From: Mark Andrews Date: Mon, 29 Sep 2014 00:18:54 +0000 (+1000) Subject: 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 X-Git-Tag: v9.11.0a1~1378^2~12 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=80169c379dd4e0a6e164b7cac4bf5fa013c91138;p=thirdparty%2Fbind9.git 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384. [RT #37183] --- diff --git a/CHANGES b/CHANGES index cfdbcae7bda..2e2f9865e8a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 + and ECDSAP384SHA384. [RT #37183] + 3956. [func] Notify messages are now rate limited by notify-rate and startup-notify-rate instead of serial-query-rate. [RT #24454] diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index a46d38218b4..167dc45f5d7 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -552,6 +552,9 @@ main(int argc, char **argv) { options |= DST_TYPE_KEY; } + if (!dst_algorithm_supported(alg)) + fatal("unsupported algorithm: %d", alg); + if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && @@ -719,8 +722,13 @@ main(int argc, char **argv) { fatal("invalid DSS key size: %d", size); break; case DST_ALG_ECCGOST: + size = 256; + break; case DST_ALG_ECDSA256: + size = 256; + break; case DST_ALG_ECDSA384: + size = 384; break; case DST_ALG_HMACMD5: options |= DST_TYPE_KEY; diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 2e20d835d49..f53e9580ef5 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -74,3 +74,5 @@ rm -f ns4/named_dump.db rm -f ns3/badds.example.db rm -f delve.out* rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit +rm -f Kexample.* +rm -f keygen.err diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 2c10e086a69..8ebb43e2a8b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -2640,5 +2640,52 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg = 256 +do + size= + case $alg in + 1) size="-b 512";; + 2) # Diffie Helman + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; + 5) size="-b 512";; + 6) size="-b 512";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; + 157|160|161|162|163|164|165) # private - non standard + alg=`expr $alg + 1` + continue;; + esac + key1=`$KEYGEN -a $alg $size -n zone -r /dev/urandom example 2> keygen.err` + if grep "unsupported algorithm" keygen.err > /dev/null + then + alg=`expr $alg + 1` + continue + fi + if test -z "$key1" + then + echo "I: '$KEYGEN -a $alg': failed" + cat keygen.err + ret=1 + alg=`expr $alg + 1` + continue + fi + $SETTIME -I now+4d $key1.private > /dev/null + key2=`$KEYGEN -v 10 -r /dev/urandom -i 3d -S $key1.private 2> /dev/null` + test -f $key2.key -a -f $key2.private || { + ret=1 + echo "I: 'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=`expr $alg + 1` +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 696400c6c7b..b881880c7d8 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -295,10 +295,13 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { UNUSED(unused); UNUSED(callback); - if (key->key_alg == DST_ALG_ECDSA256) + if (key->key_alg == DST_ALG_ECDSA256) { group_nid = NID_X9_62_prime256v1; - else + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + } else { group_nid = NID_secp384r1; + key->key_size = DNS_KEY_ECDSA384SIZE * 4; + } eckey = EC_KEY_new_by_curve_name(group_nid); if (eckey == NULL) @@ -433,6 +436,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, len); key->keydata.pkey = pkey; + key->key_size = len * 4; ret = ISC_R_SUCCESS; err: @@ -571,6 +575,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } key->keydata.pkey = pkey; + if (key->key_alg == DST_ALG_ECDSA256) + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + else + key->key_size = DNS_KEY_ECDSA384SIZE * 4; ret = ISC_R_SUCCESS; err: diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c index c6a7bcdbbc8..23996487368 100644 --- a/lib/dns/opensslgost_link.c +++ b/lib/dns/opensslgost_link.c @@ -251,6 +251,7 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) { DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; + key->key_size = EVP_PKEY_bits(pkey); EVP_PKEY_CTX_free(ctx); return (ISC_R_SUCCESS); @@ -336,6 +337,7 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) { return (dst__openssl_toresult2("d2i_PUBKEY", DST_R_OPENSSLFAILURE)); key->keydata.pkey = pkey; + key->key_size = EVP_PKEY_bits(pkey); return (ISC_R_SUCCESS); } diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index 7925259f28a..d57be91970a 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -562,6 +562,11 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { memset(pk11_ctx, 0, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); + if (key->key_alg == DST_ALG_ECDSA256) + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + else + key->key_size = DNS_KEY_ECDSA384SIZE * 4; + return (ISC_R_SUCCESS); err: @@ -716,6 +721,7 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, len); key->keydata.pkey = ec; + key->key_size = len * 4; return (ISC_R_SUCCESS); nomemory: @@ -1005,6 +1011,10 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); + if (key->key_alg == DST_ALG_ECDSA256) + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + else + key->key_size = DNS_KEY_ECDSA384SIZE * 4; return (ISC_R_SUCCESS); @@ -1127,6 +1137,10 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, key->label = isc_mem_strdup(key->mctx, label); if (key->label == NULL) DST_RET(ISC_R_NOMEMORY); + if (key->key_alg == DST_ALG_ECDSA256) + key->key_size = DNS_KEY_ECDSA256SIZE * 4; + else + key->key_size = DNS_KEY_ECDSA384SIZE * 4; pk11_return_session(pk11_ctx); memset(pk11_ctx, 0, sizeof(*pk11_ctx)); diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c index 8471a194c1c..1816d734de2 100644 --- a/lib/dns/pkcs11gost_link.c +++ b/lib/dns/pkcs11gost_link.c @@ -73,6 +73,7 @@ #define ISC_GOST_SIGNATURELENGTH 64 #define ISC_GOST_PUBKEYLENGTH 64 +#define ISC_GOST_KEYSIZE 256 /* HASH methods */ @@ -523,6 +524,7 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) { DST_RET(ISC_R_NOMEMORY); memset(gost, 0, sizeof(*gost)); key->keydata.pkey = gost; + key->key_size = ISC_GOST_KEYSIZE; gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); if (gost->repr == NULL) @@ -680,6 +682,7 @@ pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH); key->keydata.pkey = gost; + key->key_size = ISC_GOST_KEYSIZE; return (ISC_R_SUCCESS); nomemory: @@ -867,6 +870,7 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(ISC_R_NOMEMORY); memset(gost, 0, sizeof(*gost)); key->keydata.pkey = gost; + key->key_size = ISC_GOST_KEYSIZE; gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);