Reject incorrect RSA key lengths during key generation and and sign/verify context creation (#45043)
(cherry picked from commit 239e9dc81c) (cherry picked from commit 264e17e739) (cherry picked from commit 2540059b7b)
This commit is contained in:
parent
4973497287
commit
4cf12b3916
2 changed files with 58 additions and 0 deletions
4
CHANGES
4
CHANGES
|
|
@ -1,3 +1,7 @@
|
|||
4601. [bug] Reject incorrect RSA key lengths during key
|
||||
generation and and sign/verify context
|
||||
creation. [RT #45043]
|
||||
|
||||
4599. [bug] Fix inconsistencies in inline signing time
|
||||
comparison that were introduced with the
|
||||
introduction of rdatasetheader->resign_lsb.
|
||||
@ -260,6 +260,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
|
|||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
|
||||
dctx->key->key_alg == DST_ALG_RSASHA512);
|
||||
|
||||
/*
|
||||
* Reject incorrect RSA key lengths.
|
||||
*/
|
||||
switch (dctx->key->key_alg) {
|
||||
case DST_ALG_RSAMD5:
|
||||
case DST_ALG_RSASHA1:
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
/* From RFC 3110 */
|
||||
if (dctx->key->key_size > 4096)
|
||||
return (ISC_R_FAILURE);
|
||||
break;
|
||||
case DST_ALG_RSASHA256:
|
||||
/* From RFC 5702 */
|
||||
if ((dctx->key->key_size < 512) ||
|
||||
(dctx->key->key_size > 4096))
|
||||
return (ISC_R_FAILURE);
|
||||
break;
|
||||
case DST_ALG_RSASHA512:
|
||||
/* From RFC 5702 */
|
||||
if ((dctx->key->key_size < 1024) ||
|
||||
(dctx->key->key_size > 4096))
|
||||
return (ISC_R_FAILURE);
|
||||
break;
|
||||
default:
|
||||
INSIST(0);
|
||||
}
|
||||
|
||||
#if USE_EVP
|
||||
evp_md_ctx = EVP_MD_CTX_create();
|
||||
if (evp_md_ctx == NULL)
|
||||
@ -913,6 +940,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|||
EVP_PKEY *pkey = EVP_PKEY_new();
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Reject incorrect RSA key lengths.
|
||||
*/
|
||||
switch (key->key_alg) {
|
||||
case DST_ALG_RSAMD5:
|
||||
case DST_ALG_RSASHA1:
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
/* From RFC 3110 */
|
||||
if (key->key_size > 4096)
|
||||
goto err;
|
||||
break;
|
||||
case DST_ALG_RSASHA256:
|
||||
/* From RFC 5702 */
|
||||
if ((key->key_size < 512) ||
|
||||
(key->key_size > 4096))
|
||||
goto err;
|
||||
break;
|
||||
case DST_ALG_RSASHA512:
|
||||
/* From RFC 5702 */
|
||||
if ((key->key_size < 1024) ||
|
||||
(key->key_size > 4096))
|
||||
goto err;
|
||||
break;
|
||||
default:
|
||||
INSIST(0);
|
||||
}
|
||||
|
||||
if (rsa == NULL || e == NULL || cb == NULL)
|
||||
goto err;
|
||||
#if USE_EVP
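Review bot: The RSA key-length table is written out twice — once in opensslrsa_createctx() (the switch in the -260,6 +260,33 hunk) and again, byte for byte apart from `return (ISC_R_FAILURE)` versus `goto err`, in opensslrsa_generate() — so a later change to one bound can silently drift from the other; a single static helper that both sites call keeps the RFC limits in one place. The RFC 3110 branch imposes only an upper bound, so a very short RSAMD5/RSASHA1/NSEC3RSASHA1 modulus still passes both checks; if that is deliberate because RFC 3110 states no minimum, a sentence in the `/* From RFC 3110 */` comment saying so would stop the asymmetry from reading as an omission. In opensslrsa_generate() the new check runs after `EVP_PKEY_new()` and, judging by the `rsa == NULL || e == NULL || cb == NULL` test that follows, after the RSA/BIGNUM objects are allocated, so rejection relies on the `err:` label outside the hunk to release them; moving the check ahead of those allocations would avoid that round trip, assuming nothing earlier needs cleanup. Both enclosing functions begin and end outside the hunks.
```c
/*
 * Reject incorrect RSA key lengths (RFC 3110, RFC 5702).
 * Shared by opensslrsa_createctx() and opensslrsa_generate().
 */
static isc_result_t
opensslrsa_check_key_size(unsigned int alg, unsigned int size) {
	switch (alg) {
	case DST_ALG_RSAMD5:
	case DST_ALG_RSASHA1:
	case DST_ALG_NSEC3RSASHA1:
		/* From RFC 3110: upper bound only */
		if (size > 4096)
			return (ISC_R_FAILURE);
		break;
	case DST_ALG_RSASHA256:
		/* From RFC 5702 */
		if (size < 512 || size > 4096)
			return (ISC_R_FAILURE);
		break;
	case DST_ALG_RSASHA512:
		/* From RFC 5702 */
		if (size < 1024 || size > 4096)
			return (ISC_R_FAILURE);
		break;
	default:
		INSIST(0);
	}
	return (ISC_R_SUCCESS);
}

/* … in opensslrsa_createctx(), replacing the inline switch … */
	if (opensslrsa_check_key_size(dctx->key->key_alg,
				      dctx->key->key_size) != ISC_R_SUCCESS)
		return (ISC_R_FAILURE);

/* … in opensslrsa_generate(), replacing the inline switch … */
	if (opensslrsa_check_key_size(key->key_alg, key->key_size) !=
	    ISC_R_SUCCESS)
		goto err;
```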