mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-27 04:43:08 -04:00
Merge branch '22-remove-DSA-algorithm' into 'master'
Remove support for obsoleted and insecure DSA and DSA-NSEC3-SHA1 algorithms See merge request isc-projects/bind9!348
This commit is contained in:
Ondřej Surý
commit
4ec0f300a4
36 changed files with 155 additions and 2064 deletions
3
CHANGES
3
CHANGES
|
|
@ -1,3 +1,6 @@
|
|||
5045. [cleanup] Remove support for DNSSEC algorithms 3 (DSA)
|
||||
and 6 (DSA-NSEC3-SHA1). [GL #22]
|
||||
|
||||
5044. [cleanup] If "dnssec-enable" is no, then "dnssec-validation"
|
||||
now also defaults to no. [GL #388]
|
||||
|
||||
|
|
|
|||
|
|
@ -299,8 +299,7 @@
|
|||
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
|
||||
A default value for this option can be set in algorithm policies
|
||||
as well as in policy classes or zone policies. If no policy is
|
||||
configured, the default is 1024 bits for DSA keys and 2048 for
|
||||
RSA.
|
||||
configured, the default is 2048 bits for RSA keys.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ class dnskey:
|
|||
|
||||
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
|
||||
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
|
||||
'RSASHA512', None, None, 'ECDSAP256SHA256',
|
||||
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
|
||||
'ECDSAP384SHA384', 'ED25519', 'ED448')
|
||||
|
||||
def __init__(self, key, directory=None, keyttl=None):
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ class PolicyLex:
|
|||
return t
|
||||
|
||||
def t_ALGNAME(self, t):
|
||||
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
|
||||
r'(?i)\b(RSAMD5|DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
|
||||
t.value = t.value.upper()
|
||||
return t
|
||||
|
||||
|
|
@ -132,9 +132,7 @@ class Policy:
|
|||
keyttl = None
|
||||
coverage = None
|
||||
directory = None
|
||||
valid_key_sz_per_algo = {'DSA': [512, 1024],
|
||||
'NSEC3DSA': [512, 1024],
|
||||
'RSAMD5': [1024, 4096],
|
||||
valid_key_sz_per_algo = {'RSAMD5': [1024, 4096],
|
||||
'RSASHA1': [1024, 4096],
|
||||
'NSEC3RSASHA1': [512, 4096],
|
||||
'RSASHA256': [1024, 4096],
|
||||
|
|
@ -264,19 +262,6 @@ class Policy:
|
|||
return False, 'ZSK key size %d outside valid range %s' \
|
||||
% (self.zsk_keysize, key_sz_range)
|
||||
|
||||
# Specific check for DSA keys
|
||||
if self.algorithm in ['DSA', 'NSEC3DSA'] and \
|
||||
self.ksk_keysize % 64 != 0:
|
||||
return False, \
|
||||
('KSK key size %d not divisible by 64 ' +
|
||||
'as required for DSA') % self.ksk_keysize
|
||||
|
||||
if self.algorithm in ['DSA', 'NSEC3DSA'] and \
|
||||
self.zsk_keysize % 64 != 0:
|
||||
return False, \
|
||||
('ZSK key size %d not divisible by 64 ' +
|
||||
'as required for DSA') % self.zsk_keysize
|
||||
|
||||
if self.algorithm in ['ECDSAP256SHA256', \
|
||||
'ECDSAP384SHA384', \
|
||||
'ED25519', \
|
||||
|
|
@ -335,16 +320,6 @@ class dnssec_policy:
|
|||
p.zsk_keysize = 2048;
|
||||
|
||||
# set default algorithm policies
|
||||
# these need a lower default key size:
|
||||
self.alg_policy['DSA'] = copy(p)
|
||||
self.alg_policy['DSA'].algorithm = "DSA"
|
||||
self.alg_policy['DSA'].name = "DSA"
|
||||
self.alg_policy['DSA'].ksk_keysize = 1024;
|
||||
|
||||
self.alg_policy['NSEC3DSA'] = copy(p)
|
||||
self.alg_policy['NSEC3DSA'].algorithm = "NSEC3DSA"
|
||||
self.alg_policy['NSEC3DSA'].name = "NSEC3DSA"
|
||||
self.alg_policy['NSEC3DSA'].ksk_keysize = 1024;
|
||||
|
||||
# these can use default settings
|
||||
self.alg_policy['RSAMD5'] = copy(p)
|
||||
|
|
|
|||
|
|
@ -25,15 +25,6 @@ class PolicyTest(unittest.TestCase):
|
|||
self.assertEqual(p.constructed(), False)
|
||||
self.assertEqual(p.validate(), (True, ""))
|
||||
|
||||
p = pol.policy('good_dsa.test', novalidate=True)
|
||||
self.assertEqual(p.get_name(), "good_dsa.test")
|
||||
self.assertEqual(p.constructed(), False)
|
||||
self.assertEqual(p.validate(), (True, ""))
|
||||
|
||||
p = pol.policy('bad_dsa.test', novalidate=True)
|
||||
self.assertEqual(p.validate(),
|
||||
(False, 'ZSK key size 769 not divisible by 64 as required for DSA'))
|
||||
|
||||
def test_prepublish(self):
|
||||
pol = policy.dnssec_policy()
|
||||
pol.load('test-policies/02-prepublish.pol')
|
||||
|
|
|
|||
|
|
@ -20,6 +20,11 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
|
|||
# Make it absolute so that it continues to work after we cd.
|
||||
TOP=`cd $TOP && pwd`
|
||||
|
||||
# Default algorithm for testing
|
||||
DEFAULT_ALGORITHM=ECDSAP256SHA256
|
||||
DEFAULT_ALGORITHM_NUMBER=13
|
||||
DEFAULT_BITS=256
|
||||
|
||||
ARPANAME=$TOP/bin/tools/arpaname
|
||||
CDS=$TOP/bin/dnssec/dnssec-cds
|
||||
CHECKCONF=$TOP/bin/check/named-checkconf
|
||||
|
|
@ -378,7 +383,11 @@ copy_setports() {
|
|||
-e "s/@EXTRAPORT6@/${EXTRAPORT6}/g" \
|
||||
-e "s/@EXTRAPORT7@/${EXTRAPORT7}/g" \
|
||||
-e "s/@EXTRAPORT8@/${EXTRAPORT8}/g" \
|
||||
-e "s/@CONTROLPORT@/${CONTROLPORT}/g" $1 > $2
|
||||
-e "s/@CONTROLPORT@/${CONTROLPORT}/g" \
|
||||
-e "s/@DEFAULT_ALGORITHM@/${DEFAULT_ALGORITHM}/g" \
|
||||
-e "s/@DEFAULT_ALGORITHM_NUMBER@/${DEFAULT_ALGORITHM_NUMBER}/g" \
|
||||
-e "s/@DEFAULT_BITS@/${DEFAULT_BITS}/g" \
|
||||
$1 > $2
|
||||
}
|
||||
|
||||
#
|
||||
|
|
|
|||
|
|
@ -26,6 +26,11 @@ TOP=`cd $TOP && pwd`
|
|||
# Visual Studio build configurations are Release and Debug
|
||||
VSCONF=Debug
|
||||
|
||||
# Default algorithm for testing
|
||||
DEFAULT_ALGORITHM=ECDSAP256SHA256
|
||||
DEFAULT_ALGORITHM_NUMBER=13
|
||||
DEFAULT_BITS=256
|
||||
|
||||
ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@
|
||||
CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@
|
||||
CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`"
|
||||
|
|
@ -361,7 +366,11 @@ copy_setports() {
|
|||
-e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
|
||||
-e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
|
||||
-e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
|
||||
-e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" $1 > $2
|
||||
-e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
|
||||
-e "s/${atsign}DEFAULT_ALGORITM${atsign}/${DEFAULT_ALGORITHM}/g" \
|
||||
-e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
|
||||
-e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
|
||||
$1 > $2
|
||||
}
|
||||
|
||||
#
|
||||
|
|
|
|||
|
|
@ -23,8 +23,8 @@ infile=root.db.in
|
|||
zonefile=root.db
|
||||
outfile=root.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -24,8 +24,8 @@ zonefile=druz.db
|
|||
outfile=druz.pre
|
||||
dlvzone=utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -26,8 +26,8 @@ zonefile=child1.utld.db
|
|||
outfile=child1.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -42,8 +42,8 @@ zonefile=child3.utld.db
|
|||
outfile=child3.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -58,8 +58,8 @@ zonefile=child4.utld.db
|
|||
outfile=child4.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -73,8 +73,8 @@ zonefile=child5.utld.db
|
|||
outfile=child5.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -88,8 +88,8 @@ infile=child.db.in
|
|||
zonefile=child7.utld.db
|
||||
outfile=child7.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -103,8 +103,8 @@ infile=child.db.in
|
|||
zonefile=child8.utld.db
|
||||
outfile=child8.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -118,8 +118,8 @@ zonefile=child9.utld.db
|
|||
outfile=child9.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -132,8 +132,8 @@ zonefile=child10.utld.db
|
|||
outfile=child10.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -147,8 +147,8 @@ outfile=child1.druz.signed
|
|||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -164,8 +164,8 @@ outfile=child3.druz.signed
|
|||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -181,8 +181,8 @@ outfile=child4.druz.signed
|
|||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -197,8 +197,8 @@ outfile=child5.druz.signed
|
|||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -213,8 +213,8 @@ zonefile=child7.druz.db
|
|||
outfile=child7.druz.signed
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
|
||||
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
|
||||
|
|
@ -228,8 +228,8 @@ infile=child.db.in
|
|||
zonefile=child8.druz.db
|
||||
outfile=child8.druz.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -243,8 +243,8 @@ zonefile=child9.druz.db
|
|||
outfile=child9.druz.signed
|
||||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -258,8 +258,8 @@ outfile=child10.druz.signed
|
|||
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -272,8 +272,8 @@ infile=dlv.db.in
|
|||
zonefile=dlv.utld.db
|
||||
outfile=dlv.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ infile=child.db.in
|
|||
zonefile=grand.child1.utld.db
|
||||
outfile=grand.child1.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -36,8 +36,8 @@ zonefile=grand.child3.utld.db
|
|||
outfile=grand.child3.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -51,8 +51,8 @@ zonefile=grand.child4.utld.db
|
|||
outfile=grand.child4.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -66,8 +66,8 @@ zonefile=grand.child5.utld.db
|
|||
outfile=grand.child5.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -81,8 +81,8 @@ zonefile=grand.child7.utld.db
|
|||
outfile=grand.child7.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -96,8 +96,8 @@ zonefile=grand.child8.utld.db
|
|||
outfile=grand.child8.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -111,8 +111,8 @@ zonefile=grand.child9.utld.db
|
|||
outfile=grand.child9.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -125,8 +125,8 @@ zonefile=grand.child10.utld.db
|
|||
outfile=grand.child10.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -138,8 +138,8 @@ infile=child.db.in
|
|||
zonefile=grand.child1.druz.db
|
||||
outfile=grand.child1.druz.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -153,8 +153,8 @@ zonefile=grand.child3.druz.db
|
|||
outfile=grand.child3.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -168,8 +168,8 @@ zonefile=grand.child4.druz.db
|
|||
outfile=grand.child4.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -183,8 +183,8 @@ zonefile=grand.child5.druz.db
|
|||
outfile=grand.child5.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -198,8 +198,8 @@ zonefile=grand.child7.druz.db
|
|||
outfile=grand.child7.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -213,8 +213,8 @@ zonefile=grand.child8.druz.db
|
|||
outfile=grand.child8.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -228,8 +228,8 @@ zonefile=grand.child9.druz.db
|
|||
outfile=grand.child9.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -242,8 +242,8 @@ zonefile=grand.child10.druz.db
|
|||
outfile=grand.child10.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -29,8 +29,8 @@ do
|
|||
cp ../ns3/dsset-$subdomain.example$TP .
|
||||
done
|
||||
|
||||
keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
@ -89,8 +89,8 @@ zone=in-addr.arpa.
|
|||
infile=in-addr.arpa.db.in
|
||||
zonefile=in-addr.arpa.db
|
||||
|
||||
keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
|
||||
|
|
@ -127,8 +127,8 @@ zone=badparam.
|
|||
infile=badparam.db.in
|
||||
zonefile=badparam.db
|
||||
|
||||
keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
|
||||
keyname2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
|
||||
keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
|
||||
keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ options {
|
|||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
notify yes;
|
||||
disable-algorithms . { DSA; };
|
||||
disable-algorithms . { @DEFAULT_ALGORITHM@; };
|
||||
dnssec-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-lookaside . trust-anchor dlv;
|
||||
|
|
|
|||
|
|
@ -147,10 +147,10 @@ status=`expr $status + $ret`
|
|||
|
||||
if [ -x ${DELV} ] ; then
|
||||
ret=0
|
||||
echo_i "checking postive validation NSEC using dns_client ($n)"
|
||||
echo_i "checking positive validation NSEC using dns_client ($n)"
|
||||
$DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1
|
||||
grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
|
||||
grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1
|
||||
grep "a.example..*.RRSIG.A $DEFAULT_ALGORITHM_NUMBER 2 300 .*" delv.out$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
|
@ -222,7 +222,7 @@ if [ -x ${DELV} ] ; then
|
|||
echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
|
||||
$DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1
|
||||
grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
|
||||
grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1
|
||||
grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
|
@ -1190,7 +1190,7 @@ n=`expr $n + 1`
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "checking that lookups succeed after disabling a algorithm works ($n)"
|
||||
echo_i "checking that lookups succeed after disabling an algorithm ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
|
||||
> dig.out.ns2.test$n || ret=1
|
||||
|
|
@ -2997,11 +2997,11 @@ echo_i "check dig's +nocrypto flag ($n)"
|
|||
ret=0
|
||||
$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
|
||||
@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
|
||||
grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
|
||||
grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
|
||||
grep -E '256 [0-9]+ 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
|
||||
grep -E 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +norec +nocrypto DS example \
|
||||
@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
|
||||
grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
|
||||
grep -E 'DS.* [0-9]+ [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
|
@ -3137,12 +3137,8 @@ do
|
|||
2) # Diffie Helman
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
3) # DSA/SHA1
|
||||
size="-b 512";;
|
||||
5) # RSA/SHA-1
|
||||
size="-b 1024";;
|
||||
6) # DSA-NSEC3-SHA1
|
||||
size="-b 512";;
|
||||
7) # RSASHA1-NSEC3-SHA1
|
||||
size="-b 1024";;
|
||||
8) # RSA/SHA-256
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ infile=signed.db.in
|
|||
zonefile=signed.db.signed
|
||||
outfile=signed.db.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ infile=signed.db.in
|
|||
zonefile=signed.db.signed
|
||||
outfile=signed.db.signed
|
||||
|
||||
keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@ rm -f ns3/test-?.bk
|
|||
rm -f ns3/test-?.bk.signed
|
||||
rm -f ns3/test-?.bk.signed.jnl
|
||||
rm -f import.key Kimport*
|
||||
rm -f checkdsa checkecdsa
|
||||
rm -f checkecdsa
|
||||
rm -f ns3/a-file
|
||||
rm -f ns*/named.lock
|
||||
rm -f dig.out.*
|
||||
|
|
|
|||
|
|
@ -133,7 +133,7 @@ zone=externalkey
|
|||
rm -f K${zone}.+*+*.key
|
||||
rm -f K${zone}.+*+*.private
|
||||
|
||||
for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
|
||||
for alg in ECDSAP256SHA256 NSEC3RSASHA1
|
||||
do
|
||||
k1=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
|
||||
k2=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
|
||||
|
|
|
|||
|
|
@ -945,13 +945,11 @@ n=`expr $n + 1`
|
|||
echo_i "testing adding external keys to a inline zone ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
|
||||
for alg in 3 7 13
|
||||
for alg in 7 13
|
||||
do
|
||||
[ $alg = 3 -a ! -f checkdsa ] && continue;
|
||||
[ $alg = 13 -a ! -f checkecdsa ] && continue;
|
||||
|
||||
case $alg in
|
||||
3) echo_i "checking DSA";;
|
||||
7) echo_i "checking NSEC3RSASHA1";;
|
||||
13) echo_i "checking ECDSAP256SHA256";;
|
||||
*) echo_i "checking $alg";;
|
||||
|
|
|
|||
|
|
@ -134,12 +134,12 @@ algorithm policy RSASHA1:
|
|||
zsk_standby None
|
||||
keyttl None
|
||||
|
||||
algorithm policy DSA:
|
||||
algorithm policy RSASHA256:
|
||||
inherits None
|
||||
directory None
|
||||
algorithm DSA
|
||||
algorithm RSASHA256
|
||||
coverage None
|
||||
ksk_keysize 1024
|
||||
ksk_keysize 2048
|
||||
zsk_keysize 2048
|
||||
ksk_rollperiod None
|
||||
zsk_rollperiod None
|
||||
|
|
@ -151,6 +151,23 @@ algorithm policy DSA:
|
|||
zsk_standby None
|
||||
keyttl None
|
||||
|
||||
algorithm policy ECDSAP256SHA256:
|
||||
inherits None
|
||||
directory None
|
||||
algorithm ECDSAP256SHA256
|
||||
coverage None
|
||||
ksk_keysize None
|
||||
zsk_keysize None
|
||||
ksk_rollperiod None
|
||||
zsk_rollperiod None
|
||||
ksk_prepublish None
|
||||
ksk_postpublish None
|
||||
zsk_prepublish None
|
||||
zsk_postpublish None
|
||||
ksk_standby None
|
||||
zsk_standby None
|
||||
keyttl None
|
||||
|
||||
policy extra:
|
||||
inherits default
|
||||
directory None
|
||||
|
|
|
|||
|
|
@ -31,7 +31,8 @@ if len(sys.argv) > 0:
|
|||
|
||||
# print algorithm policies
|
||||
print(pp.alg_policy['RSASHA1'])
|
||||
print(pp.alg_policy['DSA'])
|
||||
print(pp.alg_policy['RSASHA256'])
|
||||
print(pp.alg_policy['ECDSAP256SHA256'])
|
||||
|
||||
# print another named policy
|
||||
print(pp.named_policy['extra'])
|
||||
|
|
|
|||
|
|
@ -22,8 +22,8 @@ zone=example.
|
|||
infile=example.db.in
|
||||
zonefile=example.db
|
||||
|
||||
keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile
|
||||
|
|
|
|||
|
|
@ -16,8 +16,8 @@ zone=example.
|
|||
infile=example.db.in
|
||||
zonefile=example.db
|
||||
|
||||
keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
|
||||
keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
|
|||
prog=$0
|
||||
|
||||
args=""
|
||||
alg="-a RSAMD5 -b 1024"
|
||||
alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
|
||||
quiet=0
|
||||
|
||||
msg1="cryptography"
|
||||
|
|
|
|||
|
|
@ -16,5 +16,5 @@ $SHELL clean.sh
|
|||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -n HOST -T KEY key.example.nil.`
|
||||
key=`$KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.`
|
||||
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
|
||||
|
|
|
|||
|
|
@ -373,6 +373,11 @@
|
|||
usually long after their end-of-life date and they are
|
||||
neither developed nor supported by their respective vendors.
|
||||
</para>
|
||||
<para>
|
||||
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
|
||||
removed from BIND as the DSA key length is limited to 1024
|
||||
bits and this is not considered secure enough.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
|
|
|||
|
|
@ -44,9 +44,9 @@ LIBS = @LIBS@
|
|||
DSTOBJS = @DST_EXTRA_OBJS@ \
|
||||
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
|
||||
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \
|
||||
openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
|
||||
openssl_link.@O@ openssldh_link.@O@ \
|
||||
opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \
|
||||
pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
|
||||
pkcs11rsa_link.@O@ \
|
||||
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \
|
||||
key.@O@
|
||||
|
||||
|
|
@ -82,9 +82,9 @@ OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
|
|||
DSTSRCS = @DST_EXTRA_SRCS@ @PKCS11LINKSRCS@ \
|
||||
dst_api.c dst_lib.c dst_parse.c \
|
||||
dst_result.c gssapi_link.c gssapictx.c hmac_link.c \
|
||||
openssl_link.c openssldh_link.c openssldsa_link.c \
|
||||
openssl_link.c openssldh_link.c \
|
||||
opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \
|
||||
pkcs11dsa_link.c pkcs11rsa_link.c \
|
||||
pkcs11rsa_link.c \
|
||||
pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \
|
||||
key.c
|
||||
|
||||
|
|
|
|||
|
|
@ -190,8 +190,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
|
|||
DST_ALG_RSASHA256));
|
||||
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
|
||||
DST_ALG_RSASHA512));
|
||||
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
|
||||
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
|
||||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#ifdef HAVE_OPENSSL_ED25519
|
||||
|
|
@ -209,8 +207,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
|
|||
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
|
||||
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
|
||||
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
|
||||
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
|
||||
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
|
||||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#ifdef HAVE_PKCS11_ED25519
|
||||
|
|
@ -1190,10 +1186,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
|
|||
case DST_ALG_RSASHA512:
|
||||
*n = (key->key_size + 7) / 8;
|
||||
break;
|
||||
case DST_ALG_DSA:
|
||||
case DST_ALG_NSEC3DSA:
|
||||
*n = DNS_SIG_DSASIGSIZE;
|
||||
break;
|
||||
case DST_ALG_ECDSA256:
|
||||
*n = DNS_SIG_ECDSA256SIZE;
|
||||
break;
|
||||
|
|
@ -1522,8 +1514,6 @@ issymmetric(const dst_key_t *key) {
|
|||
case DST_ALG_NSEC3RSASHA1:
|
||||
case DST_ALG_RSASHA256:
|
||||
case DST_ALG_RSASHA512:
|
||||
case DST_ALG_DSA:
|
||||
case DST_ALG_NSEC3DSA:
|
||||
case DST_ALG_DH:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
|
|
|
|||
|
|
@ -53,7 +53,6 @@
|
|||
#include <dst/dst.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/dsa.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
|
|
@ -109,7 +108,6 @@ struct dst_key {
|
|||
union {
|
||||
void *generic;
|
||||
gss_ctx_id_t gssctx;
|
||||
DSA *dsa;
|
||||
DH *dh;
|
||||
#if USE_OPENSSL
|
||||
EVP_PKEY *pkey;
|
||||
|
|
@ -229,7 +227,6 @@ isc_result_t dst__openssldh_init(struct dst_func **funcp);
|
|||
#if USE_OPENSSL
|
||||
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
|
||||
unsigned char algorithm);
|
||||
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
|
||||
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
|
||||
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
|
||||
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
|
||||
|
|
|
|||
|
|
@ -96,12 +96,6 @@ static struct parse_map map[] = {
|
|||
{TAG_DH_PRIVATE, "Private_value(x):"},
|
||||
{TAG_DH_PUBLIC, "Public_value(y):"},
|
||||
|
||||
{TAG_DSA_PRIME, "Prime(p):"},
|
||||
{TAG_DSA_SUBPRIME, "Subprime(q):"},
|
||||
{TAG_DSA_BASE, "Base(g):"},
|
||||
{TAG_DSA_PRIVATE, "Private_value(x):"},
|
||||
{TAG_DSA_PUBLIC, "Public_value(y):"},
|
||||
|
||||
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
|
||||
{TAG_ECDSA_ENGINE, "Engine:" },
|
||||
{TAG_ECDSA_LABEL, "Label:" },
|
||||
|
|
@ -232,26 +226,6 @@ check_dh(const dst_private_t *priv) {
|
|||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
check_dsa(const dst_private_t *priv, bool external) {
|
||||
int i, j;
|
||||
|
||||
if (external)
|
||||
return ((priv->nelements == 0)? 0 : -1);
|
||||
|
||||
if (priv->nelements != DSA_NTAGS)
|
||||
return (-1);
|
||||
|
||||
for (i = 0; i < DSA_NTAGS; i++) {
|
||||
for (j = 0; j < priv->nelements; j++)
|
||||
if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
|
||||
break;
|
||||
if (j == priv->nelements)
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
check_ecdsa(const dst_private_t *priv, bool external) {
|
||||
int i, j;
|
||||
|
|
@ -370,9 +344,6 @@ check_data(const dst_private_t *priv, const unsigned int alg,
|
|||
return (check_rsa(priv, external));
|
||||
case DST_ALG_DH:
|
||||
return (check_dh(priv));
|
||||
case DST_ALG_DSA:
|
||||
case DST_ALG_NSEC3DSA:
|
||||
return (check_dsa(priv, external));
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
return (check_ecdsa(priv, external));
|
||||
|
|
@ -696,18 +667,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
|
|||
case DST_ALG_DH:
|
||||
fprintf(fp, "(DH)\n");
|
||||
break;
|
||||
case DST_ALG_DSA:
|
||||
fprintf(fp, "(DSA)\n");
|
||||
break;
|
||||
case DST_ALG_RSASHA1:
|
||||
fprintf(fp, "(RSASHA1)\n");
|
||||
break;
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
fprintf(fp, "(NSEC3RSASHA1)\n");
|
||||
break;
|
||||
case DST_ALG_NSEC3DSA:
|
||||
fprintf(fp, "(NSEC3DSA)\n");
|
||||
break;
|
||||
case DST_ALG_RSASHA256:
|
||||
fprintf(fp, "(RSASHA256)\n");
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -1,693 +0,0 @@
|
|||
/*
|
||||
* Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* See the COPYRIGHT file distributed with this work for additional
|
||||
* information regarding copyright ownership.
|
||||
*
|
||||
* Portions Copyright (C) Network Associates, Inc.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
|
||||
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
|
||||
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
|
||||
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#if !USE_PKCS11
|
||||
|
||||
#include <pk11/site.h>
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <isc/mem.h>
|
||||
#include <isc/nonce.h>
|
||||
#include <isc/random.h>
|
||||
#include <isc/safe.h>
|
||||
#include <isc/sha1.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dst/result.h>
|
||||
|
||||
#include "dst_internal.h"
|
||||
#include "dst_openssl.h"
|
||||
#include "dst_parse.h"
|
||||
|
||||
#include <openssl/dsa.h>
|
||||
|
||||
static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
|
||||
|
||||
#if !HAVE_DSA_GET0_PQG
|
||||
static void
|
||||
DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
|
||||
const BIGNUM **g)
|
||||
{
|
||||
if (p != NULL)
|
||||
*p = d->p;
|
||||
if (q != NULL)
|
||||
*q = d->q;
|
||||
if (g != NULL)
|
||||
*g = d->g;
|
||||
}
|
||||
|
||||
static int
|
||||
DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
|
||||
if (p == NULL || q == NULL || g == NULL)
|
||||
return 0;
|
||||
BN_free(d->p);
|
||||
BN_free(d->q);
|
||||
BN_free(d->g);
|
||||
d->p = p;
|
||||
d->q = q;
|
||||
d->g = g;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) {
|
||||
if (pub_key != NULL)
|
||||
*pub_key = d->pub_key;
|
||||
if (priv_key != NULL)
|
||||
*priv_key = d->priv_key;
|
||||
}
|
||||
|
||||
static int
|
||||
DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) {
|
||||
/* Note that it is valid for priv_key to be NULL */
|
||||
if (pub_key == NULL)
|
||||
return 0;
|
||||
|
||||
BN_free(d->pub_key);
|
||||
BN_free(d->priv_key);
|
||||
d->pub_key = pub_key;
|
||||
d->priv_key = priv_key;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
|
||||
*pr = sig->r;
|
||||
*ps = sig->s;
|
||||
}
|
||||
|
||||
static int
|
||||
DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
|
||||
if (r == NULL || s == NULL)
|
||||
return 0;
|
||||
|
||||
BN_clear_free(sig->r);
|
||||
BN_clear_free(sig->s);
|
||||
sig->r = r;
|
||||
sig->s = s;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
|
||||
|
||||
#endif /* !HAVE_DSA_GET0_PQG */
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
|
||||
EVP_MD_CTX *evp_md_ctx;
|
||||
|
||||
UNUSED(key);
|
||||
|
||||
evp_md_ctx = EVP_MD_CTX_create();
|
||||
if (evp_md_ctx == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
|
||||
if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
|
||||
EVP_MD_CTX_destroy(evp_md_ctx);
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
|
||||
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static void
|
||||
openssldsa_destroyctx(dst_context_t *dctx) {
|
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
||||
|
||||
if (evp_md_ctx != NULL) {
|
||||
EVP_MD_CTX_destroy(evp_md_ctx);
|
||||
dctx->ctxdata.evp_md_ctx = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
|
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
||||
|
||||
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static int
|
||||
BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
|
||||
int bytes = size - BN_num_bytes(bn);
|
||||
while (bytes-- > 0)
|
||||
*buf++ = 0;
|
||||
BN_bn2bin(bn, buf);
|
||||
return (size);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
|
||||
dst_key_t *key = dctx->key;
|
||||
DSA *dsa = key->keydata.dsa;
|
||||
isc_region_t region;
|
||||
DSA_SIG *dsasig;
|
||||
const BIGNUM *r = 0, *s = NULL;
|
||||
unsigned int klen;
|
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
||||
EVP_PKEY *pkey;
|
||||
unsigned char *sigbuf;
|
||||
const unsigned char *sb;
|
||||
unsigned int siglen;
|
||||
|
||||
isc_buffer_availableregion(sig, ®ion);
|
||||
if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
|
||||
return (ISC_R_NOSPACE);
|
||||
|
||||
pkey = EVP_PKEY_new();
|
||||
if (pkey == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
|
||||
EVP_PKEY_free(pkey);
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
sigbuf = malloc(EVP_PKEY_size(pkey));
|
||||
if (sigbuf == NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
|
||||
EVP_PKEY_free(pkey);
|
||||
free(sigbuf);
|
||||
return (dst__openssl_toresult3(dctx->category,
|
||||
"EVP_SignFinal",
|
||||
ISC_R_FAILURE));
|
||||
}
|
||||
INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
|
||||
EVP_PKEY_free(pkey);
|
||||
/* Convert from Dss-Sig-Value (RFC2459). */
|
||||
dsasig = DSA_SIG_new();
|
||||
if (dsasig == NULL) {
|
||||
free(sigbuf);
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
sb = sigbuf;
|
||||
if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
|
||||
free(sigbuf);
|
||||
return (dst__openssl_toresult3(dctx->category,
|
||||
"d2i_DSA_SIG",
|
||||
ISC_R_FAILURE));
|
||||
}
|
||||
free(sigbuf);
|
||||
|
||||
klen = (key->key_size - 512)/64;
|
||||
if (klen > 255)
|
||||
return (ISC_R_FAILURE);
|
||||
*region.base = klen;
|
||||
isc_region_consume(®ion, 1);
|
||||
|
||||
DSA_SIG_get0(dsasig, &r, &s);
|
||||
BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH);
|
||||
isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH);
|
||||
BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH);
|
||||
isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH);
|
||||
DSA_SIG_free(dsasig);
|
||||
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
dst_key_t *key = dctx->key;
|
||||
DSA *dsa = key->keydata.dsa;
|
||||
BIGNUM *r = NULL, *s = NULL;
|
||||
int status = 0;
|
||||
unsigned char *cp = sig->base;
|
||||
DSA_SIG *dsasig;
|
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
||||
unsigned int siglen;
|
||||
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
|
||||
|
||||
/* Only use EVP for the digest */
|
||||
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
|
||||
if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
|
||||
return (DST_R_VERIFYFAILURE);
|
||||
}
|
||||
|
||||
cp++; /*%< Skip T */
|
||||
dsasig = DSA_SIG_new();
|
||||
if (dsasig == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
|
||||
cp += ISC_SHA1_DIGESTLENGTH;
|
||||
s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
|
||||
DSA_SIG_set0(dsasig, r, s);
|
||||
|
||||
status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
|
||||
|
||||
DSA_SIG_free(dsasig);
|
||||
switch (status) {
|
||||
case 1:
|
||||
return (ISC_R_SUCCESS);
|
||||
case 0:
|
||||
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
|
||||
default:
|
||||
return (dst__openssl_toresult3(dctx->category,
|
||||
"DSA_do_verify",
|
||||
DST_R_VERIFYFAILURE));
|
||||
}
|
||||
}
|
||||
|
||||
static bool
|
||||
openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
DSA *dsa1, *dsa2;
|
||||
const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL;
|
||||
const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL;
|
||||
const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL;
|
||||
const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL;
|
||||
|
||||
dsa1 = key1->keydata.dsa;
|
||||
dsa2 = key2->keydata.dsa;
|
||||
|
||||
if (dsa1 == NULL && dsa2 == NULL)
|
||||
return (true);
|
||||
else if (dsa1 == NULL || dsa2 == NULL)
|
||||
return (false);
|
||||
|
||||
DSA_get0_key(dsa1, &pub_key1, &priv_key1);
|
||||
DSA_get0_key(dsa2, &pub_key2, &priv_key2);
|
||||
DSA_get0_pqg(dsa1, &p1, &q1, &g1);
|
||||
DSA_get0_pqg(dsa2, &p2, &q2, &g2);
|
||||
|
||||
if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 ||
|
||||
BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0)
|
||||
return (false);
|
||||
|
||||
if (priv_key1 != NULL || priv_key2 != NULL) {
|
||||
if (priv_key1 == NULL || priv_key2 == NULL)
|
||||
return (false);
|
||||
if (BN_cmp(priv_key1, priv_key2))
|
||||
return (false);
|
||||
}
|
||||
return (true);
|
||||
}
|
||||
|
||||
static int
|
||||
progress_cb(int p, int n, BN_GENCB *cb) {
|
||||
union {
|
||||
void *dptr;
|
||||
void (*fptr)(int);
|
||||
} u;
|
||||
|
||||
UNUSED(n);
|
||||
|
||||
u.dptr = BN_GENCB_get_arg(cb);
|
||||
if (u.fptr != NULL)
|
||||
u.fptr(p);
|
||||
return (1);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
DSA *dsa;
|
||||
unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
|
||||
BN_GENCB *cb;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
BN_GENCB _cb;
|
||||
#endif
|
||||
union {
|
||||
void *dptr;
|
||||
void (*fptr)(int);
|
||||
} u;
|
||||
|
||||
UNUSED(unused);
|
||||
|
||||
isc_nonce_buf(rand_array, sizeof(rand_array));
|
||||
|
||||
dsa = DSA_new();
|
||||
if (dsa == NULL)
|
||||
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
cb = BN_GENCB_new();
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (cb == NULL) {
|
||||
DSA_free(dsa);
|
||||
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif
|
||||
if (callback == NULL) {
|
||||
BN_GENCB_set_old(cb, NULL, NULL);
|
||||
} else {
|
||||
u.fptr = callback;
|
||||
BN_GENCB_set(cb, &progress_cb, u.dptr);
|
||||
}
|
||||
|
||||
if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
|
||||
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
|
||||
cb))
|
||||
{
|
||||
DSA_free(dsa);
|
||||
BN_GENCB_free(cb);
|
||||
return (dst__openssl_toresult2("DSA_generate_parameters_ex",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
BN_GENCB_free(cb);
|
||||
cb = NULL;
|
||||
|
||||
if (DSA_generate_key(dsa) == 0) {
|
||||
DSA_free(dsa);
|
||||
return (dst__openssl_toresult2("DSA_generate_key",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
|
||||
DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
|
||||
|
||||
key->keydata.dsa = dsa;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static bool
|
||||
openssldsa_isprivate(const dst_key_t *key) {
|
||||
DSA *dsa = key->keydata.dsa;
|
||||
const BIGNUM *priv_key = NULL;
|
||||
|
||||
DSA_get0_key(dsa, NULL, &priv_key);
|
||||
return (dsa != NULL && priv_key != NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
openssldsa_destroy(dst_key_t *key) {
|
||||
DSA *dsa = key->keydata.dsa;
|
||||
DSA_free(dsa);
|
||||
key->keydata.dsa = NULL;
|
||||
}
|
||||
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
DSA *dsa;
|
||||
const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL;
|
||||
isc_region_t r;
|
||||
int dnslen;
|
||||
unsigned int t, p_bytes;
|
||||
|
||||
REQUIRE(key->keydata.dsa != NULL);
|
||||
|
||||
dsa = key->keydata.dsa;
|
||||
|
||||
isc_buffer_availableregion(data, &r);
|
||||
|
||||
DSA_get0_key(dsa, &pub_key, NULL);
|
||||
DSA_get0_pqg(dsa, &p, &q, &g);
|
||||
|
||||
t = (BN_num_bytes(p) - 64) / 8;
|
||||
if (t > 8)
|
||||
return (DST_R_INVALIDPUBLICKEY);
|
||||
p_bytes = 64 + 8 * t;
|
||||
|
||||
dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
|
||||
if (r.length < (unsigned int) dnslen)
|
||||
return (ISC_R_NOSPACE);
|
||||
|
||||
*r.base = t;
|
||||
isc_region_consume(&r, 1);
|
||||
|
||||
BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH);
|
||||
isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
||||
BN_bn2bin_fixed(p, r.base, key->key_size/8);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
BN_bn2bin_fixed(g, r.base, key->key_size/8);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
BN_bn2bin_fixed(pub_key, r.base, key->key_size/8);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
|
||||
isc_buffer_add(data, dnslen);
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
DSA *dsa;
|
||||
BIGNUM *pub_key, *p, *q, *g;
|
||||
isc_region_t r;
|
||||
unsigned int t, p_bytes;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
|
||||
UNUSED(mctx);
|
||||
|
||||
isc_buffer_remainingregion(data, &r);
|
||||
if (r.length == 0)
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
dsa = DSA_new();
|
||||
if (dsa == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
|
||||
|
||||
t = (unsigned int) *r.base;
|
||||
isc_region_consume(&r, 1);
|
||||
if (t > 8) {
|
||||
DSA_free(dsa);
|
||||
return (DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
p_bytes = 64 + 8 * t;
|
||||
|
||||
if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
|
||||
DSA_free(dsa);
|
||||
return (DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
|
||||
q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
|
||||
isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
||||
|
||||
p = BN_bin2bn(r.base, p_bytes, NULL);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
|
||||
g = BN_bin2bn(r.base, p_bytes, NULL);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
|
||||
pub_key = BN_bin2bn(r.base, p_bytes, NULL);
|
||||
isc_region_consume(&r, p_bytes);
|
||||
|
||||
if (pub_key == NULL || p == NULL || q == NULL || g == NULL) {
|
||||
DSA_free(dsa);
|
||||
if (p != NULL) BN_free(p);
|
||||
if (q != NULL) BN_free(q);
|
||||
if (g != NULL) BN_free(g);
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
|
||||
DSA_set0_key(dsa, pub_key, NULL);
|
||||
DSA_set0_pqg(dsa, p, q, g);
|
||||
|
||||
key->key_size = p_bytes * 8;
|
||||
|
||||
isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
|
||||
|
||||
key->keydata.dsa = dsa;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
int cnt = 0;
|
||||
DSA *dsa;
|
||||
const BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
const BIGNUM *p = NULL, *q = NULL, *g = NULL;
|
||||
dst_private_t priv;
|
||||
unsigned char bufs[5][128];
|
||||
|
||||
if (key->keydata.dsa == NULL)
|
||||
return (DST_R_NULLKEY);
|
||||
|
||||
if (key->external) {
|
||||
priv.nelements = 0;
|
||||
return (dst__privstruct_writefile(key, &priv, directory));
|
||||
}
|
||||
|
||||
dsa = key->keydata.dsa;
|
||||
|
||||
DSA_get0_key(dsa, &pub_key, &priv_key);
|
||||
DSA_get0_pqg(dsa, &p, &q, &g);
|
||||
|
||||
priv.elements[cnt].tag = TAG_DSA_PRIME;
|
||||
priv.elements[cnt].length = BN_num_bytes(p);
|
||||
BN_bn2bin(p, bufs[cnt]);
|
||||
priv.elements[cnt].data = bufs[cnt];
|
||||
cnt++;
|
||||
|
||||
priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
|
||||
priv.elements[cnt].length = BN_num_bytes(q);
|
||||
BN_bn2bin(q, bufs[cnt]);
|
||||
priv.elements[cnt].data = bufs[cnt];
|
||||
cnt++;
|
||||
|
||||
priv.elements[cnt].tag = TAG_DSA_BASE;
|
||||
priv.elements[cnt].length = BN_num_bytes(g);
|
||||
BN_bn2bin(g, bufs[cnt]);
|
||||
priv.elements[cnt].data = bufs[cnt];
|
||||
cnt++;
|
||||
|
||||
priv.elements[cnt].tag = TAG_DSA_PRIVATE;
|
||||
priv.elements[cnt].length = BN_num_bytes(priv_key);
|
||||
BN_bn2bin(priv_key, bufs[cnt]);
|
||||
priv.elements[cnt].data = bufs[cnt];
|
||||
cnt++;
|
||||
|
||||
priv.elements[cnt].tag = TAG_DSA_PUBLIC;
|
||||
priv.elements[cnt].length = BN_num_bytes(pub_key);
|
||||
BN_bn2bin(pub_key, bufs[cnt]);
|
||||
priv.elements[cnt].data = bufs[cnt];
|
||||
cnt++;
|
||||
|
||||
priv.nelements = cnt;
|
||||
return (dst__privstruct_writefile(key, &priv, directory));
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
DSA *dsa = NULL;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
BIGNUM *p = NULL, *q = NULL, *g = NULL;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
#define DST_RET(a) {ret = a; goto err;}
|
||||
|
||||
/* read private key file */
|
||||
ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
return (ret);
|
||||
|
||||
if (key->external) {
|
||||
if (priv.nelements != 0)
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
if (pub == NULL)
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
key->keydata.pkey = pub->keydata.pkey;
|
||||
pub->keydata.pkey = NULL;
|
||||
key->key_size = pub->key_size;
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
isc_safe_memwipe(&priv, sizeof(priv));
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
dsa = DSA_new();
|
||||
if (dsa == NULL)
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
|
||||
key->keydata.dsa = dsa;
|
||||
|
||||
for (i = 0; i < priv.nelements; i++) {
|
||||
BIGNUM *bn;
|
||||
bn = BN_bin2bn(priv.elements[i].data,
|
||||
priv.elements[i].length, NULL);
|
||||
if (bn == NULL)
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
|
||||
switch (priv.elements[i].tag) {
|
||||
case TAG_DSA_PRIME:
|
||||
p = bn;
|
||||
break;
|
||||
case TAG_DSA_SUBPRIME:
|
||||
q = bn;
|
||||
break;
|
||||
case TAG_DSA_BASE:
|
||||
g = bn;
|
||||
break;
|
||||
case TAG_DSA_PRIVATE:
|
||||
priv_key = bn;
|
||||
break;
|
||||
case TAG_DSA_PUBLIC:
|
||||
pub_key = bn;
|
||||
break;
|
||||
}
|
||||
}
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
isc_safe_memwipe(&priv, sizeof(priv));
|
||||
DSA_set0_key(dsa, pub_key, priv_key);
|
||||
DSA_set0_pqg(dsa, p, q, g);
|
||||
key->key_size = BN_num_bits(p);
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
err:
|
||||
if (p != NULL)
|
||||
BN_free(p);
|
||||
if (q != NULL)
|
||||
BN_free(q);
|
||||
if (g != NULL)
|
||||
BN_free(g);
|
||||
openssldsa_destroy(key);
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
isc_safe_memwipe(&priv, sizeof(priv));
|
||||
return (ret);
|
||||
}
|
||||
|
||||
static dst_func_t openssldsa_functions = {
|
||||
openssldsa_createctx,
|
||||
NULL, /*%< createctx2 */
|
||||
openssldsa_destroyctx,
|
||||
openssldsa_adddata,
|
||||
openssldsa_sign,
|
||||
openssldsa_verify,
|
||||
NULL, /*%< verify2 */
|
||||
NULL, /*%< computesecret */
|
||||
openssldsa_compare,
|
||||
NULL, /*%< paramcompare */
|
||||
openssldsa_generate,
|
||||
openssldsa_isprivate,
|
||||
openssldsa_destroy,
|
||||
openssldsa_todns,
|
||||
openssldsa_fromdns,
|
||||
openssldsa_tofile,
|
||||
openssldsa_parse,
|
||||
NULL, /*%< cleanup */
|
||||
NULL, /*%< fromlabel */
|
||||
NULL, /*%< dump */
|
||||
NULL, /*%< restore */
|
||||
};
|
||||
|
||||
isc_result_t
|
||||
dst__openssldsa_init(dst_func_t **funcp) {
|
||||
REQUIRE(funcp != NULL);
|
||||
if (*funcp == NULL)
|
||||
*funcp = &openssldsa_functions;
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
#endif /* !USE_PKCS11 */
|
||||
File diff suppressed because it is too large
Load diff
|
|
@ -108,8 +108,6 @@
|
|||
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
|
||||
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
|
||||
{ DNS_KEYALG_DH, "DH", 0 }, \
|
||||
{ DNS_KEYALG_DSA, "DSA", 0 }, \
|
||||
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
|
||||
{ DNS_KEYALG_ECC, "ECC", 0 }, \
|
||||
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
|
||||
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
|
||||
|
|
|
|||
|
|
@ -12,8 +12,3 @@
|
|||
#pragma once
|
||||
|
||||
/*! \file pk11/site.h */
|
||||
|
||||
#ifdef HAVE_GETPASSPHRASE
|
||||
#undef getpass
|
||||
#define getpass(x) getpassphrase(x)
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -81,7 +81,6 @@ struct pk11_token {
|
|||
static ISC_LIST(pk11_token_t) tokens;
|
||||
|
||||
static pk11_token_t *best_rsa_token;
|
||||
static pk11_token_t *best_dsa_token;
|
||||
static pk11_token_t *best_dh_token;
|
||||
static pk11_token_t *best_ecdsa_token;
|
||||
static pk11_token_t *best_eddsa_token;
|
||||
|
|
@ -238,9 +237,6 @@ pk11_finalize(void) {
|
|||
if (token == best_rsa_token) {
|
||||
best_rsa_token = NULL;
|
||||
}
|
||||
if (token == best_dsa_token) {
|
||||
best_dsa_token = NULL;
|
||||
}
|
||||
if (token == best_dh_token) {
|
||||
best_dh_token = NULL;
|
||||
}
|
||||
|
|
@ -563,35 +559,6 @@ scan_slots(void) {
|
|||
}
|
||||
}
|
||||
|
||||
/* Check for DSA support */
|
||||
bad = false;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
|
||||
bad = true;
|
||||
PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
|
||||
}
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) ||
|
||||
((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
|
||||
bad = true;
|
||||
PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
|
||||
}
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
|
||||
if ((rv != CKR_OK) ||
|
||||
((mechInfo.flags & CKF_SIGN) == 0) ||
|
||||
((mechInfo.flags & CKF_VERIFY) == 0)) {
|
||||
bad = true;
|
||||
PK11_TRACEM(CKM_DSA_SHA1);
|
||||
}
|
||||
if (!bad) {
|
||||
token->operations |= 1 << OP_DSA;
|
||||
if (best_dsa_token == NULL) {
|
||||
best_dsa_token = token;
|
||||
}
|
||||
}
|
||||
|
||||
/* Check for DH support */
|
||||
bad = false;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
|
||||
|
|
@ -684,9 +651,6 @@ pk11_get_best_token(pk11_optype_t optype) {
|
|||
case OP_RSA:
|
||||
token = best_rsa_token;
|
||||
break;
|
||||
case OP_DSA:
|
||||
token = best_dsa_token;
|
||||
break;
|
||||
case OP_DH:
|
||||
token = best_dh_token;
|
||||
break;
|
||||
|
|
@ -1035,8 +999,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
|
|||
if (token == NULL) {
|
||||
if (optype == OP_RSA) {
|
||||
token = best_rsa_token;
|
||||
} else if (optype == OP_DSA) {
|
||||
token = best_dsa_token;
|
||||
} else if (optype == OP_DH) {
|
||||
token = best_dh_token;
|
||||
} else if (optype == OP_ECDSA) {
|
||||
|
|
@ -1076,7 +1038,6 @@ pk11_dump_tokens(void) {
|
|||
|
||||
printf("DEFAULTS\n");
|
||||
printf("\tbest_rsa_token=%p\n", best_rsa_token);
|
||||
printf("\tbest_dsa_token=%p\n", best_dsa_token);
|
||||
printf("\tbest_dh_token=%p\n", best_dh_token);
|
||||
printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
|
||||
printf("\tbest_eddsa_token=%p\n", best_eddsa_token);
|
||||
|
|
@ -1097,12 +1058,6 @@ pk11_dump_tokens(void) {
|
|||
first = false;
|
||||
printf("RSA");
|
||||
}
|
||||
if (token->operations & (1 << OP_DSA)) {
|
||||
if (!first)
|
||||
printf(",");
|
||||
first = false;
|
||||
printf("DSA");
|
||||
}
|
||||
if (token->operations & (1 << OP_DH)) {
|
||||
if (!first)
|
||||
printf(",");
|
||||
|
|
|
|||
|
|
@ -2965,14 +2965,12 @@
|
|||
./lib/dns/nta.c C 2014,2015,2016,2017,2018
|
||||
./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018
|
||||
./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
|
||||
./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
|
||||
./lib/dns/opensslecdsa_link.c C 2012,2013,2014,2015,2016,2017,2018
|
||||
./lib/dns/openssleddsa_link.c C 2017,2018
|
||||
./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
|
||||
./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018
|
||||
./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
|
||||
./lib/dns/pkcs11.c C 2014,2016,2017,2018
|
||||
./lib/dns/pkcs11dsa_link.c C 2014,2015,2016,2017,2018
|
||||
./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018
|
||||
./lib/dns/pkcs11eddsa_link.c C 2017,2018
|
||||
./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018
|
||||
|
|
|
|||
Loading…
Reference in a new issue