[master] fix keysizes in confgen

3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
			rndc-confgen were too constrained. Keys up to 512
			bits are now allowed for most algorithms, and up
			to 1024 bits for hmac-sha384 and hmac-sha512.
			[RT #32753]

diff --git a/CHANGES b/CHANGES
index ad6a717fd9027d91a4d255b6525986229a671649..9465e498c55cd83b3e01e4e4ffef9fc5cb8a9a96 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+3514.  [bug]           The ranges for valid key sizes in ddns-confgen and
+                       rndc-confgen were too constrained. Keys up to 512
+                       bits are now allowed for most algorithms, and up
+                       to 1024 bits for hmac-sha384 and hmac-sha512.
+                       [RT #32753]
+
 3513.  [func]          "dig -u" prints times in microseconds rather than
                        milliseconds. [RT #32704]
 

diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 787a93f1a7d818fda7f70f5d34ac692309fa0cdf..59096b57609fd494db51af452bec4781727b9a4e 100644 (file)
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -126,29 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 
        switch (alg) {
            case DST_ALG_HMACMD5:
-           case DST_ALG_HMACSHA512:
-               if (keysize < 1 || keysize > 512)
-                       fatal("keysize %d out of range (must be 1-512)\n",
-                             keysize);
-               break;
-           case DST_ALG_HMACSHA256:
-               if (keysize < 1 || keysize > 256)
-                       fatal("keysize %d out of range (must be 1-256)\n",
-                             keysize);
-               break;
            case DST_ALG_HMACSHA1:
-               if (keysize < 1 || keysize > 160)
-                       fatal("keysize %d out of range (must be 1-160)\n",
-                             keysize);
-               break;
            case DST_ALG_HMACSHA224:
-               if (keysize < 1 || keysize > 224)
-                       fatal("keysize %d out of range (must be 1-224)\n",
+           case DST_ALG_HMACSHA256:
+               if (keysize < 1 || keysize > 512)
+                       fatal("keysize %d out of range (must be 1-512)\n",
                              keysize);
                break;
            case DST_ALG_HMACSHA384:
-               if (keysize < 1 || keysize > 384)
-                       fatal("keysize %d out of range (must be 1-384)\n",
+           case DST_ALG_HMACSHA512:
+               if (keysize < 1 || keysize > 1024)
+                       fatal("keysize %d out of range (must be 1-1024)\n",
                              keysize);
                break;
            default:

diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index a9831b1867b3af427ada4d0cddddb3d7b2edfcc4..70639affb60ee96888b84d38ab5dbecb95cf8abd 100644 (file)
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -140,8 +140,6 @@ main(int argc, char **argv) {
                        keysize = strtol(isc_commandline_argument, &p, 10);
                        if (*p != '\0' || keysize < 0)
                                fatal("-b requires a non-negative number");
-                       if (keysize < 1 || keysize > 512)
-                               fatal("-b must be in the range 1 through 512");
                        break;
                case 'c':
                        keyfile = isc_commandline_argument;