+2726. [func] Added support for SHA-2 DNSSEC algorithms,
+ RSASHA256 and RSASHA512. [RT #20023]
+
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
/*! \file */
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
- " NSEC3DSA | NSEC3RSASHA1";
+ " NSEC3DSA | NSEC3RSASHA1 |"
+ " RSASHA256 | RSASHA512";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
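Review bot: Only the `algs` usage string changes in dnssec-keyfromlabel.c in the visible hunks, yet the man page in the same commit now says an algorithm given with `-3` is checked for NSEC3 compatibility. If this file has the same test that dnssec-keygen.c extends with `alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512`, it needs the same two clauses, otherwise `-3 -a RSASHA256` would presumably be rejected here while dnssec-keygen accepts it. The string also still lists `RSA` and `DH`, while the updated man page drops DH from the accepted values, so one of the two should be brought into line.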
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.13 2009/10/16 15:37:01 jreed Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.14 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5 (RSA),
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
- in which case NSEC3RSASHA1 will be used instead.
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <option>-3</option> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 2539</citetitle>,
- <citetitle>RFC 2845</citetitle>,
- <citetitle>RFC 4033</citetitle>.
+ <citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
/*! \file */
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
- fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | "
- "NSEC3RSASHA1 | NSEC3DSA |\n");
+ fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+ " | NSEC3DSA |\n");
+ fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
}
if (use_nsec3 &&
- alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_RSASHA256:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
+ case DNS_KEYALG_RSASHA512:
+ if (size != 0 && (size < 1024 || size > MAX_RSA))
+ fatal("RSA key size %d out of range", size);
+ break;
case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
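Review bot: The new `case DNS_KEYALG_RSASHA256:` joins the group whose lower bound is 512 bits, so the tool will still generate a 512-bit modulus for a SHA-256 signing key. That may match the draft's minimum, but a modulus that short is the weak link regardless of the digest, and operators moving to SHA-2 are unlikely to expect it. Consider at least a warning below 1024 bits for the SHA-2 algorithms, for example `if (size != 0 && size < 1024) fprintf(stderr, "warning: RSA key size %d is weak\n", size);`. The man page text in this commit also states one 512-bit floor for all RSA keys, which no longer matches the 1024-bit floor enforced for RSASHA512 here. The enclosing switch begins and ends outside this hunk.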
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
- alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
+ alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
+ alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_RSASHA256:
+ case DNS_KEYALG_RSASHA512:
param = rsa_exp;
break;
case DNS_KEYALG_DH:
param = generator;
break;
case DNS_KEYALG_DSA:
+ case DNS_KEYALG_NSEC3DSA:
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.30 2009/10/16 15:37:01 jreed Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.31 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
- in which case NSEC3RSASHA1 will be used instead.
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <option>-3</option> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
+ size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC-MD5 keys must be
+ bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</para>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
- default.
+ default. Note that RSASHA256 and RSASHA512 algorithms
+ are NSEC3-capable.
</para>
</listitem>
</varlistentry>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
- <citetitle>RFC 4033</citetitle>.
+ <citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs
-Intended status: Standards Track April 24, 2009
-Expires: October 26, 2009
+Intended status: Standards Track June 04, 2009
+Expires: December 6, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC
- draft-ietf-dnsext-dnssec-rsasha256-13
+ draft-ietf-dnsext-dnssec-rsasha256-14
Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on October 26, 2009.
+ This Internet-Draft will expire on December 6, 2009.
Copyright Notice
-Jansen Expires October 26, 2009 [Page 1]
+Jansen Expires December 6, 2009 [Page 1]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6
- 6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 6
+ 6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource
-Jansen Expires October 26, 2009 [Page 2]
+Jansen Expires December 6, 2009 [Page 2]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
1. Introduction
-Jansen Expires October 26, 2009 [Page 3]
+Jansen Expires December 6, 2009 [Page 3]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
2.2. RSA/SHA-512 DNSKEY Resource Records
-Jansen Expires October 26, 2009 [Page 4]
+Jansen Expires December 6, 2009 [Page 4]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
3.2. RSA/SHA-512 RRSIG Resource Records
-Jansen Expires October 26, 2009 [Page 5]
+Jansen Expires December 6, 2009 [Page 5]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
- both NSEC and NSEC3 [RFC5155] negative answers. An authoritative
- server that does not implement NSEC3 MAY still serve zones that use
- RSA/SHA-2 with NSEC denial of existence.
+ negative answers in the form of both NSEC and NSEC3 with hash
+ algorithm 1, as defined in [RFC5155]. An authoritative server that
+ does not implement NSEC3 MAY still serve zones that use RSA/SHA-2
+ with NSEC denial of existence.
6. Examples
With this key, sign the following RRSet, consisting of 1 A record:
- www.example.net. 3600 IN A 123.123.123.123
+ www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000
- 20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU
- 5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB
- ND/TQhjCvrb3T9ffQ== );{id = 9033}
+ 20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
+ l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
+ cFYK/lPtPiVYP4bwg== ;{id = 9033}
+
-6.2. RSA/SHA-512 Key and Signature
- Given a private key with the following values (in Base64):
-Jansen Expires October 26, 2009 [Page 6]
+Jansen Expires December 6, 2009 [Page 6]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
+6.2. RSA/SHA-512 Key and Signature
+
+ Given a private key with the following values (in Base64):
+
Private-key-format: v1.2
- Algorithm: 9 (RSASHA512)
- Modulus: 8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH
- XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf
- haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH
- IbdeNZnIkWSv4muchs=
+ Algorithm: 10 (RSASHA512)
+ Modulus: 0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf
+ Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk
+ 8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V
+ jXZlNKdyit99waaE4s=
PublicExponent: AQAB
- PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3
- zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j
- PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb
- 8q2AajPrTlRzv6uW8E=
- Prime1: +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk
- Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw==
- Prime2: 98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7
- j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q==
- Exponent1: j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29
- Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ==
- Exponent2: 4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA
- BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q==
- Coefficient: BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx
- avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q==
+ PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6
+ AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj
+ yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3
+ SEIAsrB043XzGrKIVE=
+ Prime1: 8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x
+ nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ==
+ Prime2: 3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK
+ Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw==
+ Exponent1: v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM
+ MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q==
+ Exponent2: m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J
+ PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w==
+ Coefficient: Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q
+ /Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ==
The DNSKEY record for this key would be:
- example.net. 3600 IN DNSKEY (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z
- cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0
- hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK
- FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb
- );{id = 28237 (zsk), size = 1024b}
+ example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
+ p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
+ xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
+ pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
+ );{id = 3740 (zsk), size = 1024b}
With this key, sign the following RRSet, consisting of 1 A record:
- www.example.net. 3600 IN A 123.123.123.123
+ www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
- www.example.net. 3600 IN RRSIG (A 9 3 3600 20300101000000
- 20000101000000 28237 example.net. mCanSdkQztEUOmslG
- z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK
- dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq
- 4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu
- M= );{id = 28237}
-
-
-
-
+ www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000
+ 20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
+ 6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
+ eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
+ DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
+ =);{id = 3740}
-Jansen Expires October 26, 2009 [Page 7]
+Jansen Expires December 6, 2009 [Page 7]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
7. IANA Considerations
-Jansen Expires October 26, 2009 [Page 8]
+Jansen Expires December 6, 2009 [Page 8]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
9. Acknowledgments
-Jansen Expires October 26, 2009 [Page 9]
+Jansen Expires December 6, 2009 [Page 9]
\f
-Internet-Draft DNSSEC RSA/SHA-2 April 2009
+Internet-Draft DNSSEC RSA/SHA-2 June 2009
Version 2.1", RFC 3447, February 2003.
-Jansen Expires October 26, 2009 [Page 10]
+Jansen Expires December 6, 2009 [Page 10]
\f
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $
+ * $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
*/
/*! \file */
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
#ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
case DST_ALG_DSA:
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
- alg == DST_ALG_NSEC3RSASHA1)
+ alg == DST_ALG_NSEC3RSASHA1 ||
+ alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
#include <isc/types.h>
#include <isc/md5.h>
#include <isc/sha1.h>
+#include <isc/sha2.h>
#include <isc/stdtime.h>
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
dst_gssapi_signverifyctx_t *gssctx;
isc_md5_t *md5ctx;
isc_sha1_t *sha1ctx;
+ isc_sha256_t *sha256ctx;
+ isc_sha512_t *sha512ctx;
isc_hmacmd5_t *hmacmd5ctx;
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;
/*%
* Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
+ * $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
*/
#include <config.h>
case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n");
break;
+ case DST_ALG_RSASHA256:
+ fprintf(fp, "(RSASHA256)\n");
+ break;
+ case DST_ALG_RSASHA512:
+ fprintf(fp, "(RSASHA512)\n");
+ break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyvalues.h,v 1.26 2009/06/30 02:52:32 each Exp $ */
+/* $Id: keyvalues.h,v 1.27 2009/10/22 02:21:31 each Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7
+#define DNS_KEYALG_RSASHA256 8
+#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */
+/* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
#define DST_ALG_RSASHA1 5
#define DST_ALG_NSEC3DSA 6
#define DST_ALG_NSEC3RSASHA1 7
+#define DST_ALG_RSASHA256 8
+#define DST_ALG_RSASHA512 10
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
*/
#ifdef OPENSSL
#ifndef USE_EVP
#include <isc/entropy.h>
#include <isc/md5.h>
#include <isc/sha1.h>
+#include <isc/sha2.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/util.h>
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
+#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
+/*
+ * OpenSSL 0.9.7 doesn't support SHA2.
+ * Provide the method functions we need.
+ */
+
+/*
+ * Use our namespace, not OpenSSL's.
+ */
+#define EVP_sha256 ISC_EVP_sha256
+#define EVP_sha512 ISC_EVP_sha512
+
+/*
+ * OpensSSL 0.9.8 defines these.
+ */
+#if 0
+#define NID_sha256WithRSAEncryption 668
+#define NID_sha256 672
+#define NID_sha512WithRSAEncryption 670
+#define NID_sha512 674
+#else
+#define NID_sha256WithRSAEncryption 0
+#define NID_sha256 0
+#define NID_sha512WithRSAEncryption 0
+#define NID_sha512 0
+#endif
+
+static int init256(EVP_MD_CTX *ctx)
+ { isc_sha256_init(ctx->md_data); return 1; }
+static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
+ { isc_sha256_update(ctx->md_data,data,count); return 1; }
+static int final256(EVP_MD_CTX *ctx,unsigned char *md)
+ { isc_sha256_final(md,ctx->md_data); return 1; }
+
+static const EVP_MD sha256_md=
+ {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ ISC_SHA256_DIGESTLENGTH,
+ 0,
+ init256,
+ update256,
+ final256,
+ NULL,
+ NULL,
+ EVP_PKEY_RSA_method,
+ ISC_SHA256_BLOCK_LENGTH,
+ sizeof(EVP_MD *)+sizeof(isc_sha256_t),
+ };
+
+static const EVP_MD *EVP_sha256(void)
+ { return(&sha256_md); }
+
+static int init512(EVP_MD_CTX *ctx)
+ { isc_sha512_init(ctx->md_data); return 1; }
+static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+ { isc_sha512_update(ctx->md_data,data,count); return 1; }
+static int final512(EVP_MD_CTX *ctx,unsigned char *md)
+ { isc_sha512_final(md,ctx->md_data); return 1; }
+
+static const EVP_MD sha512_md=
+ {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ ISC_SHA512_DIGESTLENGTH,
+ 0,
+ init512,
+ update512,
+ final512,
+ NULL,
+ NULL,
+ EVP_PKEY_RSA_method,
+ ISC_SHA512_BLOCK_LENGTH,
+ sizeof(EVP_MD *)+sizeof(isc_sha512_t),
+ };
+
+static const EVP_MD *EVP_sha512(void)
+ { return(&sha512_md); }
+#endif
+
static isc_result_t
opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#if USE_EVP
EVP_MD_CTX *evp_md_ctx;
- const EVP_MD *type;
+ const EVP_MD *type = NULL;
#endif
UNUSED(key);
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL)
return (ISC_R_NOMEMORY);
- if (dctx->key->key_alg == DST_ALG_RSAMD5)
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
- else
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
+ break;
+ case DST_ALG_RSASHA256:
+ type = EVP_sha256(); /* SHA256 + RSA */
+ break;
+ case DST_ALG_RSASHA512:
+ type = EVP_sha512();
+ break;
+ default:
+ INSIST(0);
+ }
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
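Review bot: In the pre-0.9.8 shim all four NID macros are defined as 0 (the real values sit under `#if 0`), so `sha256_md` and `sha512_md` give the library an undefined object id as both digest type and signature type. Presumably the DigestInfo that the RSA method builds behind `EVP_VerifyFinal` and its signing counterpart will then not carry the SHA-2 OID, so signatures made or checked on such a build would not interoperate with a 0.9.8 build. This needs a cross-version sign/verify test, or the two algorithms should be left unregistered when the library lacks SHA-2. The guard also uses `defined(USE_EVP)` while the rest of the file tests `#if USE_EVP`, which differ when the macro is defined as 0, and the shim appears to leave the non-EVP `type = NID_sha256` path with no definition on old libraries. Smaller points: the comment "OpensSSL 0.9.8" is misspelled and `type = EVP_sha512();` lacks the `/* SHA512 + RSA */` comment its siblings have.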
}
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
#else
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx;
-
- md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
- if (md5ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_md5_init(md5ctx);
- dctx->ctxdata.md5ctx = md5ctx;
- } else {
- isc_sha1_t *sha1ctx;
-
- sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- if (sha1ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_sha1_init(sha1ctx);
- dctx->ctxdata.sha1ctx = sha1ctx;
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ {
+ isc_md5_t *md5ctx;
+
+ md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
+ if (md5ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_md5_init(md5ctx);
+ dctx->ctxdata.md5ctx = md5ctx;
+ }
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ {
+ isc_sha1_t *sha1ctx;
+
+ sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+ if (sha1ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_sha1_init(sha1ctx);
+ dctx->ctxdata.sha1ctx = sha1ctx;
+ }
+ break;
+ case DST_ALG_RSASHA256:
+ {
+ isc_sha256_t *sha256ctx;
+
+ sha256ctx = isc_mem_get(dctx->mctx,
+ sizeof(isc_sha256_t));
+ if (sha256ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_sha256_init(sha256ctx);
+ dctx->ctxdata.sha256ctx = sha256ctx;
+ }
+ break;
+ case DST_ALG_RSASHA512:
+ {
+ isc_sha512_t *sha512ctx;
+
+ sha512ctx = isc_mem_get(dctx->mctx,
+ sizeof(isc_sha512_t));
+ if (sha512ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_sha512_init(sha512ctx);
+ dctx->ctxdata.sha512ctx = sha512ctx;
+ }
+ break;
+ default:
+ INSIST(0);
}
#endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
if (evp_md_ctx != NULL) {
dctx->ctxdata.evp_md_ctx = NULL;
}
#else
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
- if (md5ctx != NULL) {
- isc_md5_invalidate(md5ctx);
- isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
- dctx->ctxdata.md5ctx = NULL;
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ {
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+ if (md5ctx != NULL) {
+ isc_md5_invalidate(md5ctx);
+ isc_mem_put(dctx->mctx, md5ctx,
+ sizeof(isc_md5_t));
+ dctx->ctxdata.md5ctx = NULL;
+ }
}
- } else {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- if (sha1ctx != NULL) {
- isc_sha1_invalidate(sha1ctx);
- isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
- dctx->ctxdata.sha1ctx = NULL;
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ {
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+ if (sha1ctx != NULL) {
+ isc_sha1_invalidate(sha1ctx);
+ isc_mem_put(dctx->mctx, sha1ctx,
+ sizeof(isc_sha1_t));
+ dctx->ctxdata.sha1ctx = NULL;
+ }
+ }
+ break;
+ case DST_ALG_RSASHA256:
+ {
+ isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+ if (sha256ctx != NULL) {
+ isc_sha256_invalidate(sha256ctx);
+ isc_mem_put(dctx->mctx, sha256ctx,
+ sizeof(isc_sha256_t));
+ dctx->ctxdata.sha256ctx = NULL;
+ }
+ }
+ break;
+ case DST_ALG_RSASHA512:
+ {
+ isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+ if (sha512ctx != NULL) {
+ isc_sha512_invalidate(sha512ctx);
+ isc_mem_put(dctx->mctx, sha512ctx,
+ sizeof(isc_sha512_t));
+ dctx->ctxdata.sha512ctx = NULL;
+ }
}
+ break;
+ default:
+ INSIST(0);
}
#endif
}
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (ISC_R_FAILURE);
}
#else
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
- isc_md5_update(md5ctx, data->base, data->length);
- } else {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
- isc_sha1_update(sha1ctx, data->base, data->length);
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ {
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+ isc_md5_update(md5ctx, data->base, data->length);
+ }
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ {
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+ isc_sha1_update(sha1ctx, data->base, data->length);
+ }
+ break;
+ case DST_ALG_RSASHA256:
+ {
+ isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+ isc_sha256_update(sha256ctx, data->base, data->length);
+ }
+ break;
+ case DST_ALG_RSASHA512:
+ {
+ isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+ isc_sha512_update(sha512ctx, data->base, data->length);
+ }
+ break;
+ default:
+ INSIST(0);
}
#endif
return (ISC_R_SUCCESS);
EVP_PKEY *pkey = key->keydata.pkey;
#else
RSA *rsa = key->keydata.rsa;
- /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
int status;
- int type;
- unsigned int digestlen;
+ int type = 0;
+ unsigned int digestlen = 0;
char *message;
unsigned long err;
const char* file;
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
isc_buffer_availableregion(sig, &r);
if (r.length < (unsigned int) RSA_size(rsa))
return (ISC_R_NOSPACE);
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- } else {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ {
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+ isc_md5_final(md5ctx, digest);
+ type = NID_md5;
+ digestlen = ISC_MD5_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ {
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+ isc_sha1_final(sha1ctx, digest);
+ type = NID_sha1;
+ digestlen = ISC_SHA1_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA256:
+ {
+ isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+ isc_sha256_final(digest, sha256ctx);
+ type = NID_sha256;
+ digestlen = ISC_SHA256_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA512:
+ {
+ isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+ isc_sha512_final(digest, sha512ctx);
+ type = NID_sha512;
+ digestlen = ISC_SHA512_DIGESTLENGTH;
+ }
+ break;
+ default:
+ INSIST(0);
}
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
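Review bot: The digest-finalization switch added in this non-EVP branch is repeated line for line in the verify hunk that follows, so every new algorithm or fix has to be mirrored by hand in two places. A file-local helper that finalizes the digest and reports the NID and length would keep the sign and verify paths in step, and would put the differing argument order of `isc_sha1_final` and `isc_sha256_final` in one place. Both enclosing functions begin outside these hunks.

```c
/* Finalize the digest selected by dctx->key->key_alg into digest[] and
 * report the matching OpenSSL NID and digest length. */
static void
opensslrsa_finaldigest(dst_context_t *dctx, unsigned char *digest,
		       int *type, unsigned int *digestlen)
{
	switch (dctx->key->key_alg) {
	case DST_ALG_RSAMD5:
		isc_md5_final(dctx->ctxdata.md5ctx, digest);
		*type = NID_md5;
		*digestlen = ISC_MD5_DIGESTLENGTH;
		break;
	case DST_ALG_RSASHA1:
	case DST_ALG_NSEC3RSASHA1:
		isc_sha1_final(dctx->ctxdata.sha1ctx, digest);
		*type = NID_sha1;
		*digestlen = ISC_SHA1_DIGESTLENGTH;
		break;
	case DST_ALG_RSASHA256:
		isc_sha256_final(digest, dctx->ctxdata.sha256ctx);
		*type = NID_sha256;
		*digestlen = ISC_SHA256_DIGESTLENGTH;
		break;
	case DST_ALG_RSASHA512:
		isc_sha512_final(digest, dctx->ctxdata.sha512ctx);
		*type = NID_sha512;
		*digestlen = ISC_SHA512_DIGESTLENGTH;
		break;
	default:
		INSIST(0);
	}
}

/* … unchanged: REQUIRE and isc_buffer_availableregion checks in opensslrsa_sign … */
	opensslrsa_finaldigest(dctx, digest, &type, &digestlen);
	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
```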
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
#else
- /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- int type;
- unsigned int digestlen;
+ /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+ int type = 0;
+ unsigned int digestlen = 0;
RSA *rsa = key->keydata.rsa;
#endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
#else
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- } else {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ {
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+ isc_md5_final(md5ctx, digest);
+ type = NID_md5;
+ digestlen = ISC_MD5_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ {
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+ isc_sha1_final(sha1ctx, digest);
+ type = NID_sha1;
+ digestlen = ISC_SHA1_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA256:
+ {
+ isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+ isc_sha256_final(digest, sha256ctx);
+ type = NID_sha256;
+ digestlen = ISC_SHA256_DIGESTLENGTH;
+ }
+ break;
+ case DST_ALG_RSASHA512:
+ {
+ isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+ isc_sha512_final(digest, sha512ctx);
+ type = NID_sha512;
+ digestlen = ISC_SHA512_DIGESTLENGTH;
+ }
+ break;
+ default:
+ INSIST(0);
}
if (sig->length < (unsigned int) RSA_size(rsa))
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rcode.c,v 1.11 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: rcode.c,v 1.12 2009/10/22 02:21:30 each Exp $ */
#include <config.h>
#include <ctype.h>
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+ { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sha2.h,v 1.11 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */
/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
/*** SHA-224/256/384/512 Function Prototypes ******************************/
void isc_sha224_init (isc_sha224_t *);
+void isc_sha224_invalidate (isc_sha224_t *);
void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
void isc_sha256_init (isc_sha256_t *);
+void isc_sha256_invalidate (isc_sha256_t *);
void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
void isc_sha384_init (isc_sha384_t *);
+void isc_sha384_invalidate (isc_sha384_t *);
void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
void isc_sha512_init (isc_sha512_t *);
+void isc_sha512_invalidate (isc_sha512_t *);
void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
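Review bot: The four new `isc_sha*_invalidate` prototypes are added without any statement of their contract, and the two implementations in sha2.c differ: one calls `EVP_MD_CTX_cleanup`, the other zero-fills the structure. A caller reading only the header cannot tell whether the context may be used again afterwards. I would add a short comment above each group, for example `/* Clears the context; call isc_sha256_init() again before any further update/final. */`.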
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sha2.c,v 1.17 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: sha2.c,v 1.18 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */
/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */
EVP_DigestInit(context, EVP_sha224());
}
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) {
EVP_DigestInit(context, EVP_sha256());
}
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
void
isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) {
EVP_DigestInit(context, EVP_sha512());
}
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) {
/* Calling with no data is valid - we do nothing */
EVP_DigestInit(context, EVP_sha384());
}
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) {
context->bitcount = 0;
}
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+ memset(context, 0, sizeof(isc_sha224_t));
+}
+
void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
isc_sha256_update((isc_sha256_t *)context, data, len);
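Review bot: `isc_sha224_invalidate` here, and the `isc_sha256_invalidate`, `isc_sha512_invalidate` and `isc_sha384_invalidate` hunks below, clear the context with a plain `memset`, which the non-EVP destroy path in opensslrsa_link.c follows directly with `isc_mem_put`. A store to an object that is about to be released is one the compiler may drop if the call is ever inlined, for example under link-time optimization. If the intent is to scrub hashing state, which also holds key-derived data when these contexts back the HMAC code, the wipe should go through a form that cannot be elided, such as a volatile-qualified write loop or the platform's explicit-zero primitive. If the intent is only to mark the context unusable, a comment saying so, such as `/* not a secure wipe; marks the context as uninitialized */`, would prevent later misuse.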
context->bitcount = 0;
}
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+ memset(context, 0, sizeof(isc_sha256_t));
+}
+
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */
context->bitcount[0] = context->bitcount[1] = 0;
}
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+ memset(context, 0, sizeof(isc_sha512_t));
+}
+
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */
context->bitcount[0] = context->bitcount[1] = 0;
}
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+ memset(context, 0, sizeof(isc_sha384_t));
+}
+
void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
isc_sha512_update((isc_sha512_t *)context, data, len);