey == NULL) @@ -433,6 +436,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, len); key->keydata.pkey = pkey; + key->key_size = len * 4; ret = ISC_R_SUCCESS; err: @@ -556,6 +560,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } key->keydata.pkey = pkey; + if (key->key_alg == DST_ALG_ECDSA256) + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + else + key->key_size = DNS_KEY_ECDSA384SIZE * 4; ret = ISC_R_SUCCESS; err: diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c index a7e728cff9e..09a5ec72f9d 100644 --- a/lib/dns/opensslgost_link.c +++ b/lib/dns/opensslgost_link.c @@ -196,6 +196,7 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) { DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; + key->key_size = EVP_PKEY_bits(pkey); EVP_PKEY_CTX_free(ctx); return (ISC_R_SUCCESS); @@ -281,6 +282,7 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) { return (dst__openssl_toresult2("d2i_PUBKEY", DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; + key->key_size = EVP_PKEY_bits(pkey); return (ISC_R_SUCCESS); }
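Review bot: The `* 4` factor in `key->key_size = DNS_KEY_ECDSA256SIZE * 4` is unexplained, and the same factor appears in the opensslecdsa_parse hunk (`DNS_KEY_ECDSA384SIZE * 4`) and as `len * 4` in the opensslecdsa_fromdns hunk; presumably the DNS_KEY_ECDSA*SIZE constants are the wire-format public-key length in octets holding both curve coordinates, so bits = octets * 8 / 2. A comment at this first site, `/* key_size is in bits; the DNS public key carries both coordinates, so bits = octets * 8 / 2 */`, would save the next reader from re-deriving it. A small static helper mapping key_alg to the size would also keep generate and parse from duplicating the if/else. opensslecdsa_generate continues outside the hunk.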
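Review bot: `key->key_size = len * 4` derives the size from the parsed length `len`, while the generate and parse hunks derive it from `key->key_alg`; if `len` is the algorithm-fixed constant selected earlier in opensslecdsa_fromdns (outside the hunk) the three agree, but if `len` were ever taken from the received buffer, key_size would reflect the record rather than the algorithm. Deriving it from `key->key_alg` here as well, or adding `/* len was fixed by key_alg above */`, makes the invariant explicit. The function continues outside the hunk.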
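Review bot: Both GOST hunks store `EVP_PKEY_bits(pkey)`, an `int` that OpenSSL may return as 0 for a key it cannot size, into `key->key_size` without a check, and nothing ties the result to the 256 that dnssec-keygen.c in this commit hard-codes for DST_ALG_ECCGOST, whereas the ECDSA hunks use the algorithm constant. Either use a constant here as well or document the expectation, e.g. `/* GOST R 34.10-2001 keys are 256 bits; EVP_PKEY_bits() is expected to agree */`. If this file has a private-key parse path that also constructs pkey, it is not touched by this commit and may need the same assignment; it is not visible here. Both functions continue outside their hunks.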