+2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
+ test. [RT #20453]
+
2737. [func] UPDATE requests can leak existance information.
[RT #17261]
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.23 2008/09/25 04:02:38 tbox Exp $
+# $Id: clean.sh,v 1.24 2009/10/27 22:25:37 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns2/private.secure.example.db
rm -f */example.bk
rm -f dig.out.*
-#!/bin/sh
+#!/bin/sh -e
#
# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.28 2009/07/19 04:18:04 each Exp $
+# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.19 2008/09/25 04:02:38 tbox Exp $
+; $Id: example.db.in,v 1.20 2009/10/27 22:25:37 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
ns.multiple A 10.53.0.3
*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
-#!/bin/sh
+#!/bin/sh -e
#
# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.33 2009/07/19 04:18:04 each Exp $
+# $Id: sign.sh,v 1.34 2009/10/27 22:25:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
( cd ../ns3 && sh sign.sh )
-for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown optout-unknown multiple
+for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
+ optout-unknown multiple rsasha256 rsasha512
do
cp ../ns3/dsset-$subdomain.example. .
done
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.33 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: named.conf,v 1.34 2009/10/27 22:25:37 marka Exp $ */
// NS3
file "rfc2335.example.bk";
};
+zone "rsasha256.example" {
+ type master;
+ file "rsasha256.example.db.signed";
+};
+
+zone "rsasha512.example" {
+ type master;
+ file "rsasha512.example.db.signed";
+};
+
include "trusted.conf";
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha256.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha512.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
-#!/bin/sh
+#!/bin/sh -e
#
# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.28 2009/09/25 06:47:50 each Exp $
+# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+
+#
+# A RSASHA256 zone.
+#
+zone=rsasha256.example.
+infile=rsasha256.example.db.in
+zonefile=rsasha256.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+
+#
+# A RSASHA512 zone.
+#
+zone=rsasha512.example.
+infile=rsasha512.example.db.in
+zonefile=rsasha512.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
-#!/bin/sh
+#!/bin/sh -e
#
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.16 2009/03/02 23:47:43 tbox Exp $
+# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $
../../../tools/genrandom 400 random.data
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.53 2008/09/25 04:02:38 tbox Exp $
+# $Id: tests.sh,v 1.54 2009/10/27 22:25:37 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.486 $)
+AC_REVISION($Revision: 1.487 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
else
AC_MSG_RESULT(no)
fi
+ AC_CHECK_FUNCS(EVP_sha256 EVP_sha512)
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
+
;;
esac
socklen_t, char *, socklen_t, unsigned int);],
[ return (0);],
[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)],
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
+ [Define to the buffer length type used by getnameinfo(3).])
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ [Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
#include <sys/socket.h>
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.44 2009/10/24 09:46:18 fdupont Exp $
+ * $Id: dst_api.c,v 1.45 2009/10/27 22:25:37 marka Exp $
*/
/*! \file */
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
RETERR(dst__openssl_init(engine));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
+ DST_ALG_RSAMD5));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
+ DST_ALG_RSASHA1));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
+ DST_ALG_NSEC3RSASHA1));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
+ DST_ALG_RSASHA256));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
+ DST_ALG_RSASHA512));
#ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.22 2009/10/24 09:46:19 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.23 2009/10/27 22:25:37 marka Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
-isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
+isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
+ unsigned char algorithm);
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__gssapi_init(struct dst_func **funcp);
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.33 2009/10/24 09:46:19 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.34 2009/10/27 22:25:37 marka Exp $
*/
#ifdef OPENSSL
+#include <config.h>
+
#ifndef USE_EVP
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
+#define USE_EVP 0
+#else
#define USE_EVP 1
#endif
+#endif
-#include <config.h>
#include <isc/entropy.h>
#include <isc/md5.h>
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
-#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
-/*
- * OpenSSL 0.9.7 doesn't support SHA2.
- * Provide the method functions we need.
- */
-
-/*
- * Use our namespace, not OpenSSL's.
- */
-#define EVP_sha256 ISC_EVP_sha256
-#define EVP_sha512 ISC_EVP_sha512
-
-/*
- * OpensSSL 0.9.8 defines these.
- */
-#if 0
-#define NID_sha256WithRSAEncryption 668
-#define NID_sha256 672
-#define NID_sha512WithRSAEncryption 670
-#define NID_sha512 674
-#else
-#define NID_sha256WithRSAEncryption 0
-#define NID_sha256 0
-#define NID_sha512WithRSAEncryption 0
-#define NID_sha512 0
-#endif
-
-static int init256(EVP_MD_CTX *ctx)
- { isc_sha256_init(ctx->md_data); return 1; }
-static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
- { isc_sha256_update(ctx->md_data,data,count); return 1; }
-static int final256(EVP_MD_CTX *ctx,unsigned char *md)
- { isc_sha256_final(md,ctx->md_data); return 1; }
-
-static const EVP_MD sha256_md=
- {
- NID_sha256,
- NID_sha256WithRSAEncryption,
- ISC_SHA256_DIGESTLENGTH,
- 0,
- init256,
- update256,
- final256,
- NULL,
- NULL,
- EVP_PKEY_RSA_method,
- ISC_SHA256_BLOCK_LENGTH,
- sizeof(EVP_MD *)+sizeof(isc_sha256_t),
- };
-
-static const EVP_MD *EVP_sha256(void)
- { return(&sha256_md); }
-
-static int init512(EVP_MD_CTX *ctx)
- { isc_sha512_init(ctx->md_data); return 1; }
-static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
- { isc_sha512_update(ctx->md_data,data,count); return 1; }
-static int final512(EVP_MD_CTX *ctx,unsigned char *md)
- { isc_sha512_final(md,ctx->md_data); return 1; }
-
-static const EVP_MD sha512_md=
- {
- NID_sha512,
- NID_sha512WithRSAEncryption,
- ISC_SHA512_DIGESTLENGTH,
- 0,
- init512,
- update512,
- final512,
- NULL,
- NULL,
- EVP_PKEY_RSA_method,
- ISC_SHA512_BLOCK_LENGTH,
- sizeof(EVP_MD *)+sizeof(isc_sha512_t),
- };
-
-static const EVP_MD *EVP_sha512(void)
- { return(&sha512_md); }
-#endif
-
static isc_result_t
opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#if USE_EVP
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
break;
+#ifdef HAVE_EVP_SHA256
case DST_ALG_RSASHA256:
type = EVP_sha256(); /* SHA256 + RSA */
break;
+#endif
+#ifdef HAVE_EVP_SHA512
case DST_ALG_RSASHA512:
type = EVP_sha512();
break;
+#endif
default:
INSIST(0);
}
return (ISC_R_SUCCESS);
}
+#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
+/*
+ * Digest prefixes from RFC XXXX (draft-ietf-dnsext-dnssec-rsasha256-14).
+ */
+static unsigned char sha256_prefix[] =
+ { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+static unsigned char sha512_prefix[] =
+ { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+#define PREFIXLEN sizeof(sha512_prefix)
+#else
+#define PREFIXLEN 0
+#endif
+
static isc_result_t
opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
dst_key_t *key = dctx->key;
#else
RSA *rsa = key->keydata.rsa;
/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
- unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+ unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
int status;
int type = 0;
unsigned int digestlen = 0;
unsigned long err;
const char* file;
int line;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ unsigned int prefixlen = 0;
+ const unsigned char *prefix = NULL;
+#endif
#endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
- type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ prefix = sha256_prefix;
+ prefixlen = sizeof(sha256_prefix);
+#else
+ type = NID_sha256;
+#endif
}
break;
case DST_ALG_RSASHA512:
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
- type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ prefix = sha512_prefix;
+ prefixlen = sizeof(sha512_prefix);
+#else
+ type = NID_sha512;
+#endif
}
break;
default:
INSIST(0);
}
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ INSIST(type != 0);
+ status = RSA_sign(type, digest, digestlen, r.base,
+ &siglen, rsa);
+ break;
+
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ INSIST(prefix != NULL);
+ INSIST(prefixlen != 0);
+ INSIST(prefixlen + digestlen <= sizeof(digest));
+
+ memmove(digest + prefixlen, digest, digestlen);
+ memcpy(digest, prefix, prefixlen);
+ status = RSA_private_encrypt(digestlen + prefixlen,
+ digest, r.base, rsa,
+ RSA_PKCS1_PADDING);
+ if (status < 0)
+ status = 0;
+ else
+ siglen = status;
+ break;
+
+ default:
+ INSIST(0);
+ }
+#else
+ INSIST(type != 0);
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
+#endif
if (status == 0) {
err = ERR_peek_error_line(&file, &line);
if (err != 0U) {
int type = 0;
unsigned int digestlen = 0;
RSA *rsa = key->keydata.rsa;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ unsigned int prefixlen = 0;
+ const unsigned char *prefix = NULL;
+#endif
#endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
- type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ prefix = sha256_prefix;
+ prefixlen = sizeof(sha256_prefix);
+#else
+ type = NID_sha256;
+#endif
}
break;
case DST_ALG_RSASHA512:
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
- type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ prefix = sha512_prefix;
+ prefixlen = sizeof(sha512_prefix);
+#else
+ type = NID_sha512;
+#endif
}
break;
default:
INSIST(0);
}
- if (sig->length < (unsigned int) RSA_size(rsa))
+ if (sig->length != (unsigned int) RSA_size(rsa))
return (DST_R_VERIFYFAILURE);
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ INSIST(type != 0);
+ status = RSA_verify(type, digest, digestlen, sig->base,
+ RSA_size(rsa), rsa);
+ break;
+
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ {
+ /*
+ * 1024 is big enough for all valid RSA bit sizes
+ * for use with DNSSEC.
+ */
+ unsigned char original[PREFIXLEN + 1024];
+
+ INSIST(prefix != NULL);
+ INSIST(prefixlen != 0U);
+
+ if (RSA_size(rsa) > (int)sizeof(original))
+ return (DST_R_VERIFYFAILURE);
+
+ status = RSA_public_decrypt(sig->length, sig->base,
+ original, rsa,
+ RSA_PKCS1_PADDING);
+ if (status <= 0)
+ return (DST_R_VERIFYFAILURE);
+ if (status != (int)(prefixlen + digestlen))
+ return (DST_R_VERIFYFAILURE);
+ if (memcmp(original, prefix, prefixlen))
+ return (DST_R_VERIFYFAILURE);
+ if (memcmp(original + prefixlen, digest, digestlen))
+ return (DST_R_VERIFYFAILURE);
+ status = 1;
+ }
+ break;
+
+ default:
+ INSIST(0);
+ }
+#else
+ INSIST(type != 0);
status = RSA_verify(type, digest, digestlen, sig->base,
- RSA_size(rsa), rsa);
+ RSA_size(rsa), rsa);
+#endif
#endif
if (status != 1)
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
};
isc_result_t
-dst__opensslrsa_init(dst_func_t **funcp) {
+dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &opensslrsa_functions;
+
+ if (*funcp == NULL) {
+ switch (algorithm) {
+ case DST_ALG_RSASHA256:
+#if defined(HAVE_EVP_SHA256) || !USE_EVP
+ *funcp = &opensslrsa_functions;
+#endif
+ break;
+ case DST_ALG_RSASHA512:
+#if defined(HAVE_EVP_SHA512) || !USE_EVP
+ *funcp = &opensslrsa_functions;
+#endif
+ break;
+ default:
+ *funcp = &opensslrsa_functions;
+ break;
+ }
+ }
return (ISC_R_SUCCESS);
}
projects / thirdparty / bind9.git / commitdiff
