ki->algo = dnskey.algorithm;
dns_rdata_toregion(keyrdata, &r);
- ki->tag = dst_region_computeid(&r, ki->algo);
+ ki->tag = dst_region_computeid(&r);
ki->dst = NULL;
if (!match_key_dsset(ki, dsset, strictness)) {
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
- " RSA | RSAMD5 | DH | RSASHA1 |\n"
+ " DH | RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fatal("no algorithm specified");
}
- if (strcasecmp(algname, "RSA") == 0) {
- fprintf(stderr, "The use of RSA (RSAMD5) is not "
- "recommended.\nIf you still wish to "
- "use RSA (RSAMD5) please specify "
- "\"-a RSAMD5\"\n");
- if (freeit != NULL)
- free(freeit);
- return (1);
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
- if (ret != ISC_R_SUCCESS)
- fatal("unknown algorithm %s", algname);
- if (alg == DST_ALG_DH)
- options |= DST_TYPE_KEY;
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS) {
+ fatal("unknown algorithm %s", algname);
+ }
+ if (alg == DST_ALG_DH) {
+ options |= DST_TYPE_KEY;
}
if (use_nsec3) {
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+ <option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
- fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
- " |\n");
+ fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
- fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fatal("no algorithm specified");
}
- if (strcasecmp(algname, "RSA") == 0) {
- fprintf(stderr, "The use of RSA (RSAMD5) is not "
- "recommended.\nIf you still wish to "
- "use RSA (RSAMD5) please specify "
- "\"-a RSAMD5\"\n");
- INSIST(freeit == NULL);
- return (1);
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
- if (ret != ISC_R_SUCCESS) {
- fatal("unknown algorithm %s", algname);
- }
- if (alg == DST_ALG_DH) {
- options |= DST_TYPE_KEY;
- }
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS) {
+ fatal("unknown algorithm %s", algname);
+ }
+ if (alg == DST_ALG_DH) {
+ options |= DST_TYPE_KEY;
}
if (!dst_algorithm_supported(alg)) {
}
switch (alg) {
- case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
}
switch(alg) {
- case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
- of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+ of <option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
- if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
+ if (removefile) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
keystruct.datalen = r.length;
keystruct.data = r.base;
- if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
- keystruct.algorithm == DST_ALG_RSAMD5) &&
+ if ((keystruct.algorithm == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"%s key '%s' has a weak exponent",
dns_rdata_toregion(&rdata, &r);
isc_region_consume(&r, 12);
- keyid = dst_region_computeid(&r, kd.algorithm);
+ keyid = dst_region_computeid(&r);
snprintf(buf, sizeof(buf), "\n keyid: %u", keyid);
CHECK(putstr(text, buf));
return t
def t_ALGNAME(self, t):
- r'(?i)\b(RSAMD5|DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
+ r'(?i)\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
keyttl = None
coverage = None
directory = None
- valid_key_sz_per_algo = {'RSAMD5': [1024, 4096],
- 'RSASHA1': [1024, 4096],
+ valid_key_sz_per_algo = {'RSASHA1': [1024, 4096],
'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096],
'RSASHA512': [1024, 4096],
# set default algorithm policies
# these can use default settings
- self.alg_policy['RSAMD5'] = copy(p)
- self.alg_policy['RSAMD5'].algorithm = "RSAMD5"
- self.alg_policy['RSAMD5'].name = "RSAMD5"
-
self.alg_policy['RSASHA1'] = copy(p)
self.alg_policy['RSASHA1'].algorithm = "RSASHA1"
self.alg_policy['RSASHA1'].name = "RSASHA1"
} else {
isc_buffer_usedregion(&b, &r);
- if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+ if ((alg == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
"%s key '%s' has a weak exponent",
ds.common.rdclass = key->rdclass;
ds.common.rdtype = dns_rdatatype_ds;
ds.algorithm = r.base[3];
- ds.key_tag = dst_region_computeid(&r, ds.algorithm);
+ ds.key_tag = dst_region_computeid(&r);
ds.digest_type = digest_type;
ds.digest = digest;
ds.length = digestlen;
RETERR(dst__openssl_init(mctx, engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#if USE_OPENSSL
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
- DST_ALG_RSAMD5));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
#if USE_PKCS11
RETERR(dst__pkcs11_init(mctx, engine));
- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
proto = isc_buffer_getuint8(source);
alg = isc_buffer_getuint8(source);
- id = dst_region_computeid(&r, alg);
- rid = dst_region_computerid(&r, alg);
+ id = dst_region_computeid(&r);
+ rid = dst_region_computerid(&r);
if ((flags & DNS_KEYFLAG_EXTENDED) != 0) {
if (isc_buffer_remaininglength(source) < 2)
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (false);
- if (key1->key_alg == DST_ALG_RSAMD5)
- return (false);
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (false);
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
return (ret);
isc_buffer_usedregion(&dnsbuf, &r);
- key->key_id = dst_region_computeid(&r, key->key_alg);
- key->key_rid = dst_region_computerid(&r, key->key_alg);
+ key->key_id = dst_region_computeid(&r);
+ key->key_rid = dst_region_computerid(&r);
return (ISC_R_SUCCESS);
}
for (j = 0; j < priv->nelements; j++) {
for (i = 0; i < RSA_NTAGS; i++)
- if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
+ if (priv->elements[j].tag == TAG(DST_ALG_RSA, i))
break;
if (i == RSA_NTAGS)
return (-1);
{
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
- case DST_ALG_RSAMD5:
+ case DST_ALG_RSA:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
- case DST_ALG_RSAMD5:
- fprintf(fp, "(RSA)\n");
- break;
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
#define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT)
#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
-/* These are used by both RSA-MD5 and RSA-SHA1 */
+/* These are used by RSA-SHA1, RSASHA256 and RSASHA512 */
#define RSA_NTAGS 11
-#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
-#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
-#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
-#define TAG_RSA_PRIME1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
-#define TAG_RSA_PRIME2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
-#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
-#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
-#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
-#define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
-#define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
+#define TAG_RSA_MODULUS ((DST_ALG_RSA << TAG_SHIFT) + 0)
+#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 1)
+#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 2)
+#define TAG_RSA_PRIME1 ((DST_ALG_RSA << TAG_SHIFT) + 3)
+#define TAG_RSA_PRIME2 ((DST_ALG_RSA << TAG_SHIFT) + 4)
+#define TAG_RSA_EXPONENT1 ((DST_ALG_RSA << TAG_SHIFT) + 5)
+#define TAG_RSA_EXPONENT2 ((DST_ALG_RSA << TAG_SHIFT) + 6)
+#define TAG_RSA_COEFFICIENT ((DST_ALG_RSA << TAG_SHIFT) + 7)
+#define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8)
+#define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9)
#define DH_NTAGS 4
#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5
+#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
#define DNS_KEYALG_NSEC3DSA 6
/* DST algorithm codes */
#define DST_ALG_UNKNOWN 0
+#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
#define DST_ALG_RSAMD5 1
-#define DST_ALG_RSA DST_ALG_RSAMD5 /*%< backwards compatibility */
#define DST_ALG_DH 2
#define DST_ALG_DSA 3
#define DST_ALG_ECC 4
*/
uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg);
+dst_region_computeid(const isc_region_t *source);
uint16_t
-dst_region_computerid(const isc_region_t *source, unsigned int alg);
+dst_region_computerid(const isc_region_t *source);
/*%<
* Computes the (revoked) key id of the key stored in the provided
- * region with the given algorithm.
+ * region.
*
* Requires:
*\li "source" contains a valid, non-NULL region.
#include "dst_internal.h"
uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg) {
+dst_region_computeid(const isc_region_t *source) {
uint32_t ac;
const unsigned char *p;
int size;
p = source->base;
size = source->length;
- if (alg == DST_ALG_RSAMD5)
- return ((p[size - 3] << 8) + p[size - 2]);
-
for (ac = 0; size > 1; size -= 2, p += 2)
ac += ((*p) << 8) + *(p + 1);
}
uint16_t
-dst_region_computerid(const isc_region_t *source, unsigned int alg) {
+dst_region_computerid(const isc_region_t *source) {
uint32_t ac;
const unsigned char *p;
int size;
p = source->base;
size = source->length;
- if (alg == DST_ALG_RSAMD5)
- return ((p[size - 3] << 8) + p[size - 2]);
-
ac = ((*p) << 8) + *(p + 1);
ac |= DNS_KEYFLAG_REVOKE;
for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
const EVP_MD *type = NULL;
UNUSED(key);
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
return (ISC_R_NOMEMORY);
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
- type = EVP_md5(); /* MD5 + RSA */
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
opensslrsa_destroyctx(dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
RSA *rsa;
int bits;
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
isc_result_t ret;
unsigned int i;
- REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
- key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
token_key:
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
- mech.mechanism = CKM_MD5_RSA_PKCS;
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
isc_result_t ret;
unsigned int i;
- REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
- key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
ISC_R_FAILURE);
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
- mech.mechanism = CKM_MD5_RSA_PKCS;
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
pk11_context_t *pk11_ctx;
isc_result_t ret;
- REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
- key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
}
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
- mech.mechanism = CKM_MD5;
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA_1;
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
- REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
- key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
}
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
- der = md5_der;
- derlen = sizeof(md5_der);
- hashlen = ISC_MD5_DIGESTLENGTH;
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
- REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
- key->key_alg == DST_ALG_RSASHA1 ||
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
REQUIRE(rsa != NULL);
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
- der = md5_der;
- derlen = sizeof(md5_der);
- hashlen = ISC_MD5_DIGESTLENGTH;
- break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
- case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
#define SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
- { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
if (result != ISC_R_SUCCESS)
return (result);
- /* Ensure there's at least enough data to compute a key ID for MD5 */
- if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
- return (ISC_R_UNEXPECTEDEND);
-
return (ISC_R_SUCCESS);
}
} else {
dns_rdata_toregion(rdata, &tmpr);
snprintf(buf, sizeof(buf), "[key id = %u]",
- dst_region_computeid(&tmpr, algorithm));
+ dst_region_computeid(&tmpr));
RETERR(str_totext(buf, target));
}
RETERR(str_totext(" ; key id = ", target));
dns_rdata_toregion(rdata, &tmpr);
snprintf(buf, sizeof(buf), "%u",
- dst_region_computeid(&tmpr, algorithm));
+ dst_region_computeid(&tmpr));
RETERR(str_totext(buf, target));
}
return (ISC_R_SUCCESS);
RETERR(dns_name_fromwire(&name, source, dctx, options, target));
}
- /*
- * RSAMD5 computes key ID differently from other
- * algorithms: we need to ensure there's enough data
- * present for the computation
- */
- if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
- return (ISC_R_UNEXPECTEDEND);
-
isc_buffer_activeregion(source, &sr);
isc_buffer_forward(source, sr.length);
return (mem_tobuffer(target, sr.base, sr.length));
if (result != ISC_R_SUCCESS)
return (result);
- /* Ensure there's at least enough data to compute a key ID for MD5 */
- if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19)
- return (ISC_R_UNEXPECTEDEND);
-
return (ISC_R_SUCCESS);
}
/* Skip over refresh, addhd, and removehd */
isc_region_consume(&tmpr, 12);
snprintf(buf, sizeof(buf), "%u",
- dst_region_computeid(&tmpr, algorithm));
+ dst_region_computeid(&tmpr));
RETERR(str_totext(buf, target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
--- /dev/null
+/zone.data
dns_secalg_t alg;
bool expect;
} testcases[] = {
- /* XXXOND: Why isn't this failing? */
{
"testdata/dst/test1.data",
"testdata/dst/test1.ecdsa256sig",
0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81
};
-static unsigned char sigmd5[256] = {
- 0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7,
- 0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93,
- 0x19, 0xf7, 0x22, 0xa9, 0x55, 0xbe, 0x70, 0x3c,
- 0x87, 0x24, 0x8a, 0x7e, 0xa7, 0x59, 0x58, 0xd3,
- 0x0e, 0x7c, 0x50, 0x3c, 0x81, 0x0f, 0x7a, 0x2b,
- 0xb1, 0x94, 0x21, 0x87, 0xe4, 0x87, 0xcd, 0x2b,
- 0xb9, 0xf1, 0xb8, 0x26, 0xc1, 0x02, 0xf4, 0x30,
- 0x83, 0x41, 0x89, 0x61, 0xcc, 0x3d, 0xe3, 0x0f,
- 0xec, 0x4a, 0x74, 0x95, 0x10, 0x65, 0xac, 0xd1,
- 0xf5, 0x95, 0xe9, 0x99, 0xa8, 0x45, 0x98, 0x99,
- 0xb5, 0xfd, 0x7a, 0x78, 0x80, 0xe5, 0x00, 0x33,
- 0xa5, 0x54, 0xe5, 0xa3, 0xc0, 0x1b, 0x6c, 0xb9,
- 0x77, 0x52, 0x6f, 0xe5, 0x85, 0xa8, 0xfa, 0x45,
- 0x78, 0x49, 0x14, 0xa0, 0x10, 0x58, 0x40, 0x80,
- 0x90, 0xc6, 0x55, 0x52, 0x6d, 0x46, 0x58, 0x50,
- 0x3d, 0x5e, 0x40, 0x25, 0x51, 0x7c, 0xc4, 0x12,
- 0x87, 0x2d, 0x7b, 0x10, 0xcd, 0x80, 0xec, 0x5d,
- 0x27, 0x15, 0x09, 0x37, 0x1f, 0xa7, 0x86, 0x15,
- 0xd1, 0xdd, 0xf1, 0x86, 0x1e, 0x42, 0x3a, 0xf9,
- 0x5a, 0xed, 0x33, 0x07, 0xa9, 0x98, 0x08, 0x79,
- 0xc5, 0xa4, 0x09, 0x95, 0x6e, 0x12, 0xfe, 0xee,
- 0x49, 0x61, 0xe0, 0x99, 0xaa, 0x34, 0xa5, 0xca,
- 0x82, 0xd3, 0x9b, 0x1c, 0x5b, 0x79, 0xf5, 0x0e,
- 0x2c, 0x6c, 0x3b, 0x48, 0xd1, 0xbc, 0xd0, 0xda,
- 0x73, 0xba, 0xe1, 0x81, 0x48, 0x27, 0x39, 0x2f,
- 0x98, 0x77, 0x08, 0xb3, 0xf7, 0x38, 0x28, 0x6d,
- 0x02, 0x56, 0xfa, 0x31, 0xbb, 0x14, 0x81, 0x6b,
- 0x3c, 0x24, 0xa2, 0x68, 0x7a, 0x0a, 0x53, 0xbd,
- 0x9d, 0x57, 0xd0, 0x99, 0x10, 0x28, 0x78, 0x69,
- 0x31, 0x93, 0xa4, 0x73, 0x8d, 0x1a, 0xe4, 0xdc,
- 0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95,
- 0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4
-};
-
static unsigned char sigsha256[256] = {
0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d,
0x53, 0x24, 0x5b, 0x5a, 0x8e, 0xd0, 0xbe, 0x5e,
dst_context_destroy(&ctx);
- /* RSAMD5 */
-
- key->key_alg = DST_ALG_RSAMD5;
-
- ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
- false, 0, &ctx);
- assert_int_equal(ret, ISC_R_SUCCESS);
-
- r.base = d;
- r.length = 10;
- ret = dst_context_adddata(ctx, &r);
- assert_int_equal(ret, ISC_R_SUCCESS);
-
- r.base = sigmd5;
- r.length = 256;
- ret = dst_context_verify(ctx, &r);
- assert_int_equal(ret, ISC_R_SUCCESS);
-
- dst_context_destroy(&ctx);
-
/* RSASHA256 */
key->key_alg = DST_ALG_RSASHA256;
return (0);
}
-#endif
+#endif /* HAVE_CMOCKA */
}
static dns_keytag_t
-compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+compute_keytag(dns_rdata_t *rdata) {
isc_region_t r;
dns_rdata_toregion(rdata, &r);
- return (dst_region_computeid(&r, key->algorithm));
+ return (dst_region_computeid(&r));
}
/*%
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(&rdata, &key);
+ keytag = compute_keytag(&rdata);
for (result = dns_rdataset_first(sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(sigrdataset))
dns_rdataset_current(rdataset, keyrdata);
result = dns_rdata_tostruct(keyrdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(keyrdata, &key);
+ keytag = compute_keytag(keyrdata);
if (keyid != keytag || algorithm != key.algorithm)
continue;
dns_rdata_reset(&newdsrdata);
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
isc_result_t result;
- bool logit, foundrsa = false, foundmd5 = false;
+ bool logit, foundrsa = false;
const char *algorithm;
result = dns_db_findnode(db, &zone->origin, false, &node);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
INSIST(result == ISC_R_SUCCESS);
- if ((dnskey.algorithm == DST_ALG_RSASHA1 ||
- dnskey.algorithm == DST_ALG_RSAMD5) &&
- dnskey.datalen > 1 && dnskey.data[0] == 1 &&
- dnskey.data[1] == 3)
+ /* RFC 3110, section 4: Performance Considerations:
+ *
+ * A public exponent of 3 minimizes the effort needed to verify
+ * a signature. Use of 3 as the public exponent is weak for
+ * confidentiality uses since, if the same data can be collected
+ * encrypted under three different keys with an exponent of 3
+ * then, using the Chinese Remainder Theorem [NETSEC], the
+ * original plain text can be easily recovered. If a key is
+ * known to be used only for authentication, as is the case with
+ * DNSSEC, then an exponent of 3 is acceptable. However other
+ * applications in the future may wish to leverage DNS
+ * distributed keys for applications that do require
+ * confidentiality. For keys which might have such other uses,
+ * a more conservative choice would be 65537 (F4, the fourth
+ * fermat number).
+ */
+ if (dnskey.algorithm == DST_ALG_RSASHA1 &&
+ dnskey.datalen > 1 && dnskey.data[0] == 1 &&
+ dnskey.data[1] == 3)
{
if (dnskey.algorithm == DST_ALG_RSASHA1) {
logit = !foundrsa;
foundrsa = true;
algorithm = "RSASHA1";
- } else {
- logit = !foundmd5;
- foundmd5 = true;
- algorithm = "RSAMD5";
}
- if (logit)
+ if (logit) {
dns_zone_log(zone, ISC_LOG_WARNING,
"weak %s (%u) key found "
"(exponent=3)", algorithm,
dnskey.algorithm);
- if (foundrsa && foundmd5)
- break;
+ }
}
dns_rdata_reset(&rdata);
}
dns_rdata_toregion(&tuple->rdata, &r);
- keyid = dst_region_computeid(&r, dnskey.algorithm);
+ keyid = dst_region_computeid(&r);
buf[0] = dnskey.algorithm;
buf[1] = (keyid & 0xff00) >> 8;
continue;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
+ if (alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
if (tuple->rdata.type == dns_rdatatype_dnskey) {
uint8_t alg;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
+ if (alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
dns_rdata_toregion(&tuple->rdata, &r);
- keyid = dst_region_computeid(&r, dnskey.algorithm);
+ keyid = dst_region_computeid(&r);
buf[0] = dnskey.algorithm;
buf[1] = (keyid & 0xff00) >> 8;
dns_rdata_toregion(&tuple->rdata, &r);
algorithm = dnskey.algorithm;
- keyid = dst_region_computeid(&r, algorithm);
+ keyid = dst_region_computeid(&r);
result = dns_zone_signwithkey(zone, algorithm, keyid,
(tuple->op == DNS_DIFFOP_DEL));
projects / thirdparty / bind9.git / commitdiff
