if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
- if (alg == DST_ALG_DH) {
- options |= DST_TYPE_KEY;
- }
if (use_nsec3) {
switch (alg) {
}
}
- if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- alg == DNS_KEYALG_DH)
- {
- fatal("a key with algorithm '%s' cannot be a zone key",
- algname);
- }
-
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
char *algname;
char *nametype;
char *type;
- int generator;
int protocol;
int size;
int signatory;
fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
- fprintf(stderr, " ED25519 | ED448 | DH\n");
+ fprintf(stderr, " ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
- fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
- fprintf(stderr, " -g <generator>: use specified generator "
- "(DH only)\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
fatal("unsupported algorithm: %s", algstr);
}
- if (ctx->alg == DST_ALG_DH) {
- ctx->options |= DST_TYPE_KEY;
- }
-
if (ctx->use_nsec3) {
switch (ctx->alg) {
case DST_ALG_RSASHA1:
fatal("RSA key size %d out of range", ctx->size);
}
break;
- case DNS_KEYALG_DH:
- if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) {
- fatal("DH key size %d out of range", ctx->size);
- }
- break;
case DST_ALG_ECDSA256:
ctx->size = 256;
break;
break;
}
- if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) {
- fatal("specified DH generator for a non-DH key");
- }
-
if (ctx->nametype == NULL) {
if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
fatal("no nametype specified");
}
}
- if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- ctx->alg == DNS_KEYALG_DH)
- {
- fatal("a key with algorithm %s cannot be a zone key", algstr);
- }
-
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
show_progress = true;
break;
- case DNS_KEYALG_DH:
- param = ctx->generator;
- break;
-
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
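Review bot: The `switch (ctx->alg)` this hunk leaves behind still labels its first cases `DNS_KEYALG_RSASHA1` and `DNS_KEYALG_NSEC3RSASHA1`, while the cases immediately after the removed DH arm use `DST_ALG_ECDSA256`/`DST_ALG_ECDSA384`/`DST_ALG_ED25519`, and this same commit deletes the `DNS_KEYALG_*` defines from keyvalues.h (the hunk beginning at `#define DNS_KEYFLAG_RESERVEDMASK2`, whose tail is not visible here). Unless equivalents are reintroduced in that header, these context lines no longer compile; either way the labels should read `case DST_ALG_RSASHA1:` and `case DST_ALG_NSEC3RSASHA1:` so the switch uses one naming scheme, matching the size-range switch earlier in this hunk. The enclosing function starts and ends outside the hunk, so I cannot see whether the RSASHA256/RSASHA512 cases have the same problem.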
}
break;
case 'g':
- ctx.generator = strtol(isc_commandline_argument, &endp,
- 10);
- if (*endp != '\0' || ctx.generator <= 0) {
- fatal("-g requires a positive number");
- }
+ fprintf(stderr,
+ "phased-out option -e "
+ "(was 'use specified generator (DH only)')\n");
break;
case 'K':
ctx.directory = isc_commandline_argument;
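Review bot: The replacement message in `case 'g':` names the wrong option letter: it prints `phased-out option -e`, but this handler (and the help text it quotes, formerly the `-g <generator>` entry) is for `-g`, so a user passing `-g` is told that an unrelated option was phased out. Change the first fragment to `"phased-out option -g "`. The text looks as if it may have been copied from an existing `-e` handler, but that case is outside the hunk, so I cannot confirm it. The enclosing option switch and main() continue outside the hunk.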
This option selects the cryptographic algorithm. For DNSSEC keys, the value of
``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
- RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
- TKEY, the value must be DH (Diffie-Hellman); specifying this value
- automatically sets the :option:`-T KEY <-T>` option as well.
+ RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
uint16_t id, oldid;
uint32_t rid, roldid;
dns_secalg_t alg;
- char filename[NAME_MAX];
- isc_buffer_t fileb;
isc_stdtime_t now;
if (exact != NULL) {
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
- /*
- * For Diffie Hellman just check if there is a direct collision as
- * they can't be revoked. Additionally dns_dnssec_findmatchingkeys
- * only handles DNSKEY which is not used for HMAC.
- */
- if (alg == DST_ALG_DH) {
- isc_buffer_init(&fileb, filename, sizeof(filename));
- result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir,
- &fileb);
- if (result != ISC_R_SUCCESS) {
- return (true);
- }
- return (isc_file_exists(filename));
- }
-
ISC_LIST_INIT(matchkeys);
isc_stdtime_get(&now);
result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
tcp-listen-queue 10;\n\
tcp-receive-buffer 0;\n\
tcp-send-buffer 0;\n\
-# tkey-dhkey <none>\n\
# tkey-domain <none>\n\
# tkey-gssapi-credential <none>\n\
transfer-message-size 20480;\n\
static void
list_dnssec_algorithms(isc_buffer_t *b) {
for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
- if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
+ if (i == DST_ALG_GSSAPI ||
(i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
{
continue;
(*emit)(&b);
isc_buffer_init(&b, buf, sizeof(buf));
- isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s",
- (dst_algorithm_supported(DST_ALG_DH) &&
- dst_algorithm_supported(DST_ALG_HMACMD5))
- ? "yes"
- : "non");
+ isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no");
(*emit)(&b);
isc_buffer_init(&b, buf, sizeof(buf));
isc_result_t result;
dns_tkeyctx_t *tctx = NULL;
const char *s;
- uint32_t n;
dns_fixedname_t fname;
dns_name_t *name;
isc_buffer_t b;
const cfg_obj_t *obj;
- int type;
result = dns_tkeyctx_create(mctx, &tctx);
if (result != ISC_R_SUCCESS) {
return (result);
}
- obj = NULL;
- result = cfg_map_get(options, "tkey-dhkey", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
- isc_buffer_constinit(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- name = dns_fixedname_initname(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
- type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
- RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH,
- type, NULL, mctx, &tctx->dhkey));
- }
-
obj = NULL;
result = cfg_map_get(options, "tkey-domain", &obj);
if (result == ISC_R_SUCCESS) {
makejournal \
pipelined/pipequeries \
rndc/gencheck \
- rpz/dnsrps \
- tkey/keycreate \
- tkey/keydelete
+ rpz/dnsrps
feature_test_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(LDADD) \
$(LIBDNS_LIBS)
-tkey_keycreate_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(LIBDNS_CFLAGS)
-
-tkey_keycreate_LDADD = \
- $(LDADD) \
- $(LIBDNS_LIBS)
-
-tkey_keydelete_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(LIBDNS_CFLAGS)
-
-tkey_keydelete_LDADD = \
- $(LDADD) \
- $(LIBDNS_LIBS)
-
TESTS =
if HAVE_PERLMOD_TIME_HIRES
staticstub \
stub \
synthfromdnssec \
- tkey \
tools \
transport-acl \
tsig \
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
-# A NSEC zone with occuded data at the delegation
+# A NSEC zone with occluded data at the delegation
#
zone=occluded.example
infile=occluded.example.db.in
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
-keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-rm -f ./K*
-rm -f ./dig.out.*
-rm -f ./rndc.out.*
-rm -f ns*/K*
-rm -f ns*/_default.tsigkeys
-rm -f ns*/managed-keys.bind*
-rm -f ns*/named.conf
-rm -f ns*/named.conf-e
-rm -f ns*/named.lock
-rm -f ns*/named.memstats
-rm -f ns*/named.run
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/base64.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/loop.h>
-#include <isc/managers.h>
-#include <isc/mem.h>
-#include <isc/netmgr.h>
-#include <isc/nonce.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/dispatch.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-#define CHECK(str, x) \
- { \
- if ((x) != ISC_R_SUCCESS) { \
- fprintf(stderr, "I:%s: %s\n", (str), \
- isc_result_totext(x)); \
- exit(-1); \
- } \
- }
-
-#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
-
-#define TIMEOUT 30
-
-static char *ip_address = NULL;
-static int port = 0;
-
-static dst_key_t *ourkey = NULL;
-static isc_mem_t *mctx = NULL;
-static isc_loopmgr_t *loopmgr = NULL;
-static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL;
-static dns_tsig_keyring_t *ring = NULL;
-static unsigned char noncedata[16];
-static isc_buffer_t nonce;
-static dns_requestmgr_t *requestmgr = NULL;
-static const char *ownername_str = ".";
-
-static void
-recvquery(void *arg) {
- dns_request_t *request = (dns_request_t *)arg;
- dns_message_t *query = dns_request_getarg(request);
- dns_message_t *response = NULL;
- isc_result_t result;
- char keyname[256];
- isc_buffer_t keynamebuf;
- int type;
-
- result = dns_request_getresult(request);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "I:request event result: %s\n",
- isc_result_totext(result));
- exit(-1);
- }
-
- dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
-
- result = dns_request_getresponse(request, response,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- CHECK("dns_request_getresponse", result);
-
- if (response->rcode != dns_rcode_noerror) {
- result = dns_result_fromrcode(response->rcode);
- fprintf(stderr, "I:response rcode: %s\n",
- isc_result_totext(result));
- exit(-1);
- }
-
- result = dns_tkey_processdhresponse(query, response, ourkey, &nonce,
- &tsigkey, ring);
- CHECK("dns_tkey_processdhresponse", result);
-
- /*
- * Yes, this is a hack.
- */
- isc_buffer_init(&keynamebuf, keyname, sizeof(keyname));
- result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf);
- CHECK("dst_key_buildfilename", result);
- printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf),
- (char *)isc_buffer_base(&keynamebuf));
- type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY;
- result = dst_key_tofile(tsigkey->key, type, "");
- CHECK("dst_key_tofile", result);
-
- dns_message_detach(&query);
- dns_message_detach(&response);
- dns_request_destroy(&request);
- isc_loopmgr_shutdown(loopmgr);
-}
-
-static void
-sendquery(void *arg) {
- struct in_addr inaddr;
- isc_sockaddr_t address;
- isc_region_t r;
- isc_result_t result;
- dns_fixedname_t keyname;
- dns_fixedname_t ownername;
- isc_buffer_t namestr, keybuf;
- unsigned char keydata[9];
- dns_message_t *query = NULL;
- dns_request_t *request = NULL;
- static char keystr[] = "0123456789ab";
-
- UNUSED(arg);
-
- result = ISC_R_FAILURE;
- if (inet_pton(AF_INET, ip_address, &inaddr) != 1) {
- CHECK("inet_pton", result);
- }
- isc_sockaddr_fromin(&address, &inaddr, port);
-
- dns_fixedname_init(&keyname);
- isc_buffer_constinit(&namestr, "tkeytest.", 9);
- isc_buffer_add(&namestr, 9);
- result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL,
- 0, NULL);
- CHECK("dns_name_fromtext", result);
-
- dns_fixedname_init(&ownername);
- isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str));
- isc_buffer_add(&namestr, strlen(ownername_str));
- result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
- NULL, 0, NULL);
- CHECK("dns_name_fromtext", result);
-
- isc_buffer_init(&keybuf, keydata, 9);
- result = isc_base64_decodestring(keystr, &keybuf);
- CHECK("isc_base64_decodestring", result);
-
- isc_buffer_usedregion(&keybuf, &r);
-
- result = dns_tsigkey_create(
- dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME,
- isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false,
- NULL, 0, 0, mctx, ring, &initialkey);
- CHECK("dns_tsigkey_create", result);
-
- dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
-
- result = dns_tkey_builddhquery(query, ourkey,
- dns_fixedname_name(&ownername),
- DNS_TSIG_HMACMD5_NAME, &nonce, 3600);
- CHECK("dns_tkey_builddhquery", result);
-
- result = dns_request_create(requestmgr, query, NULL, &address, NULL,
- NULL, DNS_REQUESTOPT_TCP, initialkey,
- TIMEOUT, 0, 0, isc_loop_main(loopmgr),
- recvquery, query, &request);
- CHECK("dns_request_create", result);
-}
-
-int
-main(int argc, char *argv[]) {
- char *ourkeyname = NULL;
- isc_nm_t *netmgr = NULL;
- isc_sockaddr_t bind_any;
- dns_dispatchmgr_t *dispatchmgr = NULL;
- dns_dispatch_t *dispatchv4 = NULL;
- dns_view_t *view = NULL;
- dns_tkeyctx_t *tctx = NULL;
- isc_log_t *log = NULL;
- isc_logconfig_t *logconfig = NULL;
- isc_result_t result;
- int type;
-
- if (argc < 4) {
- fprintf(stderr, "I:no DH key provided\n");
- exit(-1);
- }
- ip_address = argv[1];
- port = atoi(argv[2]);
- ourkeyname = argv[3];
-
- if (argc >= 5) {
- ownername_str = argv[4];
- }
-
- isc_mem_debugging = ISC_MEM_DEBUGRECORD;
-
- isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
-
- isc_log_create(mctx, &log, &logconfig);
-
- RUNCHECK(dst_lib_init(mctx, NULL));
-
- RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr));
-
- isc_sockaddr_any(&bind_any);
- RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4));
- RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL,
- &requestmgr));
-
- RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
- RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
-
- RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
- dns_view_setkeyring(view, ring);
- dns_tsigkeyring_detach(&ring);
-
- type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
- result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey);
- CHECK("dst_key_fromnamedfile", result);
-
- isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
- isc_nonce_buf(noncedata, sizeof(noncedata));
- isc_buffer_add(&nonce, sizeof(noncedata));
-
- isc_loopmgr_setup(loopmgr, sendquery, NULL);
- isc_loopmgr_run(loopmgr);
-
- dns_requestmgr_shutdown(requestmgr);
- dns_requestmgr_detach(&requestmgr);
- dns_dispatch_detach(&dispatchv4);
- dns_dispatchmgr_detach(&dispatchmgr);
-
- dst_key_free(&ourkey);
- dns_tsigkey_detach(&initialkey);
- dns_tsigkey_detach(&tsigkey);
-
- dns_tkeyctx_destroy(&tctx);
-
- dns_view_detach(&view);
-
- isc_log_destroy(&log);
-
- dst_lib_destroy();
-
- isc_managers_destroy(&mctx, &loopmgr, &netmgr);
-
- return (0);
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/base64.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/loop.h>
-#include <isc/managers.h>
-#include <isc/mem.h>
-#include <isc/netmgr.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/dispatch.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-#define CHECK(str, x) \
- { \
- if ((x) != ISC_R_SUCCESS) { \
- fprintf(stderr, "I:%s: %s\n", (str), \
- isc_result_totext(x)); \
- exit(-1); \
- } \
- }
-
-#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
-
-#define TIMEOUT 30
-
-static char *ip_address = NULL;
-static int port;
-static isc_mem_t *mctx = NULL;
-static isc_loopmgr_t *loopmgr = NULL;
-static dns_tsigkey_t *tsigkey = NULL;
-static dns_tsig_keyring_t *ring = NULL;
-static dns_requestmgr_t *requestmgr = NULL;
-
-static void
-recvquery(void *arg) {
- isc_result_t result;
- dns_request_t *request = (dns_request_t *)arg;
- dns_message_t *query = dns_request_getarg(request);
- dns_message_t *response = NULL;
-
- result = dns_request_getresult(request);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "I:request event result: %s\n",
- isc_result_totext(result));
- exit(-1);
- }
-
- dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
-
- result = dns_request_getresponse(request, response,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- CHECK("dns_request_getresponse", result);
-
- if (response->rcode != dns_rcode_noerror) {
- result = dns_result_fromrcode(response->rcode);
- fprintf(stderr, "I:response rcode: %s\n",
- isc_result_totext(result));
- exit(-1);
- }
-
- result = dns_tkey_processdeleteresponse(query, response, ring);
- CHECK("dns_tkey_processdhresponse", result);
-
- dns_message_detach(&query);
- dns_message_detach(&response);
- dns_request_destroy(&request);
- isc_loopmgr_shutdown(loopmgr);
-}
-
-static void
-sendquery(void *arg) {
- struct in_addr inaddr;
- isc_sockaddr_t address;
- isc_result_t result;
- dns_message_t *query = NULL;
- dns_request_t *request = NULL;
-
- UNUSED(arg);
-
- result = ISC_R_FAILURE;
- if (inet_pton(AF_INET, ip_address, &inaddr) != 1) {
- CHECK("inet_pton", result);
- }
- isc_sockaddr_fromin(&address, &inaddr, port);
-
- dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
-
- result = dns_tkey_builddeletequery(query, tsigkey);
- CHECK("dns_tkey_builddeletequery", result);
-
- result = dns_request_create(requestmgr, query, NULL, &address, NULL,
- NULL, DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT,
- 0, 0, isc_loop_main(loopmgr), recvquery,
- query, &request);
- CHECK("dns_request_create", result);
-}
-
-int
-main(int argc, char **argv) {
- char *keyname = NULL;
- isc_nm_t *netmgr = NULL;
- isc_sockaddr_t bind_any;
- dns_dispatchmgr_t *dispatchmgr = NULL;
- dns_dispatch_t *dispatchv4 = NULL;
- dns_view_t *view = NULL;
- dns_tkeyctx_t *tctx = NULL;
- dst_key_t *dstkey = NULL;
- isc_log_t *log = NULL;
- isc_logconfig_t *logconfig = NULL;
- isc_result_t result;
- int type;
-
- if (argc < 4) {
- fprintf(stderr, "I:no key to delete\n");
- exit(-1);
- }
- if (strcmp(argv[1], "-r") == 0) {
- fprintf(stderr, "I:The -r options has been deprecated\n");
- exit(-1);
- }
- ip_address = argv[1];
- port = atoi(argv[2]);
- keyname = argv[3];
-
- isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
-
- isc_log_create(mctx, &log, &logconfig);
-
- RUNCHECK(dst_lib_init(mctx, NULL));
-
- RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr));
- isc_sockaddr_any(&bind_any);
- RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4));
- RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL,
- &requestmgr));
-
- RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
- RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
-
- RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
- dns_view_setkeyring(view, ring);
-
- type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
- result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
- CHECK("dst_key_fromnamedfile", result);
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- DNS_TSIG_HMACMD5_NAME, dstkey, true,
- NULL, 0, 0, mctx, ring, &tsigkey);
- dst_key_free(&dstkey);
- CHECK("dns_tsigkey_createfromkey", result);
-
- isc_loopmgr_setup(loopmgr, sendquery, NULL);
- isc_loopmgr_run(loopmgr);
-
- dns_requestmgr_shutdown(requestmgr);
- dns_requestmgr_detach(&requestmgr);
- dns_dispatch_detach(&dispatchv4);
- dns_dispatchmgr_detach(&dispatchmgr);
-
- dns_tsigkeyring_detach(&ring);
-
- dns_tsigkey_detach(&tsigkey);
-
- dns_tkeyctx_destroy(&tctx);
-
- dns_view_detach(&view);
-
- isc_log_destroy(&log);
-
- dst_lib_destroy();
-
- isc_managers_destroy(&mctx, &loopmgr, &netmgr);
-
- return (0);
-}
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 1D
-
-@ IN SOA ns hostmaster (
- 1
- 3600
- 1800
- 1814400
- 3
- )
- NS ns
-ns A 10.53.0.1
-mx MX 10 mail
-a A 10.53.0.1
- A 10.53.0.2
-txt TXT "this is text"
-
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify no;
- tkey-domain "server";
- tkey-dhkey "server" KEYID;
- allow-query-cache { any; };
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-key "tkeytest." {
- algorithm hmac-md5;
- secret "0123456789ab";
-};
-
-zone example {
- type primary;
- file "example.db";
- allow-query { key tkeytest.; none; };
-};
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../../conf.sh
-
-keyname=$($KEYGEN -T KEY -a DH -b 768 -n host server)
-keyid=$(keyfile_to_key_id "$keyname")
-sed -i -e "s;KEYID;$keyid;" named.conf
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf
-
-cd ns1 && $SHELL setup.sh
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-dig_with_opts() {
- "$DIG" @10.53.0.1 -p "$PORT" "$@"
-}
-
-status=0
-n=1
-
-echo_i "generating new DH key ($n)"
-ret=0
-dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
- status=$((status+ret))
- echo_i "exit status: $status"
- exit $status
-fi
-status=$((status+ret))
-n=$((n+1))
-
-for owner in . foo.example.
-do
- echo_i "creating new key using owner name \"$owner\" ($n)"
- ret=0
- keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1
- if [ $ret != 0 ]; then
- echo_i "failed"
- status=$((status+ret))
- echo_i "exit status: $status"
- exit $status
- fi
- status=$((status+ret))
- n=$((n+1))
-
- echo_i "checking the new key ($n)"
- ret=0
- dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1
- grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
- grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1
- grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1
- if [ $ret != 0 ]; then
- echo_i "failed"
- fi
- status=$((status+ret))
- n=$((n+1))
-
- echo_i "deleting new key ($n)"
- ret=0
- $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1
- if [ $ret != 0 ]; then
- echo_i "failed"
- fi
- status=$((status+ret))
- n=$((n+1))
-
- echo_i "checking that new key has been deleted ($n)"
- ret=0
- dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1
- grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
- grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null && ret=1
- grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1
- if [ $ret != 0 ]; then
- echo_i "failed"
- fi
- status=$((status+ret))
- n=$((n+1))
-done
-
-echo_i "creating new key using owner name bar.example. ($n)"
-ret=0
-keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
- status=$((status+ret))
- echo_i "exit status: $status"
- exit $status
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "checking the key with 'rndc tsig-list' ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
-grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "using key in a request ($n)"
-ret=0
-dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "deleting the key with 'rndc tsig-delete' ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
-grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1
-dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
-grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "recreating the bar.example. key ($n)"
-ret=0
-keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
- status=$((status+ret))
- echo_i "exit status: $status"
- exit $status
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "checking the new key with 'rndc tsig-list' ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
-grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "using the new key in a request ($n)"
-ret=0
-dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then
- echo_i "failed"
-fi
-status=$((status+ret))
-n=$((n+1))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
-AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
+AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
this variable must be defined, unless a specific keytab
is specified using :any:`tkey-gssapi-keytab`.
-.. namedconf:statement:: tkey-dhkey
- :tags: security
- :short: Sets the Diffie-Hellman key used by the server to generate shared keys.
-
- This is the Diffie-Hellman key used by the server to generate shared keys
- with clients using the Diffie-Hellman mode of ``TKEY``. The server
- must be able to load the public and private keys from files in the
- working directory. In most cases, the ``key_name`` should be the
- server's host name.
-
.. namedconf:statement:: dump-file
:tags: logging
:short: Indicates the pathname of the file where the server dumps the database after :option:`rndc dumpdb`.
tcp-listen-queue <integer>;
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
- tkey-dhkey <quoted_string> <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
tkey-gssapi-keytab <quoted_string>;
openssl_link.c \
openssl_shim.c \
openssl_shim.h \
- openssldh_link.c \
opensslecdsa_link.c \
openssleddsa_link.c \
opensslrsa_link.c \
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
- case DST_ALG_DH:
if (result == DST_R_BADKEYTYPE) {
continue;
}
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
RETERR(dst__openssl_init(engine));
- RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_GSSAPI:
*n = 128; /*%< XXX */
break;
- case DST_ALG_DH:
default:
return (DST_R_UNSUPPORTEDALG);
}
return (ISC_R_SUCCESS);
}
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
- REQUIRE(dst_initialized);
- REQUIRE(VALID_KEY(key));
- REQUIRE(n != NULL);
-
- if (key->key_alg == DST_ALG_DH) {
- *n = (key->key_size + 7) / 8;
- return (ISC_R_SUCCESS);
- }
- return (DST_R_UNSUPPORTEDALG);
-}
-
/*%
* Set the flags on a key, then recompute the key ID
*/
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
- case DST_ALG_DH:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
#include <inttypes.h>
#include <stdbool.h>
-#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
union {
void *generic;
dns_gss_ctx_id_t gssctx;
- DH *dh;
dst_hmac_key_t *hmac_key;
EVP_PKEY *pkey;
struct {
isc_result_t
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
-dst__openssldh_init(struct dst_func **funcp);
-isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
dst__opensslecdsa_init(struct dst_func **funcp);
{ TAG_RSA_ENGINE, "Engine:" },
{ TAG_RSA_LABEL, "Label:" },
- { TAG_DH_PRIME, "Prime(p):" },
- { TAG_DH_GENERATOR, "Generator(g):" },
- { TAG_DH_PRIVATE, "Private_value(x):" },
- { TAG_DH_PUBLIC, "Public_value(y):" },
-
{ TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
{ TAG_ECDSA_ENGINE, "Engine:" },
{ TAG_ECDSA_LABEL, "Label:" },
return (ok ? 0 : -1);
}
-static int
-check_dh(const dst_private_t *priv) {
- int i, j;
- if (priv->nelements != DH_NTAGS) {
- return (-1);
- }
- for (i = 0; i < DH_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++) {
- if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) {
- break;
- }
- }
- if (j == priv->nelements) {
- return (-1);
- }
- }
- return (0);
-}
-
static int
check_ecdsa(const dst_private_t *priv, bool external) {
int i, j;
static int
check_data(const dst_private_t *priv, const unsigned int alg, bool old,
bool external) {
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
case DST_ALG_RSA:
case DST_ALG_RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
return (check_rsa(priv, external));
- case DST_ALG_DH:
- return (check_dh(priv));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key));
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
- case DST_ALG_DH:
- fprintf(fp, "(DH)\n");
- break;
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;
#define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8)
#define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9)
-#define DH_NTAGS 4
-#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
-#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1)
-#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
-#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
-
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
-#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
-#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
-#define DNS_KEYALG_NSEC3DSA 6
-#define DNS_KEYALG_DSS DNS_ALG_DSA
-#define DNS_KEYALG_ECC 4
-#define DNS_KEYALG_RSASHA1 5
-#define DNS_KEYALG_NSEC3RSASHA1 7
-#define DNS_KEYALG_RSASHA256 8
-#define DNS_KEYALG_RSASHA512 10
-#define DNS_KEYALG_ECCGOST 12
-#define DNS_KEYALG_ECDSA256 13
-#define DNS_KEYALG_ECDSA384 14
-#define DNS_KEYALG_ED25519 15
-#define DNS_KEYALG_ED448 16
-#define DNS_KEYALG_INDIRECT 252
-#define DNS_KEYALG_PRIVATEDNS 253
-#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
-#define DNS_KEYALG_MAX 255
+#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
+#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
+#define DNS_KEYALG_DH_DEPRECATED 2 /*%< deprecated */
+#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
+#define DNS_KEYALG_NSEC3DSA 6
+#define DNS_KEYALG_DSS DNS_ALG_DSA
+#define DNS_KEYALG_ECC 4
+#define DNS_KEYALG_RSASHA1 5
+#define DNS_KEYALG_NSEC3RSASHA1 7
+#define DNS_KEYALG_RSASHA256 8
+#define DNS_KEYALG_RSASHA512 10
+#define DNS_KEYALG_ECCGOST 12
+#define DNS_KEYALG_ECDSA256 13
+#define DNS_KEYALG_ECDSA384 14
+#define DNS_KEYALG_ED25519 15
+#define DNS_KEYALG_ED448 16
+#define DNS_KEYALG_INDIRECT 252
+#define DNS_KEYALG_PRIVATEDNS 253
+#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
+#define DNS_KEYALG_MAX 255
/* Protocol values */
#define DNS_KEYPROTO_RESERVED 0
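Review bot: The new comment on `DNS_KEYALG_DH_DEPRECATED` (L1236) says only "deprecated" and drops the information that value 2 is the Diffie-Hellman KEY algorithm number, which is what tells a later maintainer that the value is reserved and must not be reused; suggest `#define DNS_KEYALG_DH_DEPRECATED 2 /*%< Diffie Hellman KEY; support removed, value stays reserved */`. The same wire value is handled differently in the dst.h hunk, where L1326 keeps the old name `DST_ALG_DH = 2, /* Deprecated */` — the two headers should use the same naming scheme for the retired algorithm, or the dst.h comment should at least point at this define. Since the whole block is being rewritten, L1239 `#define DNS_KEYALG_DSS DNS_ALG_DSA` is worth a look too: it refers to a `DNS_ALG_DSA` name that does not appear in this header as shown, and if the define is unused this is the natural point to drop it or correct it to `DNS_KEYALG_DSA`.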
#define DNS_TKEYMODE_DELETE 5
struct dns_tkeyctx {
- dst_key_t *dhkey;
dns_name_t *domain;
dns_gss_cred_id_t gsscred;
isc_mem_t *mctx;
*\li other An error occurred while processing the message
*/
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
- const dns_name_t *name, const dns_name_t *algorithm,
- isc_buffer_t *nonce, uint32_t lifetime);
-/*%<
- * Builds a query containing a TKEY that will generate a shared
- * secret using a Diffie-Hellman key exchange. The shared key
- * will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
- * is supported), and will be named either 'name',
- * 'name' + server chosen domain, or random data + server chosen domain
- * if 'name' == dns_rootname. If nonce is not NULL, it supplies
- * random data used in the shared secret computation. The key is
- * requested to have the specified lifetime (in seconds)
- *
- *
- * Requires:
- *\li 'msg' is a valid message
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'name' is a valid name
- *\li 'algorithm' is a valid name
- *
- * Returns:
- *\li #ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- *\li other an error occurred while building the message
- */
-
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
*\li other an error occurred while building the message
*/
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*%<
- * Processes a response to a query containing a TKEY that was
- * designed to generate a shared secret using a Diffie-Hellman key
- * exchange. If the query was successful, a new shared key
- * is created and added to the list of shared keys.
- *
- * Requires:
- *\li 'qmsg' is a valid message (the query)
- *\li 'rmsg' is a valid message (the response)
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'outkey' is either NULL or a pointer to NULL
- *\li 'ring' is a valid keyring or NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS the shared key was successfully added
- *\li #ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *gname, dns_gss_ctx_id_t *context,
DST_ALG_UNKNOWN = 0,
DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
DST_ALG_RSAMD5 = 1,
- DST_ALG_DH = 2,
+ DST_ALG_DH = 2, /* Deprecated */
DST_ALG_DSA = 3,
DST_ALG_ECC = 4,
DST_ALG_RSASHA1 = 5,
*\li "n" stores the size of a generated signature
*/
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*%<
- * Computes the size of a shared secret generated by the given key.
- *
- * Requires:
- *\li "key" is a valid key.
- *\li "n" is not NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS
- *\li DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- *\li "n" stores the size of a generated shared secret
- */
-
uint16_t
dst_region_computeid(const isc_region_t *source);
uint16_t
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
- dnskey.algorithm == DST_ALG_DH ||
dnskey.algorithm == DST_ALG_DSA ||
dnskey.algorithm == DST_ALG_RSASHA1)
{
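Review bot: Dropping `dnskey.algorithm == DST_ALG_DH ||` from the condition at L1353-L1356 changes how a DNSKEY record carrying algorithm 2 is treated, because the enumerator still exists (L1326) and such records can presumably still be read from zone data or the wire; whether the new treatment is the intended one depends on the if/else bodies, which lie outside the hunk. If the list is meant to name algorithms that get special handling (for example being skipped or logged), a DH key now silently takes the other path, so please confirm that path rejects it as unsupported rather than attempting to use it. A short comment above the `if` would record the decision for the next reader: `/* DH (algorithm 2) is deliberately absent: DH support was removed. */`.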
}
#endif /* !HAVE_ECDSA_SIG_GET0 */
-#if !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
-/*
- * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
- * are from OpenSSL 1.1.0.
- */
-void
-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
- if (pub_key != NULL) {
- *pub_key = dh->pub_key;
- }
- if (priv_key != NULL) {
- *priv_key = dh->priv_key;
- }
-}
-
-int
-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
- if (pub_key != NULL) {
- BN_free(dh->pub_key);
- dh->pub_key = pub_key;
- }
-
- if (priv_key != NULL) {
- BN_free(dh->priv_key);
- dh->priv_key = priv_key;
- }
-
- return (1);
-}
-
-void
-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
- const BIGNUM **g) {
- if (p != NULL) {
- *p = dh->p;
- }
- if (q != NULL) {
- *q = dh->q;
- }
- if (g != NULL) {
- *g = dh->g;
- }
-}
-
-int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
- /* If the fields p and g in d are NULL, the corresponding input
- * parameters MUST be non-NULL. q may remain NULL.
- */
- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) {
- return (0);
- }
-
- if (p != NULL) {
- BN_free(dh->p);
- dh->p = p;
- }
- if (q != NULL) {
- BN_free(dh->q);
- dh->q = q;
- }
- if (g != NULL) {
- BN_free(dh->g);
- dh->g = g;
- }
-
- if (q != NULL) {
- dh->length = BN_num_bits(q);
- }
-
- return (1);
-}
-#endif /* !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
-
#if !HAVE_ERR_GET_ERROR_ALL
static const char err_empty_string = '\0';
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
#endif /* !HAVE_ECDSA_SIG_GET0 */
-#if !HAVE_DH_GET0_KEY
-void
-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-
-int
-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-
-void
-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
-
-int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* !HAVE_DH_GET0_KEY */
-
#if !HAVE_ERR_GET_ERROR_ALL
unsigned long
ERR_get_error_all(const char **file, int *line, const char **func,
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0 AND ISC
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*
- * Copyright (C) Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#include <ctype.h>
-#include <inttypes.h>
-#include <stdbool.h>
-
-#include <openssl/bn.h>
-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/core_names.h>
-#endif
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/param_build.h>
-#endif
-#include <openssl/dh.h>
-
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-#include "openssl_shim.h"
-
-#define PRIME2 "02"
-
-#define PRIME768 \
- "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
- "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
- "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFF" \
- "F"
-
-#define PRIME1024 \
- "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
- "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
- "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
- "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
-
-#define PRIME1536 \
- "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
- "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
- "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
- "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
- "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
- "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
- "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
-
-static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
-
-static isc_result_t
-openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_t *secret) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dhpub, *dhpriv;
- const BIGNUM *pub_key = NULL;
- int secret_len = 0;
-#else
- EVP_PKEY_CTX *ctx = NULL;
- EVP_PKEY *dhpub, *dhpriv;
- size_t secret_len = 0;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- isc_region_t r;
- unsigned int len;
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- REQUIRE(pub->keydata.dh != NULL);
- REQUIRE(priv->keydata.dh != NULL);
-
- dhpub = pub->keydata.dh;
- dhpriv = priv->keydata.dh;
-
- len = DH_size(dhpriv);
-#else
- REQUIRE(pub->keydata.pkey != NULL);
- REQUIRE(priv->keydata.pkey != NULL);
-
- dhpub = pub->keydata.pkey;
- dhpriv = priv->keydata.pkey;
-
- len = EVP_PKEY_get_size(dhpriv);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- isc_buffer_availableregion(secret, &r);
- if (r.length < len) {
- return (ISC_R_NOSPACE);
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH_get0_key(dhpub, &pub_key, NULL);
- secret_len = DH_compute_key(r.base, pub_key, dhpriv);
- if (secret_len <= 0) {
- return (dst__openssl_toresult2("DH_compute_key",
- DST_R_COMPUTESECRETFAILURE));
- }
-#else
- ctx = EVP_PKEY_CTX_new_from_pkey(NULL, dhpriv, NULL);
- if (ctx == NULL) {
- return (dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_derive_init(ctx) != 1) {
- EVP_PKEY_CTX_free(ctx);
- return (dst__openssl_toresult2("EVP_PKEY_derive_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_derive_set_peer(ctx, dhpub) != 1) {
- EVP_PKEY_CTX_free(ctx);
- return (dst__openssl_toresult2("EVP_PKEY_derive_set_peer",
- DST_R_OPENSSLFAILURE));
- }
- secret_len = r.length;
- if (EVP_PKEY_derive(ctx, r.base, &secret_len) != 1 || secret_len == 0) {
- EVP_PKEY_CTX_free(ctx);
- return (dst__openssl_toresult2("EVP_PKEY_derive",
- DST_R_COMPUTESECRETFAILURE));
- }
- EVP_PKEY_CTX_free(ctx);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- isc_buffer_add(secret, (unsigned int)secret_len);
-
- return (ISC_R_SUCCESS);
-}
-
-static bool
-openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- bool ret = true;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh1, *dh2;
- const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
- const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
- const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#else
- EVP_PKEY *pkey1, *pkey2;
- BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
- BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
- BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- dh1 = key1->keydata.dh;
- dh2 = key2->keydata.dh;
-
- if (dh1 == NULL && dh2 == NULL) {
- return (true);
- } else if (dh1 == NULL || dh2 == NULL) {
- return (false);
- }
-
- DH_get0_key(dh1, &pub_key1, &priv_key1);
- DH_get0_key(dh2, &pub_key2, &priv_key2);
- DH_get0_pqg(dh1, &p1, NULL, &g1);
- DH_get0_pqg(dh2, &p2, NULL, &g2);
-#else
- pkey1 = key1->keydata.pkey;
- pkey2 = key2->keydata.pkey;
-
- if (pkey1 == NULL && pkey2 == NULL) {
- return (true);
- } else if (pkey1 == NULL || pkey2 == NULL) {
- return (false);
- }
-
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PUB_KEY, &pub_key1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/
-
- if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
- BN_cmp(pub_key1, pub_key2) != 0)
- {
- DST_RET(false);
- }
-
- if (priv_key1 != NULL || priv_key2 != NULL) {
- if (priv_key1 == NULL || priv_key2 == NULL ||
- BN_cmp(priv_key1, priv_key2) != 0)
- {
- DST_RET(false);
- }
- }
-
-err:
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
- if (p1 != NULL) {
- BN_free(p1);
- }
- if (p2 != NULL) {
- BN_free(p2);
- }
- if (g1 != NULL) {
- BN_free(g1);
- }
- if (g2 != NULL) {
- BN_free(g2);
- }
- if (pub_key1 != NULL) {
- BN_free(pub_key1);
- }
- if (pub_key2 != NULL) {
- BN_free(pub_key2);
- }
- if (priv_key1 != NULL) {
- BN_clear_free(priv_key1);
- }
- if (priv_key2 != NULL) {
- BN_clear_free(priv_key2);
- }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
- */
-
- return (ret);
-}
-
-static bool
-openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- bool ret = true;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh1, *dh2;
- const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#else
- EVP_PKEY *pkey1, *pkey2;
- BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- dh1 = key1->keydata.dh;
- dh2 = key2->keydata.dh;
-
- if (dh1 == NULL && dh2 == NULL) {
- return (true);
- } else if (dh1 == NULL || dh2 == NULL) {
- return (false);
- }
-
- DH_get0_pqg(dh1, &p1, NULL, &g1);
- DH_get0_pqg(dh2, &p2, NULL, &g2);
-#else
- pkey1 = key1->keydata.pkey;
- pkey2 = key2->keydata.pkey;
-
- if (pkey1 == NULL && pkey2 == NULL) {
- return (true);
- } else if (pkey1 == NULL || pkey2 == NULL) {
- return (false);
- }
-
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
- EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
- EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
- DST_RET(false);
- }
-
-err:
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
- if (p1 != NULL) {
- BN_free(p1);
- }
- if (p2 != NULL) {
- BN_free(p2);
- }
- if (g1 != NULL) {
- BN_free(g1);
- }
- if (g2 != NULL) {
- BN_free(g2);
- }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
- */
-
- return (ret);
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
-static int
-progress_cb(int p, int n, BN_GENCB *cb) {
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
-
- UNUSED(n);
-
- u.dptr = BN_GENCB_get_arg(cb);
- if (u.fptr != NULL) {
- u.fptr(p);
- }
- return (1);
-}
-#else
-static int
-progress_cb(EVP_PKEY_CTX *ctx) {
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
-
- u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
- if (u.fptr != NULL) {
- int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
- u.fptr(p);
- }
- return (1);
-}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
-static isc_result_t
-openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
- isc_result_t ret;
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
- BIGNUM *p = NULL, *g = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh = NULL;
- BN_GENCB *cb = NULL;
-#else
- OSSL_PARAM_BLD *bld = NULL;
- OSSL_PARAM *params = NULL;
- EVP_PKEY_CTX *param_ctx = NULL;
- EVP_PKEY_CTX *ctx = NULL;
- EVP_PKEY *param_pkey = NULL;
- EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- dh = DH_new();
- if (dh == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
-#else
- bld = OSSL_PARAM_BLD_new();
- if (bld == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- param_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
- if (param_ctx == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- if (generator == 0) {
- /*
- * When `generator` is 0, we have three pre-computed `p` and `g`
- * static parameters which we can use.
- */
- if (key->key_size == 768 || key->key_size == 1024 ||
- key->key_size == 1536)
- {
- if (key->key_size == 768) {
- p = BN_dup(bn768);
- } else if (key->key_size == 1024) {
- p = BN_dup(bn1024);
- } else {
- p = BN_dup(bn1536);
- }
- g = BN_dup(bn2);
- if (p == NULL || g == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (DH_set0_pqg(dh, p, NULL, g) != 1) {
- DST_RET(dst__openssl_toresult2(
- "DH_set0_pqg", DST_R_OPENSSLFAILURE));
- }
-#else
- if (OSSL_PARAM_BLD_push_uint(bld,
- OSSL_PKEY_PARAM_FFC_PBITS,
- key->key_size) != 1)
- {
- DST_RET(dst__openssl_toresult2(
- "OSSL_PARAM_BLD_push_uint",
- DST_R_OPENSSLFAILURE));
- }
- if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P,
- p) != 1 ||
- OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G,
- g) != 1)
- {
- DST_RET(dst__openssl_toresult2(
- "OSSL_PARAM_BLD_push_BN",
- DST_R_OPENSSLFAILURE));
- }
- params = OSSL_PARAM_BLD_to_param(bld);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- } else {
- /*
- * If the requested size is not present in our
- * pre-computed set, we will use `generator` 2 to
- * generate new parameters.
- */
- generator = 2;
- }
- }
-
- if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (callback != NULL) {
- cb = BN_GENCB_new();
- if (cb == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
- u.fptr = callback;
- BN_GENCB_set(cb, progress_cb, u.dptr);
- }
-
- if (!DH_generate_parameters_ex(dh, key->key_size, generator,
- cb))
- {
- DST_RET(dst__openssl_toresult2("DH_generate_parameters_"
- "ex",
- DST_R_OPENSSLFAILURE));
- }
-#else
- if (OSSL_PARAM_BLD_push_int(bld, OSSL_PKEY_PARAM_DH_GENERATOR,
- generator) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_"
- "int",
- DST_R_OPENSSLFAILURE));
- }
- if (OSSL_PARAM_BLD_push_utf8_string(
- bld, OSSL_PKEY_PARAM_FFC_TYPE, "generator", 0) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_"
- "utf8_string",
- DST_R_OPENSSLFAILURE));
- }
- if (OSSL_PARAM_BLD_push_uint(bld, OSSL_PKEY_PARAM_FFC_PBITS,
- key->key_size) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_"
- "uint",
- DST_R_OPENSSLFAILURE));
- }
- params = OSSL_PARAM_BLD_to_param(bld);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (DH_generate_key(dh) == 0) {
- DST_RET(dst__openssl_toresult2("DH_generate_key",
- DST_R_OPENSSLFAILURE));
- }
- key->keydata.dh = dh;
- dh = NULL;
-#else
- if (params == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-
- if (generator == 0) {
- if (EVP_PKEY_fromdata_init(param_ctx) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_fromdata(param_ctx, ¶m_pkey,
- OSSL_KEYMGMT_SELECT_ALL, params) != 1 ||
- param_pkey == NULL)
- {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
- DST_R_OPENSSLFAILURE));
- }
- } else {
- if (EVP_PKEY_paramgen_init(param_ctx) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_CTX_set_params(param_ctx, params) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_set_"
- "params",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_paramgen(param_ctx, ¶m_pkey) != 1 ||
- param_pkey == NULL)
- {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen",
- DST_R_OPENSSLFAILURE));
- }
- }
-
- /*
- * Now `param_pkey` holds the DH parameters (either pre-coumputed or
- * newly generated) so we will generate a new public/private key-pair
- * using those parameters and put it into `pkey`.
- */
- ctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_pkey, NULL);
- if (ctx == NULL) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey",
- DST_R_OPENSSLFAILURE));
- }
- if (callback != NULL) {
- u.fptr = callback;
- EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
- EVP_PKEY_CTX_set_cb(ctx, progress_cb);
- }
- if (EVP_PKEY_keygen_init(ctx) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_keygen(ctx, &pkey) != 1 || pkey == NULL) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
- DST_R_OPENSSLFAILURE));
- }
-
- key->keydata.pkey = pkey;
- pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- ret = ISC_R_SUCCESS;
-
-err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (dh != NULL) {
- DH_free(dh);
- }
- if (cb != NULL) {
- BN_GENCB_free(cb);
- }
-#else
- if (param_pkey != NULL) {
- EVP_PKEY_free(param_pkey);
- }
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
- if (param_ctx != NULL) {
- EVP_PKEY_CTX_free(param_ctx);
- }
- if (ctx != NULL) {
- EVP_PKEY_CTX_free(ctx);
- }
- if (params != NULL) {
- OSSL_PARAM_free(params);
- }
- if (bld != NULL) {
- OSSL_PARAM_BLD_free(bld);
- }
- if (p != NULL) {
- BN_free(p);
- }
- if (g != NULL) {
- BN_free(g);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- return (ret);
-}
-
-static bool
-openssldh_isprivate(const dst_key_t *key) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh = key->keydata.dh;
- const BIGNUM *priv_key = NULL;
-
- DH_get0_key(dh, NULL, &priv_key);
-
- return (dh != NULL && priv_key != NULL);
-#else
- bool ret;
- EVP_PKEY *pkey;
- BIGNUM *priv_key = NULL;
-
- pkey = key->keydata.pkey;
- if (pkey == NULL) {
- return (false);
- }
-
- ret = (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
- &priv_key) == 1 &&
- priv_key != NULL);
- if (priv_key != NULL) {
- BN_clear_free(priv_key);
- }
-
- return (ret);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-}
-
-static void
-openssldh_destroy(dst_key_t *key) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh = key->keydata.dh;
-
- if (dh == NULL) {
- return;
- }
-
- DH_free(dh);
- key->keydata.dh = NULL;
-#else
- EVP_PKEY *pkey = key->keydata.pkey;
-
- if (pkey == NULL) {
- return;
- }
-
- EVP_PKEY_free(pkey);
- key->keydata.pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-}
-
-static void
-uint16_toregion(uint16_t val, isc_region_t *region) {
- *region->base = (val & 0xff00) >> 8;
- isc_region_consume(region, 1);
- *region->base = (val & 0x00ff);
- isc_region_consume(region, 1);
-}
-
-static uint16_t
-uint16_fromregion(isc_region_t *region) {
- uint16_t val;
- unsigned char *cp = region->base;
-
- val = ((unsigned int)(cp[0])) << 8;
- val |= ((unsigned int)(cp[1]));
-
- isc_region_consume(region, 2);
-
- return (val);
-}
-
-static isc_result_t
-openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- isc_result_t ret = ISC_R_SUCCESS;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh;
- const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
-#else
- EVP_PKEY *pkey;
- BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- isc_region_t r;
- uint16_t dnslen, plen, glen, publen;
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- REQUIRE(key->keydata.dh != NULL);
-
- dh = key->keydata.dh;
- DH_get0_pqg(dh, &p, NULL, &g);
- DH_get0_key(dh, &pub_key, NULL);
-#else
- REQUIRE(key->keydata.pkey != NULL);
-
- pkey = key->keydata.pkey;
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- isc_buffer_availableregion(data, &r);
-
- if (BN_cmp(g, bn2) == 0 &&
- (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 ||
- BN_cmp(p, bn1536) == 0))
- {
- plen = 1;
- glen = 0;
- } else {
- plen = BN_num_bytes(p);
- glen = BN_num_bytes(g);
- }
-
- publen = BN_num_bytes(pub_key);
- dnslen = plen + glen + publen + 6;
- if (r.length < (unsigned int)dnslen) {
- DST_RET(ISC_R_NOSPACE);
- }
-
- uint16_toregion(plen, &r);
- if (plen == 1) {
- if (BN_cmp(p, bn768) == 0) {
- *r.base = 1;
- } else if (BN_cmp(p, bn1024) == 0) {
- *r.base = 2;
- } else {
- *r.base = 3;
- }
- } else {
- BN_bn2bin(p, r.base);
- }
- isc_region_consume(&r, plen);
-
- uint16_toregion(glen, &r);
- if (glen > 0) {
- BN_bn2bin(g, r.base);
- }
- isc_region_consume(&r, glen);
-
- uint16_toregion(publen, &r);
- BN_bn2bin(pub_key, r.base);
- isc_region_consume(&r, publen);
-
- isc_buffer_add(data, dnslen);
-
-err:
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
- if (p != NULL) {
- BN_free(p);
- }
- if (g != NULL) {
- BN_free(g);
- }
- if (pub_key != NULL) {
- BN_free(pub_key);
- }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
- */
-
- return (ret);
-}
-
-static isc_result_t
-openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- isc_result_t ret;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh;
-#else
- OSSL_PARAM_BLD *bld = NULL;
- OSSL_PARAM *params = NULL;
- EVP_PKEY_CTX *ctx = NULL;
- EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
- int key_size;
- isc_region_t r;
- uint16_t plen, glen, publen;
- int special = 0;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0) {
- return (ISC_R_SUCCESS);
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- dh = DH_new();
- if (dh == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
-#else
- bld = OSSL_PARAM_BLD_new();
- if (bld == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
- if (ctx == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- /*
- * Read the prime length. 1 & 2 are table entries, > 16 means a
- * prime follows, otherwise an error.
- */
- if (r.length < 2) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- plen = uint16_fromregion(&r);
- if (plen < 16 && plen != 1 && plen != 2) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- if (r.length < plen) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- if (plen == 1 || plen == 2) {
- if (plen == 1) {
- special = *r.base;
- isc_region_consume(&r, 1);
- } else {
- special = uint16_fromregion(&r);
- }
- switch (special) {
- case 1:
- p = BN_dup(bn768);
- break;
- case 2:
- p = BN_dup(bn1024);
- break;
- case 3:
- p = BN_dup(bn1536);
- break;
- default:
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- } else {
- p = BN_bin2bn(r.base, plen, NULL);
- isc_region_consume(&r, plen);
- }
-
- /*
- * Read the generator length. This should be 0 if the prime was
- * special, but it might not be. If it's 0 and the prime is not
- * special, we have a problem.
- */
- if (r.length < 2) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- glen = uint16_fromregion(&r);
- if (r.length < glen) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- if (special != 0) {
- if (glen == 0) {
- g = BN_dup(bn2);
- } else {
- g = BN_bin2bn(r.base, glen, NULL);
- if (g != NULL && BN_cmp(g, bn2) != 0) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- }
- } else {
- if (glen == 0) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- g = BN_bin2bn(r.base, glen, NULL);
- }
- isc_region_consume(&r, glen);
-
- if (p == NULL || g == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
-
- key_size = BN_num_bits(p);
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (DH_set0_pqg(dh, p, NULL, g) != 1) {
- DST_RET(dst__openssl_toresult2("DH_set0_pqg",
- DST_R_OPENSSLFAILURE));
- }
-
- /* These are now managed by OpenSSL */
- p = NULL;
- g = NULL;
-#else
- if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 ||
- OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
- DST_R_OPENSSLFAILURE));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- if (r.length < 2) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- publen = uint16_fromregion(&r);
- if (r.length < publen) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- pub_key = BN_bin2bn(r.base, publen, NULL);
- if (pub_key == NULL) {
- DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
- }
-
- isc_region_consume(&r, publen);
-
- isc_buffer_forward(data, plen + glen + publen + 6);
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
-#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
- (LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
- /*
- * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when
- * DH structure is empty, hence we cannot use DH_get0_key().
- */
- dh->pub_key = pub_key;
-#else /* LIBRESSL_VERSION_NUMBER */
- if (DH_set0_key(dh, pub_key, NULL) != 1) {
- DST_RET(dst__openssl_toresult2("DH_set0_key",
- DST_R_OPENSSLFAILURE));
- }
-#endif /* LIBRESSL_VERSION_NUMBER */
-
- /* This is now managed by OpenSSL */
- pub_key = NULL;
-
- key->keydata.dh = dh;
- dh = NULL;
-#else
- if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
- DST_R_OPENSSLFAILURE));
- }
- params = OSSL_PARAM_BLD_to_param(bld);
- if (params == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_fromdata_init(ctx) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) !=
- 1 ||
- pkey == NULL)
- {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
- DST_R_OPENSSLFAILURE));
- }
-
- key->keydata.pkey = pkey;
- pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- key->key_size = (unsigned int)key_size;
-
- ret = ISC_R_SUCCESS;
-
-err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (dh != NULL) {
- DH_free(dh);
- }
-#else
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
- if (ctx != NULL) {
- EVP_PKEY_CTX_free(ctx);
- }
- if (params != NULL) {
- OSSL_PARAM_free(params);
- }
- if (bld != NULL) {
- OSSL_PARAM_BLD_free(bld);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- if (p != NULL) {
- BN_free(p);
- }
- if (g != NULL) {
- BN_free(g);
- }
- if (pub_key != NULL) {
- BN_free(pub_key);
- }
-
- return (ret);
-}
-
-static isc_result_t
-openssldh_tofile(const dst_key_t *key, const char *directory) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh;
- const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
-#else
- EVP_PKEY *pkey;
- BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- dst_private_t priv;
- unsigned char *bufs[4] = { NULL };
- unsigned short i = 0;
- isc_result_t result;
-
- if (key->external) {
- return (DST_R_EXTERNALKEY);
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (key->keydata.dh == NULL) {
- return (DST_R_NULLKEY);
- }
-
- dh = key->keydata.dh;
- DH_get0_key(dh, &pub_key, &priv_key);
- DH_get0_pqg(dh, &p, NULL, &g);
-#else
- if (key->keydata.pkey == NULL) {
- return (DST_R_NULLKEY);
- }
-
- pkey = key->keydata.pkey;
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- priv.elements[i].tag = TAG_DH_PRIME;
- priv.elements[i].length = BN_num_bytes(p);
- bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
- BN_bn2bin(p, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_GENERATOR;
- priv.elements[i].length = BN_num_bytes(g);
- bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
- BN_bn2bin(g, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PRIVATE;
- priv.elements[i].length = BN_num_bytes(priv_key);
- bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
- BN_bn2bin(priv_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PUBLIC;
- priv.elements[i].length = BN_num_bytes(pub_key);
- bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
- BN_bn2bin(pub_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.nelements = i;
- result = dst__privstruct_writefile(key, &priv, directory);
-
- while (i--) {
- if (bufs[i] != NULL) {
- isc_mem_put(key->mctx, bufs[i],
- priv.elements[i].length);
- }
- }
-
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
- if (p != NULL) {
- BN_free(p);
- }
- if (g != NULL) {
- BN_free(g);
- }
- if (pub_key != NULL) {
- BN_free(pub_key);
- }
- if (priv_key != NULL) {
- BN_clear_free(priv_key);
- }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
- */
-
- return (result);
-}
-
-static isc_result_t
-openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- DH *dh = NULL;
-#else
- OSSL_PARAM_BLD *bld = NULL;
- OSSL_PARAM *params = NULL;
- EVP_PKEY_CTX *ctx = NULL;
- EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
- int key_size = 0;
- isc_mem_t *mctx;
-
- UNUSED(pub);
- mctx = key->mctx;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS) {
- return (ret);
- }
-
- if (key->external) {
- DST_RET(DST_R_EXTERNALKEY);
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- dh = DH_new();
- if (dh == NULL) {
- DST_RET(ISC_R_NOMEMORY);
- }
-#else
- bld = OSSL_PARAM_BLD_new();
- if (bld == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
- if (ctx == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- for (i = 0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data, priv.elements[i].length,
- NULL);
- if (bn == NULL) {
- DST_RET(ISC_R_NOMEMORY);
- }
-
- switch (priv.elements[i].tag) {
- case TAG_DH_PRIME:
- p = bn;
- key_size = BN_num_bits(p);
- break;
- case TAG_DH_GENERATOR:
- g = bn;
- break;
- case TAG_DH_PRIVATE:
- priv_key = bn;
- break;
- case TAG_DH_PUBLIC:
- pub_key = bn;
- break;
- }
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (DH_set0_key(dh, pub_key, priv_key) != 1) {
- DST_RET(dst__openssl_toresult2("DH_set0_key",
- DST_R_OPENSSLFAILURE));
- }
- if (DH_set0_pqg(dh, p, NULL, g) != 1) {
- DST_RET(dst__openssl_toresult2("DH_set0_pqg",
- DST_R_OPENSSLFAILURE));
- }
-
- /* These are now managed by OpenSSL */
- pub_key = NULL;
- priv_key = NULL;
- p = NULL;
- g = NULL;
-
- key->keydata.dh = dh;
- dh = NULL;
-#else
- if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) !=
- 1 ||
- OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key) !=
- 1 ||
- OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 ||
- OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1)
- {
- DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
- DST_R_OPENSSLFAILURE));
- }
- params = OSSL_PARAM_BLD_to_param(bld);
- if (params == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_fromdata_init(ctx) != 1) {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) !=
- 1 ||
- pkey == NULL)
- {
- DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
- DST_R_OPENSSLFAILURE));
- }
-
- key->keydata.pkey = pkey;
- pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
-
- key->key_size = (unsigned int)key_size;
- ret = ISC_R_SUCCESS;
-
-err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
- if (dh != NULL) {
- DH_free(dh);
- }
-#else
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
- if (ctx != NULL) {
- EVP_PKEY_CTX_free(ctx);
- }
- if (params != NULL) {
- OSSL_PARAM_free(params);
- }
- if (bld != NULL) {
- OSSL_PARAM_BLD_free(bld);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
- if (p != NULL) {
- BN_free(p);
- }
- if (g != NULL) {
- BN_free(g);
- }
- if (pub_key != NULL) {
- BN_free(pub_key);
- }
- if (priv_key != NULL) {
- BN_clear_free(priv_key);
- }
- if (ret != ISC_R_SUCCESS) {
- openssldh_destroy(key);
- }
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ret);
-}
-
-static void
-openssldh_cleanup(void) {
- BN_free(bn2);
- bn2 = NULL;
-
- BN_free(bn768);
- bn768 = NULL;
-
- BN_free(bn1024);
- bn1024 = NULL;
-
- BN_free(bn1536);
- bn1536 = NULL;
-}
-
-static dst_func_t openssldh_functions = {
- NULL, /*%< createctx */
- NULL, /*%< createctx2 */
- NULL, /*%< destroyctx */
- NULL, /*%< adddata */
- NULL, /*%< openssldh_sign */
- NULL, /*%< openssldh_verify */
- NULL, /*%< openssldh_verify2 */
- openssldh_computesecret,
- openssldh_compare,
- openssldh_paramcompare,
- openssldh_generate,
- openssldh_isprivate,
- openssldh_destroy,
- openssldh_todns,
- openssldh_fromdns,
- openssldh_tofile,
- openssldh_parse,
- openssldh_cleanup,
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__openssldh_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL) {
- if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) {
- goto cleanup;
- }
- if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) {
- goto cleanup;
- }
- if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) {
- goto cleanup;
- }
- if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) {
- goto cleanup;
- }
- *funcp = &openssldh_functions;
- }
- return (ISC_R_SUCCESS);
-
-cleanup:
- if (bn2 != NULL) {
- BN_free(bn2);
- }
- if (bn768 != NULL) {
- BN_free(bn768);
- }
- if (bn1024 != NULL) {
- BN_free(bn1024);
- }
- if (bn1536 != NULL) {
- BN_free(bn1536);
- }
- return (ISC_R_NOMEMORY);
-}
/* RFC2535 section 7, RFC3110 */
-#define SECALGNAMES \
- { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
- { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
- { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
- { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
- { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
- { DNS_KEYALG_ED25519, "ED25519", 0 }, \
- { DNS_KEYALG_ED448, "ED448", 0 }, \
- { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
- { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
- { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
- 0, NULL, 0 \
+#define SECALGNAMES \
+ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+ { DNS_KEYALG_DH_DEPRECATED, "DH", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
+ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
+ { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+ { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
+ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
+ { DNS_KEYALG_ED25519, "ED25519", 0 }, \
+ { DNS_KEYALG_ED448, "ED448", 0 }, \
+ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
+ 0, NULL, 0 \
}
/* RFC2535 section 7.1 */
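Review bot: The `DH` entry at L2803 is kept and now maps to `DNS_KEYALG_DH_DEPRECATED`, so the text name still parses to the DH algorithm number while every DH key operation is removed elsewhere in this commit, and nothing in the table says that this is deliberate. A one-line comment on that entry would spare the next reader the search, e.g. `/* DH: kept only so that existing KEY/DNSKEY RRs still parse; no key operations are supported. */`. If the intent is instead that `DH` should no longer be accepted as input at all, the entry should be dropped rather than renamed, since the name-to-number direction of this table is presumably what the from-text conversion uses (that caller is outside the hunk).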
REQUIRE(VALID_RESOLVER(resolver));
- /*
- * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
- */
if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
return (false);
}
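Review bot: Dropping the comment at L2824–L2826 leaves the `DST_ALG_DH` test at L2827 unexplained, and after this commit a reader will reasonably ask why an algorithm whose implementation was just removed is still checked here. The removed text was the only pointer to the reason (RFC 4034 Appendix A.1 lists DH and INDIRECT as non-signing algorithms), so keep a short why-comment such as `/* Neither DH nor INDIRECT is a signing algorithm (RFC 4034 A.1). */`. The enclosing function starts outside the hunk.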
isc_result_t
dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
- dns_tkeyctx_t *tctx;
-
REQUIRE(mctx != NULL);
REQUIRE(tctxp != NULL && *tctxp == NULL);
- tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
- tctx->mctx = NULL;
+ dns_tkeyctx_t *tctx = isc_mem_get(mctx, sizeof(*tctx));
+ *tctx = (dns_tkeyctx_t){
+ .mctx = NULL,
+ };
isc_mem_attach(mctx, &tctx->mctx);
- tctx->dhkey = NULL;
- tctx->domain = NULL;
- tctx->gsscred = NULL;
- tctx->gssapi_keytab = NULL;
*tctxp = tctx;
return (ISC_R_SUCCESS);
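Review bot: The compound literal at L2839–L2841 names only `.mctx = NULL`, which is exactly what an empty initializer already yields, so the explicit field reads as if `mctx` needed special treatment before the `isc_mem_attach()` on the next line; `*tctx = (dns_tkeyctx_t){ 0 };` states the same thing more plainly. The dropped `tctx->dhkey = NULL` at L2843 presumably goes with removing the `dhkey` member from `dns_tkeyctx_t` in the header, which is outside this view; if the member were to remain, the zero-initializer still covers it, so there is no correctness concern either way. `sizeof(*tctx)` at L2838 is the right idiom and an improvement over the old `sizeof(dns_tkeyctx_t)`.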
*tctxp = NULL;
mctx = tctx->mctx;
- if (tctx->dhkey != NULL) {
- dst_key_free(&tctx->dhkey);
- }
if (tctx->domain != NULL) {
if (dns_name_dynamic(tctx->domain)) {
dns_name_free(tctx->domain, mctx);
}
}
-static isc_result_t
-compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
- isc_region_t *serverrandomness, isc_buffer_t *secret) {
- isc_md_t *md;
- isc_region_t r, r2;
- unsigned char digests[ISC_MAX_MD_SIZE * 2];
- unsigned char *digest1, *digest2;
- unsigned int digestslen, digestlen1 = 0, digestlen2 = 0;
- unsigned int i;
- isc_result_t result;
-
- isc_buffer_usedregion(shared, &r);
-
- md = isc_md_new();
- if (md == NULL) {
- return (ISC_R_NOSPACE);
- }
-
- /*
- * MD5 ( query data | DH value ).
- */
- digest1 = digests;
-
- result = isc_md_init(md, ISC_MD_MD5);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_update(md, queryrandomness->base,
- queryrandomness->length);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_update(md, r.base, r.length);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_final(md, digest1, &digestlen1);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_reset(md);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- /*
- * MD5 ( server data | DH value ).
- */
- digest2 = digests + digestlen1;
-
- result = isc_md_init(md, ISC_MD_MD5);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_update(md, serverrandomness->base,
- serverrandomness->length);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_update(md, r.base, r.length);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- result = isc_md_final(md, digest2, &digestlen2);
- if (result != ISC_R_SUCCESS) {
- goto end;
- }
-
- isc_md_free(md);
- md = NULL;
-
- digestslen = digestlen1 + digestlen2;
-
- /*
- * XOR ( DH value, MD5-1 | MD5-2).
- */
- isc_buffer_availableregion(secret, &r);
- isc_buffer_usedregion(shared, &r2);
- if (r.length < digestslen || r.length < r2.length) {
- return (ISC_R_NOSPACE);
- }
- if (r2.length > digestslen) {
- memmove(r.base, r2.base, r2.length);
- for (i = 0; i < digestslen; i++) {
- r.base[i] ^= digests[i];
- }
- isc_buffer_add(secret, r2.length);
- } else {
- memmove(r.base, digests, digestslen);
- for (i = 0; i < r2.length; i++) {
- r.base[i] ^= r2.base[i];
- }
- isc_buffer_add(secret, digestslen);
- }
- result = ISC_R_SUCCESS;
-end:
- if (md != NULL) {
- isc_md_free(md);
- }
- return (result);
-}
-
-static isc_result_t
-process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
- dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring,
- dns_namelist_t *namelist) {
- isc_result_t result = ISC_R_SUCCESS;
- dns_name_t *keyname, ourname;
- dns_rdataset_t *keyset = NULL;
- dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
- bool found_key = false, found_incompatible = false;
- dst_key_t *pubkey = NULL;
- isc_buffer_t ourkeybuf, *shared = NULL;
- isc_region_t r, r2, ourkeyr;
- unsigned char keydata[DST_KEY_MAXSIZE];
- unsigned int sharedsize;
- isc_buffer_t secret;
- unsigned char *randomdata = NULL, secretdata[256];
- dns_ttl_t ttl = 0;
-
- if (tctx->dhkey == NULL) {
- tkey_log("process_dhtkey: tkey-dhkey not defined");
- tkeyout->error = dns_tsigerror_badalg;
- return (DNS_R_REFUSED);
- }
-
- if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
- tkey_log("process_dhtkey: algorithms other than "
- "hmac-md5 are not supported");
- tkeyout->error = dns_tsigerror_badalg;
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Look for a DH KEY record that will work with ours.
- */
- for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
- result == ISC_R_SUCCESS && !found_key;
- result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
- {
- keyname = NULL;
- dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
- keyset = NULL;
- result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
- &keyset);
- if (result != ISC_R_SUCCESS) {
- continue;
- }
-
- for (result = dns_rdataset_first(keyset);
- result == ISC_R_SUCCESS && !found_key;
- result = dns_rdataset_next(keyset))
- {
- dns_rdataset_current(keyset, &keyrdata);
- pubkey = NULL;
- result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
- msg->mctx, &pubkey);
- if (result != ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- continue;
- }
- if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
- if (dst_key_paramcompare(pubkey, tctx->dhkey)) {
- found_key = true;
- ttl = keyset->ttl;
- break;
- } else {
- found_incompatible = true;
- }
- }
- dst_key_free(&pubkey);
- dns_rdata_reset(&keyrdata);
- }
- }
-
- if (!found_key) {
- if (found_incompatible) {
- tkey_log("process_dhtkey: found an incompatible key");
- tkeyout->error = dns_tsigerror_badkey;
- return (ISC_R_SUCCESS);
- } else {
- tkey_log("process_dhtkey: failed to find a key");
- return (DNS_R_FORMERR);
- }
- }
-
- add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist);
-
- isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
- RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
- isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
- dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
- dns_rdatatype_key, &ourkeyr);
-
- dns_name_init(&ourname, NULL);
- dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
-
- /*
- * XXXBEW The TTL should be obtained from the database, if it exists.
- */
- add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist);
-
- RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
- isc_buffer_allocate(msg->mctx, &shared, sharedsize);
-
- result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
- if (result != ISC_R_SUCCESS) {
- tkey_log("process_dhtkey: failed to compute shared secret: %s",
- isc_result_totext(result));
- goto failure;
- }
- dst_key_free(&pubkey);
-
- isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
- randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
-
- isc_nonce_buf(randomdata, TKEY_RANDOM_AMOUNT);
-
- r.base = randomdata;
- r.length = TKEY_RANDOM_AMOUNT;
- r2.base = tkeyin->key;
- r2.length = tkeyin->keylen;
- RETERR(compute_secret(shared, &r2, &r, &secret));
- isc_buffer_free(&shared);
-
- RETERR(dns_tsigkey_create(
- name, &tkeyin->algorithm, isc_buffer_base(&secret),
- isc_buffer_usedlength(&secret), true, signer, tkeyin->inception,
- tkeyin->expire, ring->mctx, ring, NULL));
-
- /* This key is good for a long time */
- tkeyout->inception = tkeyin->inception;
- tkeyout->expire = tkeyin->expire;
-
- tkeyout->key = randomdata;
- tkeyout->keylen = TKEY_RANDOM_AMOUNT;
-
- return (ISC_R_SUCCESS);
-
-failure:
- if (!ISC_LIST_EMPTY(*namelist)) {
- free_namelist(msg, namelist);
- }
- if (shared != NULL) {
- isc_buffer_free(&shared);
- }
- if (pubkey != NULL) {
- dst_key_free(&pubkey);
- }
- if (randomdata != NULL) {
- isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
- }
- return (result);
-}
-
static isc_result_t
process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
}
switch (tkeyin.mode) {
- case DNS_TKEYMODE_DIFFIEHELLMAN:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_dhtkey(msg, signer, keyname, &tkeyin, tctx,
- &tkeyout, ring, &namelist));
- break;
case DNS_TKEYMODE_GSSAPI:
tkeyout.error = dns_rcode_noerror;
RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx, &tkeyout,
return (ISC_R_SUCCESS);
}
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
- const dns_name_t *name, const dns_name_t *algorithm,
- isc_buffer_t *nonce, uint32_t lifetime) {
- dns_rdata_tkey_t tkey;
- dns_rdata_t *rdata = NULL;
- isc_buffer_t *dynbuf = NULL;
- isc_region_t r;
- dns_name_t keyname;
- dns_namelist_t namelist;
- isc_result_t result;
- isc_stdtime_t now;
- dns_name_t *item;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- REQUIRE(name != NULL);
- REQUIRE(algorithm != NULL);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = msg->mctx;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(algorithm, &tkey.algorithm);
- isc_stdtime_get(&now);
- tkey.inception = now;
- tkey.expire = now + lifetime;
- tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
- if (nonce != NULL) {
- isc_buffer_usedregion(nonce, &r);
- } else {
- r.base = NULL;
- r.length = 0;
- }
- tkey.error = 0;
- tkey.key = r.base;
- tkey.keylen = r.length;
- tkey.other = NULL;
- tkey.otherlen = 0;
-
- RETERR(buildquery(msg, name, &tkey, false));
-
- dns_message_gettemprdata(msg, &rdata);
- isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
- RETERR(dst_key_todns(key, dynbuf));
- isc_buffer_usedregion(dynbuf, &r);
- dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_key, &r);
- dns_message_takebuffer(msg, &dynbuf);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ISC_LIST_INIT(namelist);
- add_rdata_to_list(msg, &keyname, rdata, 0, &namelist);
- item = ISC_LIST_HEAD(namelist);
- while (item != NULL) {
- dns_name_t *next = ISC_LIST_NEXT(item, link);
- ISC_LIST_UNLINK(namelist, item, link);
- dns_message_addname(msg, item, DNS_SECTION_ADDITIONAL);
- item = next;
- }
-
- return (ISC_R_SUCCESS);
-
-failure:
-
- if (dynbuf != NULL) {
- isc_buffer_free(&dynbuf);
- }
- return (result);
-}
-
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
return (result);
}
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring) {
- dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
- dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
- dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
- dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
- dst_key_t *theirkey = NULL;
- dns_rdata_tkey_t qtkey, rtkey;
- unsigned char secretdata[256];
- unsigned int sharedsize;
- isc_buffer_t *shared = NULL, secret;
- isc_region_t r, r2;
- isc_result_t result;
- bool freertkey = false;
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- if (outkey != NULL) {
- REQUIRE(*outkey == NULL);
- }
-
- if (rmsg->rcode != dns_rcode_noerror) {
- return (dns_result_fromrcode(rmsg->rcode));
- }
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
- freertkey = true;
-
- RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
- rtkey.mode != qtkey.mode ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
- tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set(1)");
- result = DNS_R_INVALIDTKEY;
- dns_rdata_freestruct(&qtkey);
- goto failure;
- }
-
- dns_rdata_freestruct(&qtkey);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ourkeyname = NULL;
- ourkeyset = NULL;
- RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
- dns_rdatatype_key, 0, &ourkeyname,
- &ourkeyset));
-
- result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
- while (result == ISC_R_SUCCESS) {
- theirkeyname = NULL;
- dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
- &theirkeyname);
- if (dns_name_equal(theirkeyname, ourkeyname)) {
- goto next;
- }
- theirkeyset = NULL;
- result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
- 0, &theirkeyset);
- if (result == ISC_R_SUCCESS) {
- RETERR(dns_rdataset_first(theirkeyset));
- break;
- }
- next:
- result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
- }
-
- if (theirkeyset == NULL) {
- tkey_log("dns_tkey_processdhresponse: failed to find server "
- "key");
- result = ISC_R_NOTFOUND;
- goto failure;
- }
-
- dns_rdataset_current(theirkeyset, &theirkeyrdata);
- RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata, rmsg->mctx,
- &theirkey));
-
- RETERR(dst_key_secretsize(key, &sharedsize));
- isc_buffer_allocate(rmsg->mctx, &shared, sharedsize);
-
- RETERR(dst_key_computesecret(theirkey, key, shared));
-
- isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
- r.base = rtkey.key;
- r.length = rtkey.keylen;
- if (nonce != NULL) {
- isc_buffer_usedregion(nonce, &r2);
- } else {
- r2.base = NULL;
- r2.length = 0;
- }
- RETERR(compute_secret(shared, &r2, &r, &secret));
-
- isc_buffer_usedregion(&secret, &r);
- result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base,
- r.length, true, NULL, rtkey.inception,
- rtkey.expire, rmsg->mctx, ring, outkey);
- isc_buffer_free(&shared);
- dns_rdata_freestruct(&rtkey);
- dst_key_free(&theirkey);
- return (result);
-
-failure:
- if (shared != NULL) {
- isc_buffer_free(&shared);
- }
-
- if (theirkey != NULL) {
- dst_key_free(&theirkey);
- }
-
- if (freertkey) {
- dns_rdata_freestruct(&rtkey);
- }
-
- return (result);
-}
-
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *gname, dns_gss_ctx_id_t *context,
}
alg = tuple->rdata.data[3];
- if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
- alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
+ if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
+ alg == DNS_KEYALG_RSASHA1)
{
nseconly = true;
}
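Review bot: The same three-algorithm NSEC-only list is now spelled out three times — here at L3357–L3358, at L3367–L3368 and at L3376–L3377 — and each copy was edited by hand in this commit, which is how such lists drift apart the next time an algorithm is retired; a single predicate, e.g. `static bool alg_is_nsec_only(unsigned int alg)`, would keep them in step (if the sites live in different files it belongs in a shared header). Removing `DNS_KEYALG_DH` from these lists also changes what a DNSKEY carrying the DH algorithm number means at this point: it no longer forces NSEC and is treated like an NSEC3-capable algorithm. That is presumably harmless because such keys are rejected as non-signing elsewhere (the `DST_ALG_DH` check at L2827), but the algorithm byte read at L3354 is taken straight from the rdata before any such rejection, so a one-line comment on why DH need not be listed would help. The enclosing functions start outside these hunks.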
if (keys != NULL && !nseconly) {
for (unsigned int i = 0; i < numkeys; i++) {
alg = dst_key_alg(keys[i]);
- if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
- alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
+ if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
+ alg == DNS_KEYALG_RSASHA1)
{
nseconly = true;
break;
}
/* NSEC3 cannot be used with certain key algorithms. */
- if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
- keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
+ if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA ||
+ keyalg == DNS_KEYALG_RSASHA1)
{
badalg = keyalg;
}
static cfg_type_t cfg_type_viewopts;
static cfg_type_t cfg_type_zone;
-/*% tkey-dhkey */
-
-static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
- { "name", &cfg_type_qstring, 0 },
- { "keyid", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey", cfg_parse_tuple,
- cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, tkey_dhkey_fields };
-
/*% listen-on */
static cfg_tuplefielddef_t listenon_tuple_fields[] = {
{ "tcp-listen-queue", &cfg_type_uint32, 0 },
{ "tcp-receive-buffer", &cfg_type_uint32, 0 },
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
- { "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+ { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-domain", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
dbdiff_test \
dbiterator_test \
dbversion_test \
- dh_test \
dispatch_test \
dns64_test \
dst_test \
+++ /dev/null
-example-private. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5
+++ /dev/null
-Private-key-format: v1.3
-Algorithm: 2 (DH)
-Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
-Generator(g): Ag==
-Private_value(x): dLr0sfk/P1V0DfQ7Ke3IIaSM8nHjtrBRlMcQXRMVrLhbbKeCodvpSRtI0Nwtt38Df8dbGGtP676my2Ht2UHyL7rO0+ASv98NCysL0Xp6q2a7fn67iGFUBTg3jzXC89FYv4sYNeVLDGrKC3EjtGkalzgDVuzEC8CqRkWKeys3ufc=
-Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
-Created: 20000101000000
-Publish: 20000101000000
-Activate: 20000101000000
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <sched.h> /* IWYU pragma: keep */
-#include <setjmp.h>
-#include <stdarg.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define UNIT_TESTING
-#include <cmocka.h>
-
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/name.h>
-
-#include "dst_internal.h"
-
-#include <tests/dns.h>
-
-static int
-setup_test(void **state) {
- isc_result_t result;
-
- UNUSED(state);
-
- result = dst_lib_init(mctx, NULL);
-
- if (result != ISC_R_SUCCESS) {
- return (1);
- }
-
- return (0);
-}
-
-static int
-teardown_test(void **state) {
- UNUSED(state);
-
- dst_lib_destroy();
-
- return (0);
-}
-
-/* OpenSSL DH_compute_key() failure */
-ISC_RUN_TEST_IMPL(dh_computesecret) {
- dst_key_t *key = NULL;
- isc_buffer_t buf;
- unsigned char array[1024];
- isc_result_t result;
- dns_fixedname_t fname;
- dns_name_t *name;
-
- UNUSED(state);
-
- name = dns_fixedname_initname(&fname);
- isc_buffer_constinit(&buf, "dh.", 3);
- isc_buffer_add(&buf, 3);
- result = dns_name_fromtext(name, &buf, NULL, 0, NULL);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- result = dst_key_fromfile(name, 18602, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, TESTS_DIR,
- mctx, &key);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- isc_buffer_init(&buf, array, sizeof(array));
- result = dst_key_computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_NOTPRIVATEKEY);
- result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
-
- dst_key_free(&key);
-}
-
-ISC_TEST_LIST_START
-ISC_TEST_ENTRY_CUSTOM(dh_computesecret, setup_test, teardown_test)
-ISC_TEST_LIST_END
-
-ISC_TEST_MAIN
/* EdDSA Public Key: different key */
{ "example.", 63663, "example2.", 37529, DST_ALG_ED25519,
DST_TYPE_PUBLIC, false },
-
- /* DH Keypair: self */
- { "example.", 65316, "example.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, true },
-
- /* DH Keypair: different key */
- { "example.", 65316, "example2.", 19823, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Keypair: different key (with generator=5) */
- { "example.", 65316, "example3.", 17187, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Keypair: different private key */
- { "example.", 65316, "example-private.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Public Key: self */
- { "example.", 65316, "example.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, true },
-
- /* DH Public Key: different key */
- { "example.", 65316, "example2.", 19823, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
-
- /* DH Public Key: different key (with generator=5) */
- { "example.", 65316, "example3.", 17187, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
};
unsigned int i;