diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index c18da75b18..1415afadd1 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -387,9 +387,6 @@ main(int argc, char **argv) { if (ret != ISC_R_SUCCESS) { fatal("unknown algorithm %s", algname); } - if (alg == DST_ALG_DH) { - options |= DST_TYPE_KEY; - } if (use_nsec3) { switch (alg) { @@ -597,13 +594,6 @@ main(int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm '%s' cannot be a zone key", - algname); - } - isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index f11b54b182..b1c5c46b5b 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -80,7 +80,6 @@ struct keygen_ctx { char *algname; char *nametype; char *type; - int generator; int protocol; int size; int signatory; @@ -143,14 +142,13 @@ usage(void) { fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); - fprintf(stderr, " ED25519 | ED448 | DH\n"); + fprintf(stderr, " ED25519 | ED448\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " ECDSAP256SHA256:\tignored\n"); fprintf(stderr, " ECDSAP384SHA384:\tignored\n"); fprintf(stderr, " ED25519:\tignored\n"); 
@@ -165,8 +163,6 @@ usage(void) { fprintf(stderr, " -E :\n"); fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f : KSK | REVOKE\n"); - fprintf(stderr, " -g : use specified generator " - "(DH only)\n"); fprintf(stderr, " -L : default key TTL\n"); fprintf(stderr, " -p : (default: 3 [dnssec])\n"); fprintf(stderr, " -s : strength value this key signs DNS " @@ -322,10 +318,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { fatal("unsupported algorithm: %s", algstr); } - if (ctx->alg == DST_ALG_DH) { - ctx->options |= DST_TYPE_KEY; - } - if (ctx->use_nsec3) { switch (ctx->alg) { case DST_ALG_RSASHA1: @@ -535,11 +527,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { fatal("RSA key size %d out of range", ctx->size); } break; - case DNS_KEYALG_DH: - if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) { - fatal("DH key size %d out of range", ctx->size); - } - break; case DST_ALG_ECDSA256: ctx->size = 256; break; @@ -554,10 +541,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { break; } - if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) { - fatal("specified DH generator for a non-DH key"); - } - if (ctx->nametype == NULL) { if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */ fatal("no nametype specified"); @@ -607,12 +590,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - ctx->alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm %s cannot be a zone key", algstr); - } - switch (ctx->alg) { case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: @@ -621,10 +598,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { show_progress = true; break; - case DNS_KEYALG_DH: - param = ctx->generator; - break; - case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: 
@@ -950,11 +923,9 @@ main(int argc, char **argv) {
 }
 break;
 case 'g':
- ctx.generator = strtol(isc_commandline_argument, &endp,
- 10);
- if (*endp != '\0' || ctx.generator <= 0) {
- fatal("-g requires a positive number");
- }
+ fprintf(stderr,
+ "phased-out option -e "
+ "(was 'use specified generator (DH only)')\n");
 break;
 case 'K':
 ctx.directory = isc_commandline_argument;
diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index a06027ce58..6f69300a48 100644
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -49,9 +49,7 @@ Options
 
 This option selects the cryptographic algorithm. For DNSSEC keys, the
 value of ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
- RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
- TKEY, the value must be DH (Diffie-Hellman); specifying this value
- automatically sets the :option:`-T KEY <-T>` option as well.
+ RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
 
 These values are case-insensitive. In some cases, abbreviations are
 supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index b24e88afea..d43e7d9fde 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -490,8 +490,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 uint16_t id, oldid;
 uint32_t rid, roldid;
 dns_secalg_t alg;
- char filename[NAME_MAX];
- isc_buffer_t fileb;
 isc_stdtime_t now;
 
 if (exact != NULL) {
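Review bot: The phase-out message in `case 'g':` names the wrong option letter — it prints `-e` although this case handles `-g`, so a user who passed `-g` is told about an option they never used. Change the literal to `"phased-out option -g "`. The old code also rejected non-positive values with fatal(); the new code ignores the argument entirely, which is acceptable for a phased-out switch but worth stating in the usage text the earlier hunk trimmed. main() continues outside the hunk, so whether `endp` still has another reader cannot be checked here.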
@@ -502,21 +500,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 rid = dst_key_rid(dstkey);
 alg = dst_key_alg(dstkey);
 
- /*
- * For Diffie Hellman just check if there is a direct collision as
- * they can't be revoked. Additionally dns_dnssec_findmatchingkeys
- * only handles DNSKEY which is not used for HMAC.
- */
- if (alg == DST_ALG_DH) {
- isc_buffer_init(&fileb, filename, sizeof(filename));
- result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir,
- &fileb);
- if (result != ISC_R_SUCCESS) {
- return (true);
- }
- return (isc_file_exists(filename));
- }
-
 ISC_LIST_INIT(matchkeys);
 isc_stdtime_get(&now);
 result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
diff --git a/bin/named/config.c b/bin/named/config.c
index 9c1469abc6..be9724ec71 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -119,7 +119,6 @@ options {\n\
 tcp-listen-queue 10;\n\
 tcp-receive-buffer 0;\n\
 tcp-send-buffer 0;\n\
-# tkey-dhkey \n\
 # tkey-domain \n\
 # tkey-gssapi-credential \n\
 transfer-message-size 20480;\n\
diff --git a/bin/named/main.c b/bin/named/main.c
index 3c3a4e1cf7..752745d7fe 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -465,7 +465,7 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
 static void
 list_dnssec_algorithms(isc_buffer_t *b) {
 for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
- if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
+ if (i == DST_ALG_GSSAPI ||
 (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
 {
 continue;
@@ -540,11 +540,7 @@ format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
 (*emit)(&b);
 
 isc_buffer_init(&b, buf, sizeof(buf));
- isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s",
- (dst_algorithm_supported(DST_ALG_DH) &&
- dst_algorithm_supported(DST_ALG_HMACMD5))
- ? "yes"
- : "non");
+ isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no");
 (*emit)(&b);
 
 isc_buffer_init(&b, buf, sizeof(buf));
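Review bot: After removing the DH branch, `alg = dst_key_alg(dstkey);` in this hunk has no visible reader, and the `dns_secalg_t alg;` declaration kept in the previous hunk goes with it; if the rest of key_collision() (outside the hunk) does not use `alg`, drop both, or `-Wunused-but-set-variable` builds will warn. The deleted comment explained why this function bypassed dns_dnssec_findmatchingkeys() for non-DNSKEY algorithms; a one-liner such as `/* HMAC keys are skipped by dns_dnssec_findmatchingkeys(); see its DST_R_BADKEYTYPE handling. */` would preserve that reasoning, since the dnssec.c hunk in this commit still shows that skip for the HMAC algorithms.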
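Review bot: In format_supported_algorithms() the replacement line `isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no");` formats a constant through `%s`, which reads like a leftover from the removed conditional; write the single literal `isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): no");`. If the line survives only so that scripts parsing `named -V` output keep seeing the field, a comment saying so would stop the next cleanup from dropping it. In list_dnssec_algorithms(), removing `DST_ALG_DH` from the skip list is sound only if the enumerator now fails `dst_algorithm_supported()`; the dst_api.c hunk removing its `dst_t_func` initialisation suggests it does, but the loop body is outside the hunk.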
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 5db786c64e..24acdcd0c2 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -48,32 +48,16 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 isc_result_t result;
 dns_tkeyctx_t *tctx = NULL;
 const char *s;
- uint32_t n;
 dns_fixedname_t fname;
 dns_name_t *name;
 isc_buffer_t b;
 const cfg_obj_t *obj;
- int type;
 
 result = dns_tkeyctx_create(mctx, &tctx);
 if (result != ISC_R_SUCCESS) {
 return (result);
 }
 
- obj = NULL;
- result = cfg_map_get(options, "tkey-dhkey", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
- isc_buffer_constinit(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- name = dns_fixedname_initname(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
- type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
- RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH,
- type, NULL, mctx, &tctx->dhkey));
- }
-
 obj = NULL;
 result = cfg_map_get(options, "tkey-domain", &obj);
 if (result == ISC_R_SUCCESS) {
diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
index 8f18733fd6..8ee01e1753 100644
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -24,9 +24,7 @@ check_PROGRAMS = \
 makejournal \
 pipelined/pipequeries \
 rndc/gencheck \
- rpz/dnsrps \
- tkey/keycreate \
- tkey/keydelete
+ rpz/dnsrps
 
 feature_test_CPPFLAGS = \
 $(AM_CPPFLAGS) \
@@ -56,22 +54,6 @@ rpz_dnsrps_LDADD = \
 $(LDADD) \
 $(LIBDNS_LIBS)
 
-tkey_keycreate_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(LIBDNS_CFLAGS)
-
-tkey_keycreate_LDADD = \
- $(LDADD) \
- $(LIBDNS_LIBS)
-
-tkey_keydelete_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(LIBDNS_CFLAGS)
-
-tkey_keydelete_LDADD = \
- $(LDADD) \
- $(LIBDNS_LIBS)
-
 TESTS =
 
 if HAVE_PERLMOD_TIME_HIRES
@@ -158,7 +140,6 @@ TESTS += \
 staticstub \
 stub \
 synthfromdnssec \
- tkey \
 tools \
 transport-acl \
 tsig \
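Review bot: named_tkeyctx_fromconfig() stops reading `tkey-dhkey`, but nothing in this hunk tells an operator who still has the statement in named.conf what will happen: if the namedconf grammar still accepts it, the statement is now silently ignored, and if the grammar dropped it (the doc/misc/options hunk points that way) it becomes a load-time error with no hint that the feature was removed. Either way an explicit obsolete-option warning at configuration load is the safer path than a silent no-op. `tctx->dhkey` was populated only here; if `dns_tkeyctx_t` still has a `dhkey` member it should be removed in the same change (not visible in this diff). The function continues outside the hunk.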
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f56edb240c..baac0216ba 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -659,7 +659,7 @@ cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC zone with occuded data at the delegation +# A NSEC zone with occluded data at the delegation # zone=occluded.example infile=occluded.example.db.in @@ -667,7 +667,7 @@ zonefile=occluded.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") -keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone") $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh deleted file mode 100644 index f5df065aab..0000000000 --- a/bin/tests/system/tkey/clean.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -rm -f ./K* -rm -f ./dig.out.* -rm -f ./rndc.out.* -rm -f ns*/K* -rm -f ns*/_default.tsigkeys -rm -f ns*/managed-keys.bind* -rm -f ns*/named.conf -rm -f ns*/named.conf-e -rm -f ns*/named.lock -rm -f ns*/named.memstats -rm -f ns*/named.run 
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c deleted file mode 100644 index d4c01d19c0..0000000000 --- a/bin/tests/system/tkey/keycreate.c +++ /dev/null 
@@ -1,260 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define CHECK(str, x) \ - { \ - if ((x) != ISC_R_SUCCESS) { \ - fprintf(stderr, "I:%s: %s\n", (str), \ - isc_result_totext(x)); \ - exit(-1); \ - } \ - } - -#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - -#define TIMEOUT 30 - -static char *ip_address = NULL; -static int port = 0; - -static dst_key_t *ourkey = NULL; -static isc_mem_t *mctx = NULL; -static isc_loopmgr_t *loopmgr = NULL; -static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL; -static dns_tsig_keyring_t *ring = NULL; -static unsigned char noncedata[16]; -static isc_buffer_t nonce; -static dns_requestmgr_t *requestmgr = NULL; -static const char *ownername_str = "."; - -static void -recvquery(void *arg) { - dns_request_t *request = (dns_request_t *)arg; - dns_message_t *query = dns_request_getarg(request); - dns_message_t *response = NULL; - isc_result_t result; - char keyname[256]; - isc_buffer_t keynamebuf; - int type; - - result = dns_request_getresult(request); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "I:request event result: %s\n", - isc_result_totext(result)); - exit(-1); - } - - dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); - - result = dns_request_getresponse(request, response, - DNS_MESSAGEPARSE_PRESERVEORDER); - CHECK("dns_request_getresponse", result); - - if 
(response->rcode != dns_rcode_noerror) { - result = dns_result_fromrcode(response->rcode); - fprintf(stderr, "I:response rcode: %s\n", - isc_result_totext(result)); - exit(-1); - } - - result = dns_tkey_processdhresponse(query, response, ourkey, &nonce, - &tsigkey, ring); - CHECK("dns_tkey_processdhresponse", result); - - /* - * Yes, this is a hack. - */ - isc_buffer_init(&keynamebuf, keyname, sizeof(keyname)); - result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf); - CHECK("dst_key_buildfilename", result); - printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf), - (char *)isc_buffer_base(&keynamebuf)); - type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY; - result = dst_key_tofile(tsigkey->key, type, ""); - CHECK("dst_key_tofile", result); - - dns_message_detach(&query); - dns_message_detach(&response); - dns_request_destroy(&request); - isc_loopmgr_shutdown(loopmgr); -} - -static void -sendquery(void *arg) { - struct in_addr inaddr; - isc_sockaddr_t address; - isc_region_t r; - isc_result_t result; - dns_fixedname_t keyname; - dns_fixedname_t ownername; - isc_buffer_t namestr, keybuf; - unsigned char keydata[9]; - dns_message_t *query = NULL; - dns_request_t *request = NULL; - static char keystr[] = "0123456789ab"; - - UNUSED(arg); - - result = ISC_R_FAILURE; - if (inet_pton(AF_INET, ip_address, &inaddr) != 1) { - CHECK("inet_pton", result); - } - isc_sockaddr_fromin(&address, &inaddr, port); - - dns_fixedname_init(&keyname); - isc_buffer_constinit(&namestr, "tkeytest.", 9); - isc_buffer_add(&namestr, 9); - result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL, - 0, NULL); - CHECK("dns_name_fromtext", result); - - dns_fixedname_init(&ownername); - isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str)); - isc_buffer_add(&namestr, strlen(ownername_str)); - result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr, - NULL, 0, NULL); - CHECK("dns_name_fromtext", result); - - isc_buffer_init(&keybuf, 
keydata, 9); - result = isc_base64_decodestring(keystr, &keybuf); - CHECK("isc_base64_decodestring", result); - - isc_buffer_usedregion(&keybuf, &r); - - result = dns_tsigkey_create( - dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME, - isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false, - NULL, 0, 0, mctx, ring, &initialkey); - CHECK("dns_tsigkey_create", result); - - dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); - - result = dns_tkey_builddhquery(query, ourkey, - dns_fixedname_name(&ownername), - DNS_TSIG_HMACMD5_NAME, &nonce, 3600); - CHECK("dns_tkey_builddhquery", result); - - result = dns_request_create(requestmgr, query, NULL, &address, NULL, - NULL, DNS_REQUESTOPT_TCP, initialkey, - TIMEOUT, 0, 0, isc_loop_main(loopmgr), - recvquery, query, &request); - CHECK("dns_request_create", result); -} - -int -main(int argc, char *argv[]) { - char *ourkeyname = NULL; - isc_nm_t *netmgr = NULL; - isc_sockaddr_t bind_any; - dns_dispatchmgr_t *dispatchmgr = NULL; - dns_dispatch_t *dispatchv4 = NULL; - dns_view_t *view = NULL; - dns_tkeyctx_t *tctx = NULL; - isc_log_t *log = NULL; - isc_logconfig_t *logconfig = NULL; - isc_result_t result; - int type; - - if (argc < 4) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } - ip_address = argv[1]; - port = atoi(argv[2]); - ourkeyname = argv[3]; - - if (argc >= 5) { - ownername_str = argv[4]; - } - - isc_mem_debugging = ISC_MEM_DEBUGRECORD; - - isc_managers_create(&mctx, 1, &loopmgr, &netmgr); - - isc_log_create(mctx, &log, &logconfig); - - RUNCHECK(dst_lib_init(mctx, NULL)); - - RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr)); - - isc_sockaddr_any(&bind_any); - RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4)); - RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL, - &requestmgr)); - - RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); - RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); - - RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); - 
dns_view_setkeyring(view, ring); - dns_tsigkeyring_detach(&ring); - - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey); - CHECK("dst_key_fromnamedfile", result); - - isc_buffer_init(&nonce, noncedata, sizeof(noncedata)); - isc_nonce_buf(noncedata, sizeof(noncedata)); - isc_buffer_add(&nonce, sizeof(noncedata)); - - isc_loopmgr_setup(loopmgr, sendquery, NULL); - isc_loopmgr_run(loopmgr); - - dns_requestmgr_shutdown(requestmgr); - dns_requestmgr_detach(&requestmgr); - dns_dispatch_detach(&dispatchv4); - dns_dispatchmgr_detach(&dispatchmgr); - - dst_key_free(&ourkey); - dns_tsigkey_detach(&initialkey); - dns_tsigkey_detach(&tsigkey); - - dns_tkeyctx_destroy(&tctx); - - dns_view_detach(&view); - - isc_log_destroy(&log); - - dst_lib_destroy(); - - isc_managers_destroy(&mctx, &loopmgr, &netmgr); - - return (0); -} diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c deleted file mode 100644 index eb1bef1af1..0000000000 --- a/bin/tests/system/tkey/keydelete.c +++ /dev/null 
@@ -1,202 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define CHECK(str, x) \ - { \ - if ((x) != ISC_R_SUCCESS) { \ - fprintf(stderr, "I:%s: %s\n", (str), \ - isc_result_totext(x)); \ - exit(-1); \ - } \ - } - -#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - -#define TIMEOUT 30 - -static char *ip_address = NULL; -static int port; -static isc_mem_t *mctx = NULL; -static isc_loopmgr_t *loopmgr = NULL; -static dns_tsigkey_t *tsigkey = NULL; -static dns_tsig_keyring_t *ring = NULL; -static dns_requestmgr_t *requestmgr = NULL; - -static void -recvquery(void *arg) { - isc_result_t result; - dns_request_t *request = (dns_request_t *)arg; - dns_message_t *query = dns_request_getarg(request); - dns_message_t *response = NULL; - - result = dns_request_getresult(request); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "I:request event result: %s\n", - isc_result_totext(result)); - exit(-1); - } - - dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); - - result = dns_request_getresponse(request, response, - DNS_MESSAGEPARSE_PRESERVEORDER); - CHECK("dns_request_getresponse", result); - - if (response->rcode != dns_rcode_noerror) { - result = dns_result_fromrcode(response->rcode); - fprintf(stderr, "I:response rcode: %s\n", - isc_result_totext(result)); - exit(-1); - } - - result = dns_tkey_processdeleteresponse(query, 
response, ring); - CHECK("dns_tkey_processdhresponse", result); - - dns_message_detach(&query); - dns_message_detach(&response); - dns_request_destroy(&request); - isc_loopmgr_shutdown(loopmgr); -} - -static void -sendquery(void *arg) { - struct in_addr inaddr; - isc_sockaddr_t address; - isc_result_t result; - dns_message_t *query = NULL; - dns_request_t *request = NULL; - - UNUSED(arg); - - result = ISC_R_FAILURE; - if (inet_pton(AF_INET, ip_address, &inaddr) != 1) { - CHECK("inet_pton", result); - } - isc_sockaddr_fromin(&address, &inaddr, port); - - dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); - - result = dns_tkey_builddeletequery(query, tsigkey); - CHECK("dns_tkey_builddeletequery", result); - - result = dns_request_create(requestmgr, query, NULL, &address, NULL, - NULL, DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT, - 0, 0, isc_loop_main(loopmgr), recvquery, - query, &request); - CHECK("dns_request_create", result); -} - -int -main(int argc, char **argv) { - char *keyname = NULL; - isc_nm_t *netmgr = NULL; - isc_sockaddr_t bind_any; - dns_dispatchmgr_t *dispatchmgr = NULL; - dns_dispatch_t *dispatchv4 = NULL; - dns_view_t *view = NULL; - dns_tkeyctx_t *tctx = NULL; - dst_key_t *dstkey = NULL; - isc_log_t *log = NULL; - isc_logconfig_t *logconfig = NULL; - isc_result_t result; - int type; - - if (argc < 4) { - fprintf(stderr, "I:no key to delete\n"); - exit(-1); - } - if (strcmp(argv[1], "-r") == 0) { - fprintf(stderr, "I:The -r options has been deprecated\n"); - exit(-1); - } - ip_address = argv[1]; - port = atoi(argv[2]); - keyname = argv[3]; - - isc_managers_create(&mctx, 1, &loopmgr, &netmgr); - - isc_log_create(mctx, &log, &logconfig); - - RUNCHECK(dst_lib_init(mctx, NULL)); - - RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr)); - isc_sockaddr_any(&bind_any); - RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4)); - RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL, - &requestmgr)); - - 
RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); - RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); - - RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); - dns_view_setkeyring(view, ring); - - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); - CHECK("dst_key_fromnamedfile", result); - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, dstkey, true, - NULL, 0, 0, mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); - - isc_loopmgr_setup(loopmgr, sendquery, NULL); - isc_loopmgr_run(loopmgr); - - dns_requestmgr_shutdown(requestmgr); - dns_requestmgr_detach(&requestmgr); - dns_dispatch_detach(&dispatchv4); - dns_dispatchmgr_detach(&dispatchmgr); - - dns_tsigkeyring_detach(&ring); - - dns_tsigkey_detach(&tsigkey); - - dns_tkeyctx_destroy(&tctx); - - dns_view_detach(&view); - - isc_log_destroy(&log); - - dst_lib_destroy(); - - isc_managers_destroy(&mctx, &loopmgr, &netmgr); - - return (0); -} diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db deleted file mode 100644 index a84794662c..0000000000 --- a/bin/tests/system/tkey/ns1/example.db +++ /dev/null @@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 -mx MX 10 mail -a A 10.53.0.1 - A 10.53.0.2 -txt TXT "this is text" - 
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in deleted file mode 100644 index 0fd784a666..0000000000 --- a/bin/tests/system/tkey/ns1/named.conf.in +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify no; - tkey-domain "server"; - tkey-dhkey "server" KEYID; - allow-query-cache { any; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -key "tkeytest." { - algorithm hmac-md5; - secret "0123456789ab"; -}; - -zone example { - type primary; - file "example.db"; - allow-query { key tkeytest.; none; }; -}; diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh deleted file mode 100644 index b283f7373b..0000000000 --- a/bin/tests/system/tkey/ns1/setup.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../../conf.sh - -keyname=$($KEYGEN -T KEY -a DH -b 768 -n host server) -keyid=$(keyfile_to_key_id "$keyname") -sed -i -e "s;KEYID;$keyid;" named.conf diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh deleted file mode 100644 index bc6aa5118a..0000000000 --- a/bin/tests/system/tkey/setup.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../conf.sh - -copy_setports ns1/named.conf.in ns1/named.conf - -cd ns1 && $SHELL setup.sh diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh deleted file mode 100644 index 864542f694..0000000000 --- a/bin/tests/system/tkey/tests.sh +++ /dev/null 
@@ -1,163 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../conf.sh - -dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" "$@" -} - -status=0 -n=1 - -echo_i "generating new DH key ($n)" -ret=0 -dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -for owner in . foo.example. -do - echo_i "creating new key using owner name \"$owner\" ($n)" - ret=0 - keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking the new key ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "deleting new key ($n)" - ret=0 - $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking that new key has been deleted ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > 
/dev/null && ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) -done - -echo_i "creating new key using owner name bar.example. ($n)" -ret=0 -keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "checking the key with 'rndc tsig-list' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "using key in a request ($n)" -ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "deleting the key with 'rndc tsig-delete' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "recreating the bar.example. key ($n)" -ret=0 -keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) 
|| ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "checking the new key with 'rndc tsig-list' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "using the new key in a request ($n)" -ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/configure.ac b/configure.ac index 52ae4ad4e7..b38a82663d 100644 --- a/configure.ac +++ b/configure.ac @@ -762,7 +762,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:], # # Check for OpenSSL 1.1.x/LibreSSL functions # -AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) +AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA]) AC_CHECK_FUNCS([TLS_server_method TLS_client_method]) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index df9f042a44..4ae2389719 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -1439,16 +1439,6 @@ default is used. this variable must be defined, unless a specific keytab is specified using :any:`tkey-gssapi-keytab`. -.. namedconf:statement:: tkey-dhkey - :tags: security - :short: Sets the Diffie-Hellman key used by the server to generate shared keys. - - This is the Diffie-Hellman key used by the server to generate shared keys - with clients using the Diffie-Hellman mode of ``TKEY``. The server - must be able to load the public and private keys from files in the - working directory. In most cases, the ``key_name`` should be the - server's host name. - .. namedconf:statement:: dump-file :tags: logging :short: Indicates the pathname of the file where the server dumps the database after :option:`rndc dumpdb`. diff --git a/doc/misc/options b/doc/misc/options index 38c4e5c825..8fd53159dd 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -283,7 +283,6 @@ options { tcp-listen-queue ; tcp-receive-buffer ; tcp-send-buffer ; - tkey-dhkey ; tkey-domain ; tkey-gssapi-credential ; tkey-gssapi-keytab ; diff --git a/lib/dns/Makefile.am b/lib/dns/Makefile.am index d5a64707f6..1db6d6585a 100644 --- a/lib/dns/Makefile.am +++ b/lib/dns/Makefile.am @@ -202,7 +202,6 @@ libdns_la_SOURCES = \ openssl_link.c \ openssl_shim.c \ openssl_shim.h \ - openssldh_link.c \ opensslecdsa_link.c \ openssleddsa_link.c \ opensslrsa_link.c \ diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index e038e220a1..a258642137 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1486,7 +1486,6 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, case DST_ALG_HMACSHA256: case DST_ALG_HMACSHA384: case DST_ALG_HMACSHA512: - case DST_ALG_DH: if (result == DST_R_BADKEYTYPE) { continue; } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 7549cfd323..5ea70796f6 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
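Review bot: With `case DST_ALG_DH:` gone from this switch in dns_dnssec_findmatchingkeys, a leftover K*.private file for algorithm 2 in the key directory (common for anyone who once configured `tkey-dhkey`) no longer reaches the `continue`; since dst_lib_init no longer registers a dst_func for that algorithm, loading such a file presumably now fails with DST_R_UNSUPPORTEDALG rather than DST_R_BADKEYTYPE, and whether that result is skipped or aborts the whole key scan is decided by code after the switch, outside the hunk. Please confirm the scan stays tolerant of it, because the failure mode would be a zone that silently stops finding its signing keys. A one-line comment on the remaining case list, `/* KEY-only algorithms are skipped; unsupported ones (incl. the removed DH) are handled below */`, would record the intent. The enclosing function and its switch both extend outside the hunk.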
@@ -201,7 +201,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
 RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 RETERR(dst__openssl_init(engine));
- RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
 DST_ALG_RSASHA1));
 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@@ -1381,7 +1380,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 REQUIRE(VALID_KEY(key));
 REQUIRE(n != NULL);
 
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
 switch (key->key_alg) {
 case DST_ALG_RSASHA1:
 case DST_ALG_NSEC3RSASHA1:
@@ -1422,26 +1420,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 case DST_ALG_GSSAPI:
 *n = 128; /*%< XXX */
 break;
- case DST_ALG_DH:
 default:
 return (DST_R_UNSUPPORTEDALG);
 }
 return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
- REQUIRE(dst_initialized);
- REQUIRE(VALID_KEY(key));
- REQUIRE(n != NULL);
-
- if (key->key_alg == DST_ALG_DH) {
- *n = (key->key_size + 7) / 8;
- return (ISC_R_SUCCESS);
- }
- return (DST_R_UNSUPPORTEDALG);
-}
-
 /*%
 * Set the flags on a key, then recompute the key ID
 */
@@ -1897,13 +1881,11 @@ issymmetric(const dst_key_t *key) {
 REQUIRE(dst_initialized);
 REQUIRE(VALID_KEY(key));
 
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
 switch (key->key_alg) {
 case DST_ALG_RSASHA1:
 case DST_ALG_NSEC3RSASHA1:
 case DST_ALG_RSASHA256:
 case DST_ALG_RSASHA512:
- case DST_ALG_DH:
 case DST_ALG_ECDSA256:
 case DST_ALG_ECDSA384:
 case DST_ALG_ED25519:
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 13dd6dc75a..ca2b6376c9 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -32,7 +32,6 @@ #include #include -#include #include #include #include 
@@ -97,7 +96,6 @@ struct dst_key {
 union {
 void *generic;
 dns_gss_ctx_id_t gssctx;
- DH *dh;
 dst_hmac_key_t *hmac_key;
 EVP_PKEY *pkey;
 struct {
@@ -213,8 +211,6 @@ dst__hmacsha384_init(struct dst_func **funcp);
 isc_result_t
 dst__hmacsha512_init(struct dst_func **funcp);
 isc_result_t
-dst__openssldh_init(struct dst_func **funcp);
-isc_result_t
 dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
 isc_result_t
 dst__opensslecdsa_init(struct dst_func **funcp);
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 0a1a0dcdf2..6f6d7b2871 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -82,11 +82,6 @@ static struct parse_map map[] = {
 { TAG_RSA_MODULUS, "Modulus:" },
 { TAG_RSA_ENGINE, "Engine:" },
 { TAG_RSA_LABEL, "Label:" },
- { TAG_DH_PRIME, "Prime(p):" },
- { TAG_DH_GENERATOR, "Generator(g):" },
- { TAG_DH_PRIVATE, "Private_value(x):" },
- { TAG_DH_PUBLIC, "Public_value(y):" },
-
 { TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
 { TAG_ECDSA_ENGINE, "Engine:" },
 { TAG_ECDSA_LABEL, "Label:" },
@@ -211,25 +206,6 @@ check_rsa(const dst_private_t *priv, bool external) {
 return (ok ? 0 : -1);
 }
 
-static int
-check_dh(const dst_private_t *priv) {
- int i, j;
- if (priv->nelements != DH_NTAGS) {
- return (-1);
- }
- for (i = 0; i < DH_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++) {
- if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) {
- break;
- }
- }
- if (j == priv->nelements) {
- return (-1);
- }
- }
- return (0);
-}
-
 static int
 check_ecdsa(const dst_private_t *priv, bool external) {
 int i, j;
@@ -357,7 +333,6 @@ check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
 static int
 check_data(const dst_private_t *priv, const unsigned int alg, bool old,
 bool external) {
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
 switch (alg) {
 case DST_ALG_RSA:
 case DST_ALG_RSASHA1:
@@ -365,8 +340,6 @@ check_data(const dst_private_t *priv, const unsigned int alg, bool old, case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: return (check_rsa(priv, external)); - case DST_ALG_DH: - return (check_dh(priv)); case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: return (check_ecdsa(priv, external)); @@ -679,11 +652,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key)); - /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (dst_key_alg(key)) { - case DST_ALG_DH: - fprintf(fp, "(DH)\n"); - break; case DST_ALG_RSASHA1: fprintf(fp, "(RSASHA1)\n"); break; diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h index cc12e9bc6f..8703810ff7 100644 --- a/lib/dns/dst_parse.h +++ b/lib/dns/dst_parse.h @@ -59,12 +59,6 @@ #define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8) #define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9) -#define DH_NTAGS 4 -#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0) -#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1) -#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2) -#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3) - #define ECDSA_NTAGS 4 #define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0) #define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1) diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h index 21552661bc..38505a3b29 100644 --- a/lib/dns/include/dns/keyvalues.h +++ b/lib/dns/include/dns/keyvalues.h 
@@ -52,26 +52,26 @@
 #define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
 
 /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
-#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
-#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
-#define DNS_KEYALG_NSEC3DSA 6
-#define DNS_KEYALG_DSS DNS_ALG_DSA
-#define DNS_KEYALG_ECC 4
-#define DNS_KEYALG_RSASHA1 5
-#define DNS_KEYALG_NSEC3RSASHA1 7
-#define DNS_KEYALG_RSASHA256 8
-#define DNS_KEYALG_RSASHA512 10
-#define DNS_KEYALG_ECCGOST 12
-#define DNS_KEYALG_ECDSA256 13
-#define DNS_KEYALG_ECDSA384 14
-#define DNS_KEYALG_ED25519 15
-#define DNS_KEYALG_ED448 16
-#define DNS_KEYALG_INDIRECT 252
-#define DNS_KEYALG_PRIVATEDNS 253
-#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
-#define DNS_KEYALG_MAX 255
+#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
+#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
+#define DNS_KEYALG_DH_DEPRECATED 2 /*%< deprecated */
+#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
+#define DNS_KEYALG_NSEC3DSA 6
+#define DNS_KEYALG_DSS DNS_ALG_DSA
+#define DNS_KEYALG_ECC 4
+#define DNS_KEYALG_RSASHA1 5
+#define DNS_KEYALG_NSEC3RSASHA1 7
+#define DNS_KEYALG_RSASHA256 8
+#define DNS_KEYALG_RSASHA512 10
+#define DNS_KEYALG_ECCGOST 12
+#define DNS_KEYALG_ECDSA256 13
+#define DNS_KEYALG_ECDSA384 14
+#define DNS_KEYALG_ED25519 15
+#define DNS_KEYALG_ED448 16
+#define DNS_KEYALG_INDIRECT 252
+#define DNS_KEYALG_PRIVATEDNS 253
+#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
+#define DNS_KEYALG_MAX 255
 
 /* Protocol values */
 #define DNS_KEYPROTO_RESERVED 0
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 08c76b71bc..9aca98804e 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
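Review bot: `#define DNS_KEYALG_DSS DNS_ALG_DSA` is rewritten by this hunk yet still points at `DNS_ALG_DSA`, a name that is not defined in this table; unless it is defined elsewhere the macro only breaks at its first use, and re-touching the whole table is the natural moment to make it `DNS_KEYALG_DSA` or drop it. The renamed entry's comment `/*%< deprecated */` should say why the number is kept: `/*%< Diffie-Hellman KEY; support removed, value stays reserved */`, so that 2 is never reused for a new algorithm. Re-aligning all twenty lines also buries the one substantive change (the rename) in whitespace; the reflow would be easier to audit as a separate commit.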
@@ -35,7 +35,6 @@ ISC_LANG_BEGINDECLS
 #define DNS_TKEYMODE_DELETE 5
 
 struct dns_tkeyctx {
- dst_key_t *dhkey;
 dns_name_t *domain;
 dns_gss_cred_id_t gsscred;
 isc_mem_t *mctx;
@@ -88,33 +87,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 *\li other An error occurred while processing the message
 */
 
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
- const dns_name_t *name, const dns_name_t *algorithm,
- isc_buffer_t *nonce, uint32_t lifetime);
-/*%<
- * Builds a query containing a TKEY that will generate a shared
- * secret using a Diffie-Hellman key exchange. The shared key
- * will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
- * is supported), and will be named either 'name',
- * 'name' + server chosen domain, or random data + server chosen domain
- * if 'name' == dns_rootname. If nonce is not NULL, it supplies
- * random data used in the shared secret computation. The key is
- * requested to have the specified lifetime (in seconds)
- *
- *
- * Requires:
- *\li 'msg' is a valid message
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'name' is a valid name
- *\li 'algorithm' is a valid name
- *
- * Returns:
- *\li #ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- *\li other an error occurred while building the message
- */
-
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 const dns_name_t *gname, isc_buffer_t *intoken,
@@ -156,29 +128,6 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
 *\li other an error occurred while building the message
 */
 
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*%<
- * Processes a response to a query containing a TKEY that was
- * designed to generate a shared secret using a Diffie-Hellman key
- * exchange. If the query was successful, a new shared key
- * is created and added to the list of shared keys.
- *
- * Requires:
- *\li 'qmsg' is a valid message (the query)
- *\li 'rmsg' is a valid message (the response)
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'outkey' is either NULL or a pointer to NULL
- *\li 'ring' is a valid keyring or NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS the shared key was successfully added
- *\li #ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 const dns_name_t *gname, dns_gss_ctx_id_t *context,
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 62192a9be7..19bcbc5ce2 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -82,7 +82,7 @@ typedef enum dst_algorithm {
 DST_ALG_UNKNOWN = 0,
 DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
 DST_ALG_RSAMD5 = 1,
- DST_ALG_DH = 2,
+ DST_ALG_DH = 2, /* Deprecated */
 DST_ALG_DSA = 3,
 DST_ALG_ECC = 4,
 DST_ALG_RSASHA1 = 5,
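Review bot: `DST_ALG_DH` keeps its name here while the parallel constant in keyvalues.h is renamed to `DNS_KEYALG_DH_DEPRECATED` in the same commit; the two have historically been interchangeable for value 2, so out-of-tree code will now compile against one spelling and not the other, and it should be both or neither. The comment `/* Deprecated */` also undersells what changed: dst_lib_init no longer registers a dst_func for this value, so a key carrying algorithm 2 is presumably rejected with DST_R_UNSUPPORTEDALG rather than merely discouraged; `/* Diffie-Hellman: no implementation left, value reserved so it is never reused */` would say so.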
@@ -804,23 +804,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n);
 *\li "n" stores the size of a generated signature
 */
 
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*%<
- * Computes the size of a shared secret generated by the given key.
- *
- * Requires:
- *\li "key" is a valid key.
- *\li "n" is not NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS
- *\li DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- *\li "n" stores the size of a generated shared secret
- */
-
 uint16_t
 dst_region_computeid(const isc_region_t *source);
 uint16_t
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 35ee4db006..01f4840345 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -284,7 +284,6 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 if (dnskey.algorithm == DST_ALG_RSAMD5 ||
- dnskey.algorithm == DST_ALG_DH ||
 dnskey.algorithm == DST_ALG_DSA ||
 dnskey.algorithm == DST_ALG_RSASHA1)
 {
diff --git a/lib/dns/openssl_shim.c b/lib/dns/openssl_shim.c
index 816813adfb..9d0e397e2d 100644
--- a/lib/dns/openssl_shim.c
+++ b/lib/dns/openssl_shim.c
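Review bot: Dropping `dnskey.algorithm == DST_ALG_DH ||` changes what dns_nsec_nseconly reports for a zone whose DNSKEY RRset still contains an algorithm-2 key: it used to count as NSEC-only and now does not, so such a zone can be moved to NSEC3 where it previously could not. That is probably the right call, since DH was never a zone-signing algorithm and nothing in the tree can sign with it after this commit, but the behaviour change is silent; a comment on the condition, `/* NSEC-only signing algorithms: RSAMD5, DSA, RSASHA1 (DH was never a signing algorithm) */`, would record the decision. The enclosing function continues outside the hunk.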
@@ -164,80 +164,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { } #endif /* !HAVE_ECDSA_SIG_GET0 */ -#if !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -/* - * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg - * are from OpenSSL 1.1.0. - */ -void -DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { - if (pub_key != NULL) { - *pub_key = dh->pub_key; - } - if (priv_key != NULL) { - *priv_key = dh->priv_key; - } -} - -int -DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { - if (pub_key != NULL) { - BN_free(dh->pub_key); - dh->pub_key = pub_key; - } - - if (priv_key != NULL) { - BN_free(dh->priv_key); - dh->priv_key = priv_key; - } - - return (1); -} - -void -DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g) { - if (p != NULL) { - *p = dh->p; - } - if (q != NULL) { - *q = dh->q; - } - if (g != NULL) { - *g = dh->g; - } -} - -int -DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - /* If the fields p and g in d are NULL, the corresponding input - * parameters MUST be non-NULL. q may remain NULL. - */ - if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) { - return (0); - } - - if (p != NULL) { - BN_free(dh->p); - dh->p = p; - } - if (q != NULL) { - BN_free(dh->q); - dh->q = q; - } - if (g != NULL) { - BN_free(dh->g); - dh->g = g; - } - - if (q != NULL) { - dh->length = BN_num_bits(q); - } - - return (1); -} -#endif /* !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - #if !HAVE_ERR_GET_ERROR_ALL static const char err_empty_string = '\0'; diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h index 87a4136388..a0b87626db 100644 --- a/lib/dns/openssl_shim.h +++ b/lib/dns/openssl_shim.h 
@@ -96,20 +96,6 @@ int
 ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 #endif /* !HAVE_ECDSA_SIG_GET0 */
 
-#if !HAVE_DH_GET0_KEY
-void
-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-
-int
-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-
-void
-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
-
-int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* !HAVE_DH_GET0_KEY */
-
 #if !HAVE_ERR_GET_ERROR_ALL
 unsigned long
 ERR_get_error_all(const char **file, int *line, const char **func,
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
deleted file mode 100644
index c4729b675f..0000000000
--- a/lib/dns/openssldh_link.c
+++ /dev/null
@@ -1,1325 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 AND ISC - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Copyright (C) Network Associates, Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/*! 
\file */ - -#include -#include -#include - -#include -#include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#include -#endif -#include -#include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#include -#endif -#include - -#include -#include -#include -#include -#include - -#include "dst_internal.h" -#include "dst_openssl.h" -#include "dst_parse.h" -#include "openssl_shim.h" - -#define PRIME2 "02" - -#define PRIME768 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \ - "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \ - "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFF" \ - "F" - -#define PRIME1024 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \ - "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \ - "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \ - "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF" - -#define PRIME1536 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; - -static isc_result_t -openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dhpub, *dhpriv; - const BIGNUM *pub_key = NULL; - int secret_len = 0; -#else - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *dhpub, *dhpriv; - size_t secret_len = 0; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - 
unsigned int len; - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); - - dhpub = pub->keydata.dh; - dhpriv = priv->keydata.dh; - - len = DH_size(dhpriv); -#else - REQUIRE(pub->keydata.pkey != NULL); - REQUIRE(priv->keydata.pkey != NULL); - - dhpub = pub->keydata.pkey; - dhpriv = priv->keydata.pkey; - - len = EVP_PKEY_get_size(dhpriv); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(secret, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH_get0_key(dhpub, &pub_key, NULL); - secret_len = DH_compute_key(r.base, pub_key, dhpriv); - if (secret_len <= 0) { - return (dst__openssl_toresult2("DH_compute_key", - DST_R_COMPUTESECRETFAILURE)); - } -#else - ctx = EVP_PKEY_CTX_new_from_pkey(NULL, dhpriv, NULL); - if (ctx == NULL) { - return (dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_derive_init(ctx) != 1) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_derive_set_peer(ctx, dhpub) != 1) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive_set_peer", - DST_R_OPENSSLFAILURE)); - } - secret_len = r.length; - if (EVP_PKEY_derive(ctx, r.base, &secret_len) != 1 || secret_len == 0) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive", - DST_R_COMPUTESECRETFAILURE)); - } - EVP_PKEY_CTX_free(ctx); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(secret, (unsigned int)secret_len); - - return (ISC_R_SUCCESS); -} - -static bool -openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM 
*pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) { - return (true); - } else if (dh1 == NULL || dh2 == NULL) { - return (false); - } - - DH_get0_key(dh1, &pub_key1, &priv_key1); - DH_get0_key(dh2, &pub_key2, &priv_key2); - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); -#else - pkey1 = key1->keydata.pkey; - pkey2 = key2->keydata.pkey; - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); - } else if (pkey1 == NULL || pkey2 == NULL) { - return (false); - } - - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PUB_KEY, &pub_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) - { - DST_RET(false); - } - - if (priv_key1 != NULL || priv_key2 != NULL) { - if (priv_key1 == NULL || priv_key2 == NULL || - BN_cmp(priv_key1, priv_key2) != 0) - { - DST_RET(false); - } - } - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - 
BN_free(p1); - } - if (p2 != NULL) { - BN_free(p2); - } - if (g1 != NULL) { - BN_free(g1); - } - if (g2 != NULL) { - BN_free(g2); - } - if (pub_key1 != NULL) { - BN_free(pub_key1); - } - if (pub_key2 != NULL) { - BN_free(pub_key2); - } - if (priv_key1 != NULL) { - BN_clear_free(priv_key1); - } - if (priv_key2 != NULL) { - BN_clear_free(priv_key2); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -static bool -openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) { - return (true); - } else if (dh1 == NULL || dh2 == NULL) { - return (false); - } - - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); -#else - pkey1 = key1->keydata.pkey; - pkey2 = key2->keydata.pkey; - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); - } else if (pkey1 == NULL || pkey2 == NULL) { - return (false); - } - - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - DST_RET(false); - } - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } - if (p2 != NULL) { - BN_free(p2); - } - if (g1 != NULL) { - BN_free(g1); - } 
- if (g2 != NULL) { - BN_free(g2); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 -static int -progress_cb(int p, int n, BN_GENCB *cb) { - union { - void *dptr; - void (*fptr)(int); - } u; - - UNUSED(n); - - u.dptr = BN_GENCB_get_arg(cb); - if (u.fptr != NULL) { - u.fptr(p); - } - return (1); -} -#else -static int -progress_cb(EVP_PKEY_CTX *ctx) { - union { - void *dptr; - void (*fptr)(int); - } u; - - u.dptr = EVP_PKEY_CTX_get_app_data(ctx); - if (u.fptr != NULL) { - int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - u.fptr(p); - } - return (1); -} -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -static isc_result_t -openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - isc_result_t ret; - union { - void *dptr; - void (*fptr)(int); - } u; - BIGNUM *p = NULL, *g = NULL; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - BN_GENCB *cb = NULL; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *param_ctx = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *param_pkey = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - param_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (param_ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (generator == 0) { - /* - * When `generator` is 0, we have three pre-computed `p` and `g` - * static parameters which we can use. 
- */ - if (key->key_size == 768 || key->key_size == 1024 || - key->key_size == 1536) - { - if (key->key_size == 768) { - p = BN_dup(bn768); - } else if (key->key_size == 1024) { - p = BN_dup(bn1024); - } else { - p = BN_dup(bn1536); - } - g = BN_dup(bn2); - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2( - "DH_set0_pqg", DST_R_OPENSSLFAILURE)); - } -#else - if (OSSL_PARAM_BLD_push_uint(bld, - OSSL_PKEY_PARAM_FFC_PBITS, - key->key_size) != 1) - { - DST_RET(dst__openssl_toresult2( - "OSSL_PARAM_BLD_push_uint", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, - p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, - g) != 1) - { - DST_RET(dst__openssl_toresult2( - "OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - } else { - /* - * If the requested size is not present in our - * pre-computed set, we will use `generator` 2 to - * generate new parameters. 
- */ - generator = 2; - } - } - - if (generator != 0) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (callback != NULL) { - cb = BN_GENCB_new(); - if (cb == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - u.fptr = callback; - BN_GENCB_set(cb, progress_cb, u.dptr); - } - - if (!DH_generate_parameters_ex(dh, key->key_size, generator, - cb)) - { - DST_RET(dst__openssl_toresult2("DH_generate_parameters_" - "ex", - DST_R_OPENSSLFAILURE)); - } -#else - if (OSSL_PARAM_BLD_push_int(bld, OSSL_PKEY_PARAM_DH_GENERATOR, - generator) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "int", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_utf8_string( - bld, OSSL_PKEY_PARAM_FFC_TYPE, "generator", 0) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "utf8_string", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_uint(bld, OSSL_PKEY_PARAM_FFC_PBITS, - key->key_size) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "uint", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_generate_key(dh) == 0) { - DST_RET(dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); - } - key->keydata.dh = dh; - dh = NULL; -#else - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - - if (generator == 0) { - if (EVP_PKEY_fromdata_init(param_ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(param_ctx, ¶m_pkey, - OSSL_KEYMGMT_SELECT_ALL, params) != 1 || - param_pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - } else { - if (EVP_PKEY_paramgen_init(param_ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen_init", - 
DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_CTX_set_params(param_ctx, params) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_set_" - "params", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_paramgen(param_ctx, ¶m_pkey) != 1 || - param_pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen", - DST_R_OPENSSLFAILURE)); - } - } - - /* - * Now `param_pkey` holds the DH parameters (either pre-coumputed or - * newly generated) so we will generate a new public/private key-pair - * using those parameters and put it into `pkey`. - */ - ctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_pkey, NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey", - DST_R_OPENSSLFAILURE)); - } - if (callback != NULL) { - u.fptr = callback; - EVP_PKEY_CTX_set_app_data(ctx, u.dptr); - EVP_PKEY_CTX_set_cb(ctx, progress_cb); - } - if (EVP_PKEY_keygen_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_keygen(ctx, &pkey) != 1 || pkey == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } - if (cb != NULL) { - BN_GENCB_free(cb); - } -#else - if (param_pkey != NULL) { - EVP_PKEY_free(param_pkey); - } - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (param_ctx != NULL) { - EVP_PKEY_CTX_free(param_ctx); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); -} - -static bool -openssldh_isprivate(const 
dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - const BIGNUM *priv_key = NULL; - - DH_get0_key(dh, NULL, &priv_key); - - return (dh != NULL && priv_key != NULL); -#else - bool ret; - EVP_PKEY *pkey; - BIGNUM *priv_key = NULL; - - pkey = key->keydata.pkey; - if (pkey == NULL) { - return (false); - } - - ret = (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, - &priv_key) == 1 && - priv_key != NULL); - if (priv_key != NULL) { - BN_clear_free(priv_key); - } - - return (ret); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -} - -static void -openssldh_destroy(dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - - if (dh == NULL) { - return; - } - - DH_free(dh); - key->keydata.dh = NULL; -#else - EVP_PKEY *pkey = key->keydata.pkey; - - if (pkey == NULL) { - return; - } - - EVP_PKEY_free(pkey); - key->keydata.pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -} - -static void -uint16_toregion(uint16_t val, isc_region_t *region) { - *region->base = (val & 0xff00) >> 8; - isc_region_consume(region, 1); - *region->base = (val & 0x00ff); - isc_region_consume(region, 1); -} - -static uint16_t -uint16_fromregion(isc_region_t *region) { - uint16_t val; - unsigned char *cp = region->base; - - val = ((unsigned int)(cp[0])) << 8; - val |= ((unsigned int)(cp[1])); - - isc_region_consume(region, 2); - - return (val); -} - -static isc_result_t -openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret = ISC_R_SUCCESS; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; -#else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - uint16_t dnslen, plen, glen, 
publen; - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(key->keydata.dh != NULL); - - dh = key->keydata.dh; - DH_get0_pqg(dh, &p, NULL, &g); - DH_get0_key(dh, &pub_key, NULL); -#else - REQUIRE(key->keydata.pkey != NULL); - - pkey = key->keydata.pkey; - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - - if (BN_cmp(g, bn2) == 0 && - (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 || - BN_cmp(p, bn1536) == 0)) - { - plen = 1; - glen = 0; - } else { - plen = BN_num_bytes(p); - glen = BN_num_bytes(g); - } - - publen = BN_num_bytes(pub_key); - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int)dnslen) { - DST_RET(ISC_R_NOSPACE); - } - - uint16_toregion(plen, &r); - if (plen == 1) { - if (BN_cmp(p, bn768) == 0) { - *r.base = 1; - } else if (BN_cmp(p, bn1024) == 0) { - *r.base = 2; - } else { - *r.base = 3; - } - } else { - BN_bn2bin(p, r.base); - } - isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) { - BN_bn2bin(g, r.base); - } - isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); - BN_bn2bin(pub_key, r.base); - isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -static isc_result_t -openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - 
EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - int key_size; - isc_region_t r; - uint16_t plen, glen, publen; - int special = 0; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - return (ISC_R_SUCCESS); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a - * prime follows, otherwise an error. - */ - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - plen = uint16_fromregion(&r); - if (plen < 16 && plen != 1 && plen != 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (r.length < plen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (plen == 1 || plen == 2) { - if (plen == 1) { - special = *r.base; - isc_region_consume(&r, 1); - } else { - special = uint16_fromregion(&r); - } - switch (special) { - case 1: - p = BN_dup(bn768); - break; - case 2: - p = BN_dup(bn1024); - break; - case 3: - p = BN_dup(bn1536); - break; - default: - DST_RET(DST_R_INVALIDPUBLICKEY); - } - } else { - p = BN_bin2bn(r.base, plen, NULL); - isc_region_consume(&r, plen); - } - - /* - * Read the generator length. This should be 0 if the prime was - * special, but it might not be. If it's 0 and the prime is not - * special, we have a problem. 
- */ - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - glen = uint16_fromregion(&r); - if (r.length < glen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (special != 0) { - if (glen == 0) { - g = BN_dup(bn2); - } else { - g = BN_bin2bn(r.base, glen, NULL); - if (g != NULL && BN_cmp(g, bn2) != 0) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - } - } else { - if (glen == 0) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - g = BN_bin2bn(r.base, glen, NULL); - } - isc_region_consume(&r, glen); - - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - - key_size = BN_num_bits(p); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); - } - - /* These are now managed by OpenSSL */ - p = NULL; - g = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - publen = uint16_fromregion(&r); - if (r.length < publen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - pub_key = BN_bin2bn(r.base, publen, NULL); - if (pub_key == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - - isc_region_consume(&r, publen); - - isc_buffer_forward(data, plen + glen + publen + 6); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 -#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ - (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) - /* - * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when - * DH structure is empty, hence we cannot use DH_get0_key(). 
- */ - dh->pub_key = pub_key; -#else /* LIBRESSL_VERSION_NUMBER */ - if (DH_set0_key(dh, pub_key, NULL) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); - } -#endif /* LIBRESSL_VERSION_NUMBER */ - - /* This is now managed by OpenSSL */ - pub_key = NULL; - - key->keydata.dh = dh; - dh = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) != - 1 || - pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -#else - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - - return (ret); -} - -static isc_result_t -openssldh_tofile(const dst_key_t *key, const char *directory) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; -#else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *priv_key = NULL, 
*p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *bufs[4] = { NULL }; - unsigned short i = 0; - isc_result_t result; - - if (key->external) { - return (DST_R_EXTERNALKEY); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->keydata.dh == NULL) { - return (DST_R_NULLKEY); - } - - dh = key->keydata.dh; - DH_get0_key(dh, &pub_key, &priv_key); - DH_get0_pqg(dh, &p, NULL, &g); -#else - if (key->keydata.pkey == NULL) { - return (DST_R_NULLKEY); - } - - pkey = key->keydata.pkey; - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = BN_num_bytes(p); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(p, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_GENERATOR; - priv.elements[i].length = BN_num_bytes(g); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(g, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PRIVATE; - priv.elements[i].length = BN_num_bytes(priv_key); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(priv_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PUBLIC; - priv.elements[i].length = BN_num_bytes(pub_key); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(pub_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - - while (i--) { - if (bufs[i] != NULL) { - isc_mem_put(key->mctx, bufs[i], - 
priv.elements[i].length); - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - if (priv_key != NULL) { - BN_clear_free(priv_key); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (result); -} - -static isc_result_t -openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - int key_size = 0; - isc_mem_t *mctx; - - UNUSED(pub); - mctx = key->mctx; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - if (key->external) { - DST_RET(DST_R_EXTERNALKEY); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(ISC_R_NOMEMORY); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; - bn = BN_bin2bn(priv.elements[i].data, priv.elements[i].length, - NULL); - if (bn == NULL) { - DST_RET(ISC_R_NOMEMORY); - } - - switch (priv.elements[i].tag) { - case TAG_DH_PRIME: - p = bn; - key_size = BN_num_bits(p); - break; - case TAG_DH_GENERATOR: - g = bn; - break; - case 
TAG_DH_PRIVATE: - priv_key = bn; - break; - case TAG_DH_PUBLIC: - pub_key = bn; - break; - } - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_key(dh, pub_key, priv_key) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); - } - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); - } - - /* These are now managed by OpenSSL */ - pub_key = NULL; - priv_key = NULL; - p = NULL; - g = NULL; - - key->keydata.dh = dh; - dh = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) != - 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key) != - 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) != - 1 || - pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -#else - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != 
NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - if (priv_key != NULL) { - BN_clear_free(priv_key); - } - if (ret != ISC_R_SUCCESS) { - openssldh_destroy(key); - } - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ret); -} - -static void -openssldh_cleanup(void) { - BN_free(bn2); - bn2 = NULL; - - BN_free(bn768); - bn768 = NULL; - - BN_free(bn1024); - bn1024 = NULL; - - BN_free(bn1536); - bn1536 = NULL; -} - -static dst_func_t openssldh_functions = { - NULL, /*%< createctx */ - NULL, /*%< createctx2 */ - NULL, /*%< destroyctx */ - NULL, /*%< adddata */ - NULL, /*%< openssldh_sign */ - NULL, /*%< openssldh_verify */ - NULL, /*%< openssldh_verify2 */ - openssldh_computesecret, - openssldh_compare, - openssldh_paramcompare, - openssldh_generate, - openssldh_isprivate, - openssldh_destroy, - openssldh_todns, - openssldh_fromdns, - openssldh_tofile, - openssldh_parse, - openssldh_cleanup, - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__openssldh_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) { - if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) { - goto cleanup; - } - *funcp = &openssldh_functions; - } - return (ISC_R_SUCCESS); - -cleanup: - if (bn2 != NULL) { - BN_free(bn2); - } - if (bn768 != NULL) { - BN_free(bn768); - } - if (bn1024 != NULL) { - BN_free(bn1024); - } - if (bn1536 != NULL) { - BN_free(bn1536); - } - return (ISC_R_NOMEMORY); -} diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index 9aa89deeef..c0141621ef 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c 
@@ -97,25 +97,26 @@ /* RFC2535 section 7, RFC3110 */
-#define SECALGNAMES \
- { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
- { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
- { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
- { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
- { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
- { DNS_KEYALG_ED25519, "ED25519", 0 }, \
- { DNS_KEYALG_ED448, "ED448", 0 }, \
- { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
- { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
- { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
- 0, NULL, 0 \
+#define SECALGNAMES \
+ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+ { DNS_KEYALG_DH_DEPRECATED, "DH", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
+ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
+ { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+ { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
+ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
+ { DNS_KEYALG_ED25519, "ED25519", 0 }, \
+ { DNS_KEYALG_ED448, "ED448", 0 }, \
+ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
+ 0, NULL, 0 \
 }
 /* RFC2535 section 7.1 */
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index fc68a5405f..6912037c46 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
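Review bot: The `"DH"` string stays in SECALGNAMES under the renamed constant, so a name-to-number lookup through this table (presumably dns_secalg_fromtext) still resolves `DH` to the DH algorithm number even though DH key handling is being removed elsewhere in this commit; any remaining tool or config path that maps a user-supplied algorithm name through it will therefore still accept `DH` and continue with whatever guards remain downstream. A one-line comment on the entry would record that this is intentional, e.g. `/* kept so existing records naming the DH algorithm still parse; DH keys are no longer generated */`. Whether the DNS_KEYALG_DH_DEPRECATED rename is mirrored for DST_ALG_DH, which the lib/dns/resolver.c hunk below still uses, is not visible here.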
@@ -11016,9 +11016,6 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver,
 REQUIRE(VALID_RESOLVER(resolver));
- /*
- * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
- */
 if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
 return (false);
 }
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 9218e070fc..1897b26e14 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -109,18 +109,14 @@ dumpmessage(dns_message_t *msg) {
 isc_result_t
 dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
- dns_tkeyctx_t *tctx;
-
 REQUIRE(mctx != NULL);
 REQUIRE(tctxp != NULL && *tctxp == NULL);
- tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
- tctx->mctx = NULL;
+ dns_tkeyctx_t *tctx = isc_mem_get(mctx, sizeof(*tctx));
+ *tctx = (dns_tkeyctx_t){
+ .mctx = NULL,
+ };
 isc_mem_attach(mctx, &tctx->mctx);
- tctx->dhkey = NULL;
- tctx->domain = NULL;
- tctx->gsscred = NULL;
- tctx->gssapi_keytab = NULL;
 *tctxp = tctx;
 return (ISC_R_SUCCESS);
@@ -137,9 +133,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
 *tctxp = NULL;
 mctx = tctx->mctx;
- if (tctx->dhkey != NULL) {
- dst_key_free(&tctx->dhkey);
- }
 if (tctx->domain != NULL) {
 if (dns_name_dynamic(tctx->domain)) {
 dns_name_free(tctx->domain, mctx);
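Review bot: The comment giving the reason for rejecting DST_ALG_DH is deleted while the check on the following line is kept, so the `return (false)` in dns_resolver_algorithm_supported no longer carries its RFC 4034 A.1 rationale anywhere nearby. A one-liner such as `/* neither DH nor INDIRECT is a valid DNSKEY algorithm, see RFC 4034 A.1 */` keeps the rejection self-explanatory now that the surrounding DH code is gone. This hunk also still spells the constant DST_ALG_DH while the lib/dns/rcode.c hunk above switches to DNS_KEYALG_DH_DEPRECATED; if DST_ALG_DH is renamed in the same series, this line needs the same update. The enclosing function starts and ends outside the hunk.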
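Review bot: dns_tkeyctx_destroy no longer frees `tctx->dhkey` and dns_tkeyctx_create no longer clears it, but neither tkey.c hunk shows whether the `dhkey` member was removed from `dns_tkeyctx_t` in the header. If the field is still declared, the compound-literal initializer in dns_tkeyctx_create zeroes it so nothing leaks today, but any surviving assignment to it (the `tkey-dhkey` configuration path that the deleted process_dhtkey code referred to) would now leak the key on destroy; confirming that the struct member and its loader were dropped in the same commit closes that gap. In dns_tkeyctx_create the explicit `.mctx = NULL,` inside the compound literal is redundant with zero-initialization; `*tctx = (dns_tkeyctx_t){ 0 };` says the same thing, or keep the member as documentation but drop the trailing comma on a one-member initializer. dns_tkeyctx_destroy continues outside the hunk.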
@@ -212,270 +205,6 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) { } } -static isc_result_t -compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, - isc_region_t *serverrandomness, isc_buffer_t *secret) { - isc_md_t *md; - isc_region_t r, r2; - unsigned char digests[ISC_MAX_MD_SIZE * 2]; - unsigned char *digest1, *digest2; - unsigned int digestslen, digestlen1 = 0, digestlen2 = 0; - unsigned int i; - isc_result_t result; - - isc_buffer_usedregion(shared, &r); - - md = isc_md_new(); - if (md == NULL) { - return (ISC_R_NOSPACE); - } - - /* - * MD5 ( query data | DH value ). - */ - digest1 = digests; - - result = isc_md_init(md, ISC_MD_MD5); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, queryrandomness->base, - queryrandomness->length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, r.base, r.length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_final(md, digest1, &digestlen1); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_reset(md); - if (result != ISC_R_SUCCESS) { - goto end; - } - - /* - * MD5 ( server data | DH value ). - */ - digest2 = digests + digestlen1; - - result = isc_md_init(md, ISC_MD_MD5); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, serverrandomness->base, - serverrandomness->length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, r.base, r.length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_final(md, digest2, &digestlen2); - if (result != ISC_R_SUCCESS) { - goto end; - } - - isc_md_free(md); - md = NULL; - - digestslen = digestlen1 + digestlen2; - - /* - * XOR ( DH value, MD5-1 | MD5-2). 
- */ - isc_buffer_availableregion(secret, &r); - isc_buffer_usedregion(shared, &r2); - if (r.length < digestslen || r.length < r2.length) { - return (ISC_R_NOSPACE); - } - if (r2.length > digestslen) { - memmove(r.base, r2.base, r2.length); - for (i = 0; i < digestslen; i++) { - r.base[i] ^= digests[i]; - } - isc_buffer_add(secret, r2.length); - } else { - memmove(r.base, digests, digestslen); - for (i = 0; i < r2.length; i++) { - r.base[i] ^= r2.base[i]; - } - isc_buffer_add(secret, digestslen); - } - result = ISC_R_SUCCESS; -end: - if (md != NULL) { - isc_md_free(md); - } - return (result); -} - -static isc_result_t -process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, - dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, - dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring, - dns_namelist_t *namelist) { - isc_result_t result = ISC_R_SUCCESS; - dns_name_t *keyname, ourname; - dns_rdataset_t *keyset = NULL; - dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT; - bool found_key = false, found_incompatible = false; - dst_key_t *pubkey = NULL; - isc_buffer_t ourkeybuf, *shared = NULL; - isc_region_t r, r2, ourkeyr; - unsigned char keydata[DST_KEY_MAXSIZE]; - unsigned int sharedsize; - isc_buffer_t secret; - unsigned char *randomdata = NULL, secretdata[256]; - dns_ttl_t ttl = 0; - - if (tctx->dhkey == NULL) { - tkey_log("process_dhtkey: tkey-dhkey not defined"); - tkeyout->error = dns_tsigerror_badalg; - return (DNS_R_REFUSED); - } - - if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { - tkey_log("process_dhtkey: algorithms other than " - "hmac-md5 are not supported"); - tkeyout->error = dns_tsigerror_badalg; - return (ISC_R_SUCCESS); - } - - /* - * Look for a DH KEY record that will work with ours. 
- */ - for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL); - result == ISC_R_SUCCESS && !found_key; - result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) - { - keyname = NULL; - dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname); - keyset = NULL; - result = dns_message_findtype(keyname, dns_rdatatype_key, 0, - &keyset); - if (result != ISC_R_SUCCESS) { - continue; - } - - for (result = dns_rdataset_first(keyset); - result == ISC_R_SUCCESS && !found_key; - result = dns_rdataset_next(keyset)) - { - dns_rdataset_current(keyset, &keyrdata); - pubkey = NULL; - result = dns_dnssec_keyfromrdata(keyname, &keyrdata, - msg->mctx, &pubkey); - if (result != ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - continue; - } - if (dst_key_alg(pubkey) == DNS_KEYALG_DH) { - if (dst_key_paramcompare(pubkey, tctx->dhkey)) { - found_key = true; - ttl = keyset->ttl; - break; - } else { - found_incompatible = true; - } - } - dst_key_free(&pubkey); - dns_rdata_reset(&keyrdata); - } - } - - if (!found_key) { - if (found_incompatible) { - tkey_log("process_dhtkey: found an incompatible key"); - tkeyout->error = dns_tsigerror_badkey; - return (ISC_R_SUCCESS); - } else { - tkey_log("process_dhtkey: failed to find a key"); - return (DNS_R_FORMERR); - } - } - - add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist); - - isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata)); - RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf)); - isc_buffer_usedregion(&ourkeybuf, &ourkeyr); - dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any, - dns_rdatatype_key, &ourkeyr); - - dns_name_init(&ourname, NULL); - dns_name_clone(dst_key_name(tctx->dhkey), &ourname); - - /* - * XXXBEW The TTL should be obtained from the database, if it exists. 
- */ - add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist); - - RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize)); - isc_buffer_allocate(msg->mctx, &shared, sharedsize); - - result = dst_key_computesecret(pubkey, tctx->dhkey, shared); - if (result != ISC_R_SUCCESS) { - tkey_log("process_dhtkey: failed to compute shared secret: %s", - isc_result_totext(result)); - goto failure; - } - dst_key_free(&pubkey); - - isc_buffer_init(&secret, secretdata, sizeof(secretdata)); - - randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT); - - isc_nonce_buf(randomdata, TKEY_RANDOM_AMOUNT); - - r.base = randomdata; - r.length = TKEY_RANDOM_AMOUNT; - r2.base = tkeyin->key; - r2.length = tkeyin->keylen; - RETERR(compute_secret(shared, &r2, &r, &secret)); - isc_buffer_free(&shared); - - RETERR(dns_tsigkey_create( - name, &tkeyin->algorithm, isc_buffer_base(&secret), - isc_buffer_usedlength(&secret), true, signer, tkeyin->inception, - tkeyin->expire, ring->mctx, ring, NULL)); - - /* This key is good for a long time */ - tkeyout->inception = tkeyin->inception; - tkeyout->expire = tkeyin->expire; - - tkeyout->key = randomdata; - tkeyout->keylen = TKEY_RANDOM_AMOUNT; - - return (ISC_R_SUCCESS); - -failure: - if (!ISC_LIST_EMPTY(*namelist)) { - free_namelist(msg, namelist); - } - if (shared != NULL) { - isc_buffer_free(&shared); - } - if (pubkey != NULL) { - dst_key_free(&pubkey); - } - if (randomdata != NULL) { - isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT); - } - return (result); -} - static isc_result_t process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout, 
@@ -854,11 +583,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 }
 switch (tkeyin.mode) {
- case DNS_TKEYMODE_DIFFIEHELLMAN:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_dhtkey(msg, signer, keyname, &tkeyin, tctx,
- &tkeyout, ring, &namelist));
- break;
 case DNS_TKEYMODE_GSSAPI:
 tkeyout.error = dns_rcode_noerror;
 RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx, &tkeyout,
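Review bot: With the DNS_TKEYMODE_DIFFIEHELLMAN case removed, a TKEY query that still carries that mode value on the wire now falls through to the switch's `default` branch, which is outside this hunk; presumably that branch answers with `dns_tsigerror_badmode`, but since this is the response an unsupported-but-well-formed mode should get, it is worth pinning with a test rather than inheriting whatever the default does. The deleted call was also the only use of `signer` visible in this hunk; if dns_tkey_processquery has no other use of it, the parameter now draws an unused-parameter warning and needs `UNUSED(signer);` or removal from the signature. The enclosing function starts and ends outside the hunk.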
@@ -988,81 +712,6 @@ buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey, return (ISC_R_SUCCESS); } -isc_result_t -dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, - const dns_name_t *name, const dns_name_t *algorithm, - isc_buffer_t *nonce, uint32_t lifetime) { - dns_rdata_tkey_t tkey; - dns_rdata_t *rdata = NULL; - isc_buffer_t *dynbuf = NULL; - isc_region_t r; - dns_name_t keyname; - dns_namelist_t namelist; - isc_result_t result; - isc_stdtime_t now; - dns_name_t *item; - - REQUIRE(msg != NULL); - REQUIRE(key != NULL); - REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH); - REQUIRE(dst_key_isprivate(key)); - REQUIRE(name != NULL); - REQUIRE(algorithm != NULL); - - tkey.common.rdclass = dns_rdataclass_any; - tkey.common.rdtype = dns_rdatatype_tkey; - ISC_LINK_INIT(&tkey.common, link); - tkey.mctx = msg->mctx; - dns_name_init(&tkey.algorithm, NULL); - dns_name_clone(algorithm, &tkey.algorithm); - isc_stdtime_get(&now); - tkey.inception = now; - tkey.expire = now + lifetime; - tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN; - if (nonce != NULL) { - isc_buffer_usedregion(nonce, &r); - } else { - r.base = NULL; - r.length = 0; - } - tkey.error = 0; - tkey.key = r.base; - tkey.keylen = r.length; - tkey.other = NULL; - tkey.otherlen = 0; - - RETERR(buildquery(msg, name, &tkey, false)); - - dns_message_gettemprdata(msg, &rdata); - isc_buffer_allocate(msg->mctx, &dynbuf, 1024); - RETERR(dst_key_todns(key, dynbuf)); - isc_buffer_usedregion(dynbuf, &r); - dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_key, &r); - dns_message_takebuffer(msg, &dynbuf); - - dns_name_init(&keyname, NULL); - dns_name_clone(dst_key_name(key), &keyname); - - ISC_LIST_INIT(namelist); - add_rdata_to_list(msg, &keyname, rdata, 0, &namelist); - item = ISC_LIST_HEAD(namelist); - while (item != NULL) { - dns_name_t *next = ISC_LIST_NEXT(item, link); - ISC_LIST_UNLINK(namelist, item, link); - dns_message_addname(msg, item, DNS_SECTION_ADDITIONAL); - item = next; - } - 
- return (ISC_R_SUCCESS);
-
-failure:
-
- if (dynbuf != NULL) {
- isc_buffer_free(&dynbuf);
- }
- return (result);
-}
-
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name, const dns_name_t *gname, isc_buffer_t *intoken,
@@ -1165,138 +814,6 @@ find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata, return (result); } -isc_result_t -dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg, - dst_key_t *key, isc_buffer_t *nonce, - dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring) { - dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT; - dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname; - dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL; - dns_rdata_t theirkeyrdata = DNS_RDATA_INIT; - dst_key_t *theirkey = NULL; - dns_rdata_tkey_t qtkey, rtkey; - unsigned char secretdata[256]; - unsigned int sharedsize; - isc_buffer_t *shared = NULL, secret; - isc_region_t r, r2; - isc_result_t result; - bool freertkey = false; - - REQUIRE(qmsg != NULL); - REQUIRE(rmsg != NULL); - REQUIRE(key != NULL); - REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH); - REQUIRE(dst_key_isprivate(key)); - if (outkey != NULL) { - REQUIRE(*outkey == NULL); - } - - if (rmsg->rcode != dns_rcode_noerror) { - return (dns_result_fromrcode(rmsg->rcode)); - } - RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER)); - RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL)); - freertkey = true; - - RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL)); - RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL)); - - if (rtkey.error != dns_rcode_noerror || - rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN || - rtkey.mode != qtkey.mode || - !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) || - rmsg->rcode != dns_rcode_noerror) - { - tkey_log("dns_tkey_processdhresponse: tkey mode invalid " - "or error set(1)"); - result = DNS_R_INVALIDTKEY; - dns_rdata_freestruct(&qtkey); - goto failure; - } - - dns_rdata_freestruct(&qtkey); - - dns_name_init(&keyname, NULL); - dns_name_clone(dst_key_name(key), &keyname); - - ourkeyname = NULL; - ourkeyset = NULL; - RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname, - dns_rdatatype_key, 0, &ourkeyname, 
- &ourkeyset)); - - result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER); - while (result == ISC_R_SUCCESS) { - theirkeyname = NULL; - dns_message_currentname(rmsg, DNS_SECTION_ANSWER, - &theirkeyname); - if (dns_name_equal(theirkeyname, ourkeyname)) { - goto next; - } - theirkeyset = NULL; - result = dns_message_findtype(theirkeyname, dns_rdatatype_key, - 0, &theirkeyset); - if (result == ISC_R_SUCCESS) { - RETERR(dns_rdataset_first(theirkeyset)); - break; - } - next: - result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER); - } - - if (theirkeyset == NULL) { - tkey_log("dns_tkey_processdhresponse: failed to find server " - "key"); - result = ISC_R_NOTFOUND; - goto failure; - } - - dns_rdataset_current(theirkeyset, &theirkeyrdata); - RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata, rmsg->mctx, - &theirkey)); - - RETERR(dst_key_secretsize(key, &sharedsize)); - isc_buffer_allocate(rmsg->mctx, &shared, sharedsize); - - RETERR(dst_key_computesecret(theirkey, key, shared)); - - isc_buffer_init(&secret, secretdata, sizeof(secretdata)); - - r.base = rtkey.key; - r.length = rtkey.keylen; - if (nonce != NULL) { - isc_buffer_usedregion(nonce, &r2); - } else { - r2.base = NULL; - r2.length = 0; - } - RETERR(compute_secret(shared, &r2, &r, &secret)); - - isc_buffer_usedregion(&secret, &r); - result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base, - r.length, true, NULL, rtkey.inception, - rtkey.expire, rmsg->mctx, ring, outkey); - isc_buffer_free(&shared); - dns_rdata_freestruct(&rtkey); - dst_key_free(&theirkey); - return (result); - -failure: - if (shared != NULL) { - isc_buffer_free(&shared); - } - - if (theirkey != NULL) { - dst_key_free(&theirkey); - } - - if (freertkey) { - dns_rdata_freestruct(&rtkey); - } - - return (result); -} - isc_result_t dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, const dns_name_t *gname, dns_gss_ctx_id_t *context, diff --git a/lib/dns/zone.c b/lib/dns/zone.c index bb3bcaa79b..1c10265aa2 100644 
--- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9006,8 +9006,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db, } alg = tuple->rdata.data[3]; - if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH || - alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1) + if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA || + alg == DNS_KEYALG_RSASHA1) { nseconly = true; } @@ -9017,8 +9017,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db, if (keys != NULL && !nseconly) { for (unsigned int i = 0; i < numkeys; i++) { alg = dst_key_alg(keys[i]); - if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH || - alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1) + if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA || + alg == DNS_KEYALG_RSASHA1) { nseconly = true; break; diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index abb18008d3..18af596704 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -246,8 +246,8 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, } /* NSEC3 cannot be used with certain key algorithms. */ - if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH || - keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1) + if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA || + keyalg == DNS_KEYALG_RSASHA1) { badalg = keyalg; } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index ff938f1fac..13eeed8580 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -145,18 +145,6 @@ static cfg_type_t cfg_type_view; static cfg_type_t cfg_type_viewopts; static cfg_type_t cfg_type_zone; -/*% tkey-dhkey */ - -static cfg_tuplefielddef_t tkey_dhkey_fields[] = { - { "name", &cfg_type_qstring, 0 }, - { "keyid", &cfg_type_uint32, 0 }, - { NULL, NULL, 0 } -}; - -static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey", cfg_parse_tuple, - cfg_print_tuple, cfg_doc_tuple, - &cfg_rep_tuple, tkey_dhkey_fields }; - /*% listen-on */ static cfg_tuplefielddef_t listenon_tuple_fields[] = { 
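Review bot: The three-algorithm test kept in this condition is now one of three verbatim copies of the same list — the next hunk at `alg = dst_key_alg(keys[i]);` and `cfg_nsec3param_fromconfig` in lib/isccfg/kaspconf.c carry it too, and this commit had to edit all three in lockstep, which is exactly the drift a repeated literal invites. A single predicate next to the DNS_KEYALG_* definitions, `static inline bool dns_keyalg_nsec_only(unsigned int alg) { return alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1; }`, would reduce each site to `if (dns_keyalg_nsec_only(alg)) {` and make the next algorithm removal a one-line change. One side effect worth a sentence in the commit message: `alg = tuple->rdata.data[3]` still reads the algorithm byte of whatever DNSKEY is in the zone, so a record with algorithm number 2 no longer forces NSEC-only — presumably harmless since DH was never a zone-signing algorithm, but the old check was the only place here that said so. `dns_zone_check_dnskey_nsec3` starts and ends outside the hunk.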
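Review bot: The comment above the new condition, `/* NSEC3 cannot be used with certain key algorithms. */`, leaves the reader to guess why these three and not, say, ECDSAP256SHA256, and a commit that has just edited the list is the natural place to name the rule. Suggested replacement: `/* RFC 5155 §2 introduced DSA-NSEC3-SHA1 (6) and RSASHA1-NSEC3-SHA1 (7) so NSEC3 zones are never signed with the pre-NSEC3 numbers DSA (3) and RSASHA1 (5); RSAMD5 (1) has no NSEC3 alias and is deprecated (RFC 6725). */`. `cfg_nsec3param_fromconfig` starts and ends outside the hunk.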
@@ -1327,7 +1315,7 @@ static cfg_clausedef_t options_clauses[] = { { "tcp-listen-queue", &cfg_type_uint32, 0 }, { "tcp-receive-buffer", &cfg_type_uint32, 0 }, { "tcp-send-buffer", &cfg_type_uint32, 0 }, - { "tkey-dhkey", &cfg_type_tkey_dhkey, 0 }, + { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "tkey-domain", &cfg_type_qstring, 0 }, { "tkey-gssapi-credential", &cfg_type_qstring, 0 }, { "tkey-gssapi-keytab", &cfg_type_qstring, 0 }, diff --git a/tests/dns/Makefile.am b/tests/dns/Makefile.am index 15f1e519bd..137a159221 100644 --- a/tests/dns/Makefile.am +++ b/tests/dns/Makefile.am @@ -21,7 +21,6 @@ check_PROGRAMS = \ dbdiff_test \ dbiterator_test \ dbversion_test \ - dh_test \ dispatch_test \ dns64_test \ dst_test \ diff --git a/tests/dns/comparekeys/Kexample-private.+002+65316.key b/tests/dns/comparekeys/Kexample-private.+002+65316.key deleted file mode 100644 index 7cc002d23e..0000000000 --- a/tests/dns/comparekeys/Kexample-private.+002+65316.key +++ /dev/null @@ -1 +0,0 @@ -example-private. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5 diff --git a/tests/dns/comparekeys/Kexample-private.+002+65316.private b/tests/dns/comparekeys/Kexample-private.+002+65316.private deleted file mode 100644 index 1f00fa9ac8..0000000000 --- a/tests/dns/comparekeys/Kexample-private.+002+65316.private +++ /dev/null 
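Review bot: Keeping `tkey-dhkey` in `options_clauses` with `CFG_CLAUSEFLAG_ANCIENT` means an existing named.conf still parses the keyword, but nothing in this hunk shows what the flag does when the clause is present; if, as the name suggests, it is a hard configuration error rather than the warning an obsolete option would get, an operator who upgrades with a stale `tkey-dhkey "name" keyid;` line gets a named that refuses to start. That is a defensible outcome for a removed key-exchange mode, but it belongs in the release note, and a one-line comment here would spare the next reader the lookup: `/* DH-mode TKEY removed; keyword kept only so stale configs fail with a clear message */` (adjust to the flag's actual behaviour). The neighbouring `tkey-domain` and `tkey-gssapi-*` clauses are untouched, so the GSS-TSIG path keeps parsing as before.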
@@ -1,9 +0,0 @@
-Private-key-format: v1.3
-Algorithm: 2 (DH)
-Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
-Generator(g): Ag==
-Private_value(x): dLr0sfk/P1V0DfQ7Ke3IIaSM8nHjtrBRlMcQXRMVrLhbbKeCodvpSRtI0Nwtt38Df8dbGGtP676my2Ht2UHyL7rO0+ASv98NCysL0Xp6q2a7fn67iGFUBTg3jzXC89FYv4sYNeVLDGrKC3EjtGkalzgDVuzEC8CqRkWKeys3ufc=
-Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
-Created: 20000101000000
-Publish: 20000101000000
-Activate: 20000101000000
diff --git a/tests/dns/dh_test.c b/tests/dns/dh_test.c
deleted file mode 100644
index 246de2197a..0000000000
--- a/tests/dns/dh_test.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include /* IWYU pragma: keep */
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define UNIT_TESTING
-#include
-
-#include
-#include
-#include
-
-#include
-
-#include "dst_internal.h"
-
-#include
-
-static int
-setup_test(void **state) {
- isc_result_t result;
-
- UNUSED(state);
-
- result = dst_lib_init(mctx, NULL);
-
- if (result != ISC_R_SUCCESS) {
- return (1);
- }
-
- return (0);
-}
-
-static int
-teardown_test(void **state) {
- UNUSED(state);
-
- dst_lib_destroy();
-
- return (0);
-}
-
-/* OpenSSL DH_compute_key() failure */
-ISC_RUN_TEST_IMPL(dh_computesecret) {
- dst_key_t *key = NULL;
- isc_buffer_t buf;
- unsigned char array[1024];
- isc_result_t result;
- dns_fixedname_t fname;
- dns_name_t *name;
-
- UNUSED(state);
-
- name = dns_fixedname_initname(&fname);
- isc_buffer_constinit(&buf, "dh.", 3);
- isc_buffer_add(&buf, 3);
- result = dns_name_fromtext(name, &buf, NULL, 0, NULL);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- result = dst_key_fromfile(name, 18602, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, TESTS_DIR,
- mctx, &key);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- isc_buffer_init(&buf, array, sizeof(array));
- result = dst_key_computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_NOTPRIVATEKEY);
- result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
-
- dst_key_free(&key);
-}
-
-ISC_TEST_LIST_START
-ISC_TEST_ENTRY_CUSTOM(dh_computesecret, setup_test, teardown_test)
-ISC_TEST_LIST_END
-
-ISC_TEST_MAIN
diff --git a/tests/dns/dst_test.c b/tests/dns/dst_test.c index e60a916519..570c19c876 100644 --- a/tests/dns/dst_test.c +++ b/tests/dns/dst_test.c @@ -416,34 +416,6 @@ ISC_RUN_TEST_IMPL(cmp_test) { /* EdDSA Public Key: different key */ { "example.", 63663, "example2.", 37529, DST_ALG_ED25519, DST_TYPE_PUBLIC, false }, - - /* DH Keypair: self */ - { "example.", 65316, "example.", 65316, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, true }, - - /* DH Keypair: different key */ - { "example.", 65316, "example2.", 19823, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false }, - - /* DH Keypair: different key (with generator=5) */ - { "example.", 65316, "example3.", 17187, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false }, - - /* DH Keypair: different private key */ - { "example.", 65316, "example-private.", 65316, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false }, - - /* DH Public Key: self */ - { "example.", 65316, "example.", 65316, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_KEY, true }, - - /* DH Public Key: different key */ - { "example.", 65316, "example2.", 19823, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_KEY, false }, - - /* DH Public Key: different key (with generator=5) */ - { "example.", 65316, "example3.", 17187, DST_ALG_DH, - DST_TYPE_PUBLIC | DST_TYPE_KEY, false }, }; unsigned int i;