From bd4576b3cef88bcb78ae0dd7619019be4fdfb2ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 28 Feb 2023 16:05:34 +0100 Subject: [PATCH] Remove TKEY Mode 2 (Diffie-Hellman) Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from BIND 9 (from named, named.conf and all the tools). The TKEY usage is fringe at best and in all known cases, GSSAPI is being used as it should. The draft-eastlake-dnsop-rfc2930bis-tkey specifies that: 4.2 Diffie-Hellman Exchanged Keying (Deprecated) The use of this mode (#2) is NOT RECOMMENDED for the following two reasons but the specification is still included in Appendix A in case an implementation is needed for compatibility with old TKEY implementations. See Section 4.6 on ECDH Exchanged Keying. The mixing function used does not meet current cryptographic standards because it uses MD5 [RFC6151]. RSA keys must be excessively long to achieve levels of security required by current standards. We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key exchange mode 6 if the draft ever reaches the RFC status. Meanwhile the insecure DH mode needs to be removed. 
--- bin/dnssec/dnssec-keyfromlabel.c | 10 - bin/dnssec/dnssec-keygen.c | 37 +- bin/dnssec/dnssec-keygen.rst | 4 +- bin/dnssec/dnssectool.c | 17 - bin/named/config.c | 1 - bin/named/main.c | 8 +- bin/named/tkeyconf.c | 16 - bin/tests/system/Makefile.am | 21 +- bin/tests/system/dnssec/ns3/sign.sh | 4 +- bin/tests/system/tkey/clean.sh | 26 - bin/tests/system/tkey/keycreate.c | 260 ---- bin/tests/system/tkey/keydelete.c | 202 --- bin/tests/system/tkey/ns1/example.db | 27 - bin/tests/system/tkey/ns1/named.conf.in | 49 - bin/tests/system/tkey/ns1/setup.sh | 20 - bin/tests/system/tkey/setup.sh | 20 - bin/tests/system/tkey/tests.sh | 163 -- configure.ac | 2 +- doc/arm/reference.rst | 10 - doc/misc/options | 1 - lib/dns/Makefile.am | 1 - lib/dns/dnssec.c | 1 - lib/dns/dst_api.c | 18 - lib/dns/dst_internal.h | 4 - lib/dns/dst_parse.c | 31 - lib/dns/dst_parse.h | 6 - lib/dns/include/dns/keyvalues.h | 40 +- lib/dns/include/dns/tkey.h | 51 - lib/dns/include/dst/dst.h | 19 +- lib/dns/nsec.c | 1 - lib/dns/openssl_shim.c | 74 - lib/dns/openssl_shim.h | 14 - lib/dns/openssldh_link.c | 1325 ----------------- lib/dns/rcode.c | 39 +- lib/dns/resolver.c | 3 - lib/dns/tkey.c | 491 +----- lib/dns/zone.c | 8 +- lib/isccfg/kaspconf.c | 4 +- lib/isccfg/namedconf.c | 14 +- tests/dns/Makefile.am | 1 - .../Kexample-private.+002+65316.key | 1 - .../Kexample-private.+002+65316.private | 9 - tests/dns/dh_test.c | 94 -- tests/dns/dst_test.c | 28 - 44 files changed, 63 insertions(+), 3112 deletions(-) delete mode 100644 bin/tests/system/tkey/clean.sh delete mode 100644 bin/tests/system/tkey/keycreate.c delete mode 100644 bin/tests/system/tkey/keydelete.c delete mode 100644 bin/tests/system/tkey/ns1/example.db delete mode 100644 bin/tests/system/tkey/ns1/named.conf.in delete mode 100644 bin/tests/system/tkey/ns1/setup.sh delete mode 100644 bin/tests/system/tkey/setup.sh delete mode 100644 bin/tests/system/tkey/tests.sh delete mode 100644 lib/dns/openssldh_link.c delete mode 100644 
tests/dns/comparekeys/Kexample-private.+002+65316.key delete mode 100644 tests/dns/comparekeys/Kexample-private.+002+65316.private delete mode 100644 tests/dns/dh_test.c diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index c18da75b18..1415afadd1 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -387,9 +387,6 @@ main(int argc, char **argv) { if (ret != ISC_R_SUCCESS) { fatal("unknown algorithm %s", algname); } - if (alg == DST_ALG_DH) { - options |= DST_TYPE_KEY; - } if (use_nsec3) { switch (alg) { @@ -597,13 +594,6 @@ main(int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm '%s' cannot be a zone key", - algname); - } - isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index f11b54b182..b1c5c46b5b 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -80,7 +80,6 @@ struct keygen_ctx { char *algname; char *nametype; char *type; - int generator; int protocol; int size; int signatory; @@ -143,14 +142,13 @@ usage(void) { fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); - fprintf(stderr, " ED25519 | ED448 | DH\n"); + fprintf(stderr, " ED25519 | ED448\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA); - fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " ECDSAP256SHA256:\tignored\n"); fprintf(stderr, " ECDSAP384SHA384:\tignored\n"); fprintf(stderr, " ED25519:\tignored\n"); 
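Review bot: After the first hunk a user who still passes `-a DH` ends at the generic `fatal("unknown algorithm %s", algname)` visible just above the removed block, with no hint that DH (TKEY mode 2) support was dropped on purpose; dnssec-keygen's `-g` handler in this same patch prints a phased-out message, so a matching message here (e.g. `fatal("algorithm DH (TKEY mode 2) is no longer supported")` when algname matches "DH", before the generic lookup) would keep the two tools consistent for people migrating scripts. The second hunk removes the zone-key guard, which is fine as no remaining algorithm shares that restriction. Both hunks sit inside main(), which begins and ends outside the hunk. The header edits this patch makes to keyvalues.h and dst.h are not shown here; it is worth confirming that algorithm number 2 stays reserved in those enums so the value is never reused for a new algorithm.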
@@ -165,8 +163,6 @@ usage(void) { fprintf(stderr, " -E :\n"); fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f : KSK | REVOKE\n"); - fprintf(stderr, " -g : use specified generator " - "(DH only)\n"); fprintf(stderr, " -L : default key TTL\n"); fprintf(stderr, " -p : (default: 3 [dnssec])\n"); fprintf(stderr, " -s : strength value this key signs DNS " @@ -322,10 +318,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { fatal("unsupported algorithm: %s", algstr); } - if (ctx->alg == DST_ALG_DH) { - ctx->options |= DST_TYPE_KEY; - } - if (ctx->use_nsec3) { switch (ctx->alg) { case DST_ALG_RSASHA1: @@ -535,11 +527,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { fatal("RSA key size %d out of range", ctx->size); } break; - case DNS_KEYALG_DH: - if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) { - fatal("DH key size %d out of range", ctx->size); - } - break; case DST_ALG_ECDSA256: ctx->size = 256; break; @@ -554,10 +541,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { break; } - if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) { - fatal("specified DH generator for a non-DH key"); - } - if (ctx->nametype == NULL) { if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */ fatal("no nametype specified"); @@ -607,12 +590,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } } - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - ctx->alg == DNS_KEYALG_DH) - { - fatal("a key with algorithm %s cannot be a zone key", algstr); - } - switch (ctx->alg) { case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: @@ -621,10 +598,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { show_progress = true; break; - case DNS_KEYALG_DH: - param = ctx->generator; - break; - case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: 
@@ -950,11 +923,9 @@ main(int argc, char **argv) { } break; case 'g': - ctx.generator = strtol(isc_commandline_argument, &endp, - 10); - if (*endp != '\0' || ctx.generator <= 0) { - fatal("-g requires a positive number"); - } + fprintf(stderr, + "phased-out option -e " + "(was 'use specified generator (DH only)')\n"); break; case 'K': ctx.directory = isc_commandline_argument; diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index a06027ce58..6f69300a48 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst @@ -49,9 +49,7 @@ Options This option selects the cryptographic algorithm. For DNSSEC keys, the value of ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, - RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For - TKEY, the value must be DH (Diffie-Hellman); specifying this value - automatically sets the :option:`-T KEY <-T>` option as well. + RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. These values are case-insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index b24e88afea..d43e7d9fde 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -490,8 +490,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, uint16_t id, oldid; uint32_t rid, roldid; dns_secalg_t alg; - char filename[NAME_MAX]; - isc_buffer_t fileb; isc_stdtime_t now; if (exact != NULL) { 
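Review bot: The phased-out message in the new `case 'g':` branch names the wrong option: it prints `phased-out option -e` while the case handles `-g`; the first format line should read `"phased-out option -g "`. The branch also no longer calls fatal(), so `-g` is now accepted and ignored rather than rejected — presumably intentional so old invocations keep working, but that deserves a one-line comment such as `/* -g is accepted and ignored so existing scripts keep working */`. With the strtol() call gone, `endp` must still be used by another option in main() (which starts and ends outside the hunk) or it becomes an unused-variable warning.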
@@ -502,21 +500,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, rid = dst_key_rid(dstkey); alg = dst_key_alg(dstkey); - /* - * For Diffie Hellman just check if there is a direct collision as - * they can't be revoked. Additionally dns_dnssec_findmatchingkeys - * only handles DNSKEY which is not used for HMAC. - */ - if (alg == DST_ALG_DH) { - isc_buffer_init(&fileb, filename, sizeof(filename)); - result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir, - &fileb); - if (result != ISC_R_SUCCESS) { - return (true); - } - return (isc_file_exists(filename)); - } - ISC_LIST_INIT(matchkeys); isc_stdtime_get(&now); result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys); diff --git a/bin/named/config.c b/bin/named/config.c index 9c1469abc6..be9724ec71 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -119,7 +119,6 @@ options {\n\ tcp-listen-queue 10;\n\ tcp-receive-buffer 0;\n\ tcp-send-buffer 0;\n\ -# tkey-dhkey \n\ # tkey-domain \n\ # tkey-gssapi-credential \n\ transfer-message-size 20480;\n\ diff --git a/bin/named/main.c b/bin/named/main.c index 3c3a4e1cf7..752745d7fe 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -465,7 +465,7 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { static void list_dnssec_algorithms(isc_buffer_t *b) { for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) { - if (i == DST_ALG_DH || i == DST_ALG_GSSAPI || + if (i == DST_ALG_GSSAPI || (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST)) { continue; @@ -540,11 +540,7 @@ format_supported_algorithms(void (*emit)(isc_buffer_t *b)) { (*emit)(&b); isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", - (dst_algorithm_supported(DST_ALG_DH) && - dst_algorithm_supported(DST_ALG_HMACMD5)) - ? "yes" - : "non"); + isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no"); (*emit)(&b); isc_buffer_init(&b, buf, sizeof(buf)); 
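Review bot: In the second main.c hunk, `isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no");` routes a constant through `%s` for no reason; either fold it into the literal, `isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): no");`, or drop the line now that the answer can never change. Keeping a permanently-"no" line is only justified if something parses the `named -V` output for it; if that is the case, a short comment saying so would stop the next reader from deleting it. Incidentally the old code printed "non" rather than "no", so this hunk also corrects that output. format_supported_algorithms() continues outside the hunk.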
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c index 5db786c64e..24acdcd0c2 100644 --- a/bin/named/tkeyconf.c +++ b/bin/named/tkeyconf.c @@ -48,32 +48,16 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, isc_result_t result; dns_tkeyctx_t *tctx = NULL; const char *s; - uint32_t n; dns_fixedname_t fname; dns_name_t *name; isc_buffer_t b; const cfg_obj_t *obj; - int type; result = dns_tkeyctx_create(mctx, &tctx); if (result != ISC_R_SUCCESS) { return (result); } - obj = NULL; - result = cfg_map_get(options, "tkey-dhkey", &obj); - if (result == ISC_R_SUCCESS) { - s = cfg_obj_asstring(cfg_tuple_get(obj, "name")); - n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid")); - isc_buffer_constinit(&b, s, strlen(s)); - isc_buffer_add(&b, strlen(s)); - name = dns_fixedname_initname(&fname); - RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH, - type, NULL, mctx, &tctx->dhkey)); - } - obj = NULL; result = cfg_map_get(options, "tkey-domain", &obj); if (result == ISC_R_SUCCESS) { diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 8f18733fd6..8ee01e1753 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -24,9 +24,7 @@ check_PROGRAMS = \ makejournal \ pipelined/pipequeries \ rndc/gencheck \ - rpz/dnsrps \ - tkey/keycreate \ - tkey/keydelete + rpz/dnsrps feature_test_CPPFLAGS = \ $(AM_CPPFLAGS) \ @@ -56,22 +54,6 @@ rpz_dnsrps_LDADD = \ $(LDADD) \ $(LIBDNS_LIBS) -tkey_keycreate_CPPFLAGS = \ - $(AM_CPPFLAGS) \ - $(LIBDNS_CFLAGS) - -tkey_keycreate_LDADD = \ - $(LDADD) \ - $(LIBDNS_LIBS) - -tkey_keydelete_CPPFLAGS = \ - $(AM_CPPFLAGS) \ - $(LIBDNS_CFLAGS) - -tkey_keydelete_LDADD = \ - $(LDADD) \ - $(LIBDNS_LIBS) - TESTS = if HAVE_PERLMOD_TIME_HIRES @@ -158,7 +140,6 @@ TESTS += \ staticstub \ stub \ synthfromdnssec \ - tkey \ tools \ transport-acl \ tsig \ 
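Review bot: With the `tkey-dhkey` block removed, the locals `s`, `b`, `fname` and `name` that remain declared at the top of named_tkeyctx_fromconfig() are only justified if the `tkey-domain` handling that continues past the end of the hunk still uses all of them; if `fname`/`name` were only needed for the DH key name they will now trigger unused-variable warnings and should go the way of `n` and `type`. Operationally, a named.conf that still contains `tkey-dhkey` now behaves however the namedconf.c grammar change (not shown here) dictates: a hard parse failure at startup is a worse upgrade experience than marking the clause obsolete (`CFG_CLAUSEFLAG_OBSOLETE`) so named logs a warning and still starts; worth confirming which path the patch took and stating it in the ARM change for this option.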
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f56edb240c..baac0216ba 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -659,7 +659,7 @@ cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC zone with occuded data at the delegation +# A NSEC zone with occluded data at the delegation # zone=occluded.example infile=occluded.example.db.in @@ -667,7 +667,7 @@ zonefile=occluded.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") -keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone") $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh deleted file mode 100644 index f5df065aab..0000000000 --- a/bin/tests/system/tkey/clean.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -rm -f ./K* -rm -f ./dig.out.* -rm -f ./rndc.out.* -rm -f ns*/K* -rm -f ns*/_default.tsigkeys -rm -f ns*/managed-keys.bind* -rm -f ns*/named.conf -rm -f ns*/named.conf-e -rm -f ns*/named.lock -rm -f ns*/named.memstats -rm -f ns*/named.run 
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
deleted file mode 100644
index d4c01d19c0..0000000000
--- a/bin/tests/system/tkey/keycreate.c
+++ /dev/null
@@ -1,260 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define CHECK(str, x) \ - { \ - if ((x) != ISC_R_SUCCESS) { \ - fprintf(stderr, "I:%s: %s\n", (str), \ - isc_result_totext(x)); \ - exit(-1); \ - } \ - } - -#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - -#define TIMEOUT 30 - -static char *ip_address = NULL; -static int port = 0; - -static dst_key_t *ourkey = NULL; -static isc_mem_t *mctx = NULL; -static isc_loopmgr_t *loopmgr = NULL; -static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL; -static dns_tsig_keyring_t *ring = NULL; -static unsigned char noncedata[16]; -static isc_buffer_t nonce; -static dns_requestmgr_t *requestmgr = NULL; -static const char *ownername_str = "."; - -static void -recvquery(void *arg) { - dns_request_t *request = (dns_request_t *)arg; - dns_message_t *query = dns_request_getarg(request); - dns_message_t *response = NULL; - isc_result_t result; - char keyname[256]; - isc_buffer_t keynamebuf; - int type; - - result = dns_request_getresult(request); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "I:request event result: %s\n", - isc_result_totext(result)); - exit(-1); - } - - dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); - - result = dns_request_getresponse(request, response, - DNS_MESSAGEPARSE_PRESERVEORDER); - CHECK("dns_request_getresponse", result); - - if 
(response->rcode != dns_rcode_noerror) { - result = dns_result_fromrcode(response->rcode); - fprintf(stderr, "I:response rcode: %s\n", - isc_result_totext(result)); - exit(-1); - } - - result = dns_tkey_processdhresponse(query, response, ourkey, &nonce, - &tsigkey, ring); - CHECK("dns_tkey_processdhresponse", result); - - /* - * Yes, this is a hack. - */ - isc_buffer_init(&keynamebuf, keyname, sizeof(keyname)); - result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf); - CHECK("dst_key_buildfilename", result); - printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf), - (char *)isc_buffer_base(&keynamebuf)); - type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY; - result = dst_key_tofile(tsigkey->key, type, ""); - CHECK("dst_key_tofile", result); - - dns_message_detach(&query); - dns_message_detach(&response); - dns_request_destroy(&request); - isc_loopmgr_shutdown(loopmgr); -} - -static void -sendquery(void *arg) { - struct in_addr inaddr; - isc_sockaddr_t address; - isc_region_t r; - isc_result_t result; - dns_fixedname_t keyname; - dns_fixedname_t ownername; - isc_buffer_t namestr, keybuf; - unsigned char keydata[9]; - dns_message_t *query = NULL; - dns_request_t *request = NULL; - static char keystr[] = "0123456789ab"; - - UNUSED(arg); - - result = ISC_R_FAILURE; - if (inet_pton(AF_INET, ip_address, &inaddr) != 1) { - CHECK("inet_pton", result); - } - isc_sockaddr_fromin(&address, &inaddr, port); - - dns_fixedname_init(&keyname); - isc_buffer_constinit(&namestr, "tkeytest.", 9); - isc_buffer_add(&namestr, 9); - result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL, - 0, NULL); - CHECK("dns_name_fromtext", result); - - dns_fixedname_init(&ownername); - isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str)); - isc_buffer_add(&namestr, strlen(ownername_str)); - result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr, - NULL, 0, NULL); - CHECK("dns_name_fromtext", result); - - isc_buffer_init(&keybuf, 
keydata, 9); - result = isc_base64_decodestring(keystr, &keybuf); - CHECK("isc_base64_decodestring", result); - - isc_buffer_usedregion(&keybuf, &r); - - result = dns_tsigkey_create( - dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME, - isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false, - NULL, 0, 0, mctx, ring, &initialkey); - CHECK("dns_tsigkey_create", result); - - dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); - - result = dns_tkey_builddhquery(query, ourkey, - dns_fixedname_name(&ownername), - DNS_TSIG_HMACMD5_NAME, &nonce, 3600); - CHECK("dns_tkey_builddhquery", result); - - result = dns_request_create(requestmgr, query, NULL, &address, NULL, - NULL, DNS_REQUESTOPT_TCP, initialkey, - TIMEOUT, 0, 0, isc_loop_main(loopmgr), - recvquery, query, &request); - CHECK("dns_request_create", result); -} - -int -main(int argc, char *argv[]) { - char *ourkeyname = NULL; - isc_nm_t *netmgr = NULL; - isc_sockaddr_t bind_any; - dns_dispatchmgr_t *dispatchmgr = NULL; - dns_dispatch_t *dispatchv4 = NULL; - dns_view_t *view = NULL; - dns_tkeyctx_t *tctx = NULL; - isc_log_t *log = NULL; - isc_logconfig_t *logconfig = NULL; - isc_result_t result; - int type; - - if (argc < 4) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } - ip_address = argv[1]; - port = atoi(argv[2]); - ourkeyname = argv[3]; - - if (argc >= 5) { - ownername_str = argv[4]; - } - - isc_mem_debugging = ISC_MEM_DEBUGRECORD; - - isc_managers_create(&mctx, 1, &loopmgr, &netmgr); - - isc_log_create(mctx, &log, &logconfig); - - RUNCHECK(dst_lib_init(mctx, NULL)); - - RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr)); - - isc_sockaddr_any(&bind_any); - RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4)); - RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL, - &requestmgr)); - - RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); - RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); - - RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); - 
dns_view_setkeyring(view, ring); - dns_tsigkeyring_detach(&ring); - - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey); - CHECK("dst_key_fromnamedfile", result); - - isc_buffer_init(&nonce, noncedata, sizeof(noncedata)); - isc_nonce_buf(noncedata, sizeof(noncedata)); - isc_buffer_add(&nonce, sizeof(noncedata)); - - isc_loopmgr_setup(loopmgr, sendquery, NULL); - isc_loopmgr_run(loopmgr); - - dns_requestmgr_shutdown(requestmgr); - dns_requestmgr_detach(&requestmgr); - dns_dispatch_detach(&dispatchv4); - dns_dispatchmgr_detach(&dispatchmgr); - - dst_key_free(&ourkey); - dns_tsigkey_detach(&initialkey); - dns_tsigkey_detach(&tsigkey); - - dns_tkeyctx_destroy(&tctx); - - dns_view_detach(&view); - - isc_log_destroy(&log); - - dst_lib_destroy(); - - isc_managers_destroy(&mctx, &loopmgr, &netmgr); - - return (0); -} diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c deleted file mode 100644 index eb1bef1af1..0000000000 --- a/bin/tests/system/tkey/keydelete.c +++ /dev/null 
@@ -1,202 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define CHECK(str, x) \ - { \ - if ((x) != ISC_R_SUCCESS) { \ - fprintf(stderr, "I:%s: %s\n", (str), \ - isc_result_totext(x)); \ - exit(-1); \ - } \ - } - -#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - -#define TIMEOUT 30 - -static char *ip_address = NULL; -static int port; -static isc_mem_t *mctx = NULL; -static isc_loopmgr_t *loopmgr = NULL; -static dns_tsigkey_t *tsigkey = NULL; -static dns_tsig_keyring_t *ring = NULL; -static dns_requestmgr_t *requestmgr = NULL; - -static void -recvquery(void *arg) { - isc_result_t result; - dns_request_t *request = (dns_request_t *)arg; - dns_message_t *query = dns_request_getarg(request); - dns_message_t *response = NULL; - - result = dns_request_getresult(request); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "I:request event result: %s\n", - isc_result_totext(result)); - exit(-1); - } - - dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); - - result = dns_request_getresponse(request, response, - DNS_MESSAGEPARSE_PRESERVEORDER); - CHECK("dns_request_getresponse", result); - - if (response->rcode != dns_rcode_noerror) { - result = dns_result_fromrcode(response->rcode); - fprintf(stderr, "I:response rcode: %s\n", - isc_result_totext(result)); - exit(-1); - } - - result = dns_tkey_processdeleteresponse(query, 
response, ring); - CHECK("dns_tkey_processdhresponse", result); - - dns_message_detach(&query); - dns_message_detach(&response); - dns_request_destroy(&request); - isc_loopmgr_shutdown(loopmgr); -} - -static void -sendquery(void *arg) { - struct in_addr inaddr; - isc_sockaddr_t address; - isc_result_t result; - dns_message_t *query = NULL; - dns_request_t *request = NULL; - - UNUSED(arg); - - result = ISC_R_FAILURE; - if (inet_pton(AF_INET, ip_address, &inaddr) != 1) { - CHECK("inet_pton", result); - } - isc_sockaddr_fromin(&address, &inaddr, port); - - dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); - - result = dns_tkey_builddeletequery(query, tsigkey); - CHECK("dns_tkey_builddeletequery", result); - - result = dns_request_create(requestmgr, query, NULL, &address, NULL, - NULL, DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT, - 0, 0, isc_loop_main(loopmgr), recvquery, - query, &request); - CHECK("dns_request_create", result); -} - -int -main(int argc, char **argv) { - char *keyname = NULL; - isc_nm_t *netmgr = NULL; - isc_sockaddr_t bind_any; - dns_dispatchmgr_t *dispatchmgr = NULL; - dns_dispatch_t *dispatchv4 = NULL; - dns_view_t *view = NULL; - dns_tkeyctx_t *tctx = NULL; - dst_key_t *dstkey = NULL; - isc_log_t *log = NULL; - isc_logconfig_t *logconfig = NULL; - isc_result_t result; - int type; - - if (argc < 4) { - fprintf(stderr, "I:no key to delete\n"); - exit(-1); - } - if (strcmp(argv[1], "-r") == 0) { - fprintf(stderr, "I:The -r options has been deprecated\n"); - exit(-1); - } - ip_address = argv[1]; - port = atoi(argv[2]); - keyname = argv[3]; - - isc_managers_create(&mctx, 1, &loopmgr, &netmgr); - - isc_log_create(mctx, &log, &logconfig); - - RUNCHECK(dst_lib_init(mctx, NULL)); - - RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr)); - isc_sockaddr_any(&bind_any); - RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4)); - RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL, - &requestmgr)); - - 
RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); - RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); - - RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); - dns_view_setkeyring(view, ring); - - type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; - result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); - CHECK("dst_key_fromnamedfile", result); - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, dstkey, true, - NULL, 0, 0, mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); - - isc_loopmgr_setup(loopmgr, sendquery, NULL); - isc_loopmgr_run(loopmgr); - - dns_requestmgr_shutdown(requestmgr); - dns_requestmgr_detach(&requestmgr); - dns_dispatch_detach(&dispatchv4); - dns_dispatchmgr_detach(&dispatchmgr); - - dns_tsigkeyring_detach(&ring); - - dns_tsigkey_detach(&tsigkey); - - dns_tkeyctx_destroy(&tctx); - - dns_view_detach(&view); - - isc_log_destroy(&log); - - dst_lib_destroy(); - - isc_managers_destroy(&mctx, &loopmgr, &netmgr); - - return (0); -} diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db deleted file mode 100644 index a84794662c..0000000000 --- a/bin/tests/system/tkey/ns1/example.db +++ /dev/null @@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 -mx MX 10 mail -a A 10.53.0.1 - A 10.53.0.2 -txt TXT "this is text" - 
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in deleted file mode 100644 index 0fd784a666..0000000000 --- a/bin/tests/system/tkey/ns1/named.conf.in +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify no; - tkey-domain "server"; - tkey-dhkey "server" KEYID; - allow-query-cache { any; }; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -key "tkeytest." { - algorithm hmac-md5; - secret "0123456789ab"; -}; - -zone example { - type primary; - file "example.db"; - allow-query { key tkeytest.; none; }; -}; diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh deleted file mode 100644 index b283f7373b..0000000000 --- a/bin/tests/system/tkey/ns1/setup.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../../conf.sh - -keyname=$($KEYGEN -T KEY -a DH -b 768 -n host server) -keyid=$(keyfile_to_key_id "$keyname") -sed -i -e "s;KEYID;$keyid;" named.conf diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh deleted file mode 100644 index bc6aa5118a..0000000000 --- a/bin/tests/system/tkey/setup.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../conf.sh - -copy_setports ns1/named.conf.in ns1/named.conf - -cd ns1 && $SHELL setup.sh diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh deleted file mode 100644 index 864542f694..0000000000 --- a/bin/tests/system/tkey/tests.sh +++ /dev/null 
@@ -1,163 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../conf.sh - -dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" "$@" -} - -status=0 -n=1 - -echo_i "generating new DH key ($n)" -ret=0 -dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -for owner in . foo.example. -do - echo_i "creating new key using owner name \"$owner\" ($n)" - ret=0 - keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking the new key ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "deleting new key ($n)" - ret=0 - $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking that new key has been deleted ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > 
/dev/null && ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) -done - -echo_i "creating new key using owner name bar.example. ($n)" -ret=0 -keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "checking the key with 'rndc tsig-list' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "using key in a request ($n)" -ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "deleting the key with 'rndc tsig-delete' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "recreating the bar.example. key ($n)" -ret=0 -keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) 
|| ret=1 -if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "checking the new key with 'rndc tsig-list' ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "using the new key in a request ($n)" -ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then - echo_i "failed" -fi -status=$((status+ret)) -n=$((n+1)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/configure.ac b/configure.ac index 52ae4ad4e7..b38a82663d 100644 --- a/configure.ac +++ b/configure.ac @@ -762,7 +762,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:], # # Check for OpenSSL 1.1.x/LibreSSL functions # -AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) +AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA]) AC_CHECK_FUNCS([TLS_server_method TLS_client_method]) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index df9f042a44..4ae2389719 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -1439,16 +1439,6 @@ default is used. this variable must be defined, unless a specific keytab is specified using :any:`tkey-gssapi-keytab`. -.. namedconf:statement:: tkey-dhkey - :tags: security - :short: Sets the Diffie-Hellman key used by the server to generate shared keys. - - This is the Diffie-Hellman key used by the server to generate shared keys - with clients using the Diffie-Hellman mode of ``TKEY``. The server - must be able to load the public and private keys from files in the - working directory. In most cases, the ``key_name`` should be the - server's host name. - .. namedconf:statement:: dump-file :tags: logging :short: Indicates the pathname of the file where the server dumps the database after :option:`rndc dumpdb`. diff --git a/doc/misc/options b/doc/misc/options index 38c4e5c825..8fd53159dd 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -283,7 +283,6 @@ options { tcp-listen-queue ; tcp-receive-buffer ; tcp-send-buffer ; - tkey-dhkey ; tkey-domain ; tkey-gssapi-credential ; tkey-gssapi-keytab ; diff --git a/lib/dns/Makefile.am b/lib/dns/Makefile.am index d5a64707f6..1db6d6585a 100644 --- a/lib/dns/Makefile.am +++ b/lib/dns/Makefile.am @@ -202,7 +202,6 @@ libdns_la_SOURCES = \ openssl_link.c \ openssl_shim.c \ openssl_shim.h \ - openssldh_link.c \ opensslecdsa_link.c \ openssleddsa_link.c \ opensslrsa_link.c \ diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index e038e220a1..a258642137 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1486,7 +1486,6 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, case DST_ALG_HMACSHA256: case DST_ALG_HMACSHA384: case DST_ALG_HMACSHA512: - case DST_ALG_DH: if (result == DST_R_BADKEYTYPE) { continue; } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 7549cfd323..5ea70796f6 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
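Review bot: Removing `case DST_ALG_DH:` from the group that skips `DST_R_BADKEYTYPE` results in `dns_dnssec_findmatchingkeys` changes what happens when a key directory still holds a key file for algorithm 2 written by an earlier release: the file is still found by the scan, but its load result now reaches the `default:` handling, which is outside the hunk, and with the DH backend gone the result is presumably no longer `DST_R_BADKEYTYPE` anyway. Worth confirming that such a file is logged and skipped rather than failing the whole lookup, and a comment such as `/* Algorithm 2 (DH) key files from older versions are unsupported and skipped. */` at the switch would record the intent. The same question applies to `check_data` in dst_parse.c, where the `DST_ALG_DH` case is removed and algorithm 2 now falls to that function's default as well. The body of `dns_dnssec_findmatchingkeys` continues outside the hunk.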
@@ -201,7 +201,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); RETERR(dst__openssl_init(engine)); - RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], @@ -1381,7 +1380,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { REQUIRE(VALID_KEY(key)); REQUIRE(n != NULL); - /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: @@ -1422,26 +1420,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_GSSAPI: *n = 128; /*%< XXX */ break; - case DST_ALG_DH: default: return (DST_R_UNSUPPORTEDALG); } return (ISC_R_SUCCESS); } -isc_result_t -dst_key_secretsize(const dst_key_t *key, unsigned int *n) { - REQUIRE(dst_initialized); - REQUIRE(VALID_KEY(key)); - REQUIRE(n != NULL); - - if (key->key_alg == DST_ALG_DH) { - *n = (key->key_size + 7) / 8; - return (ISC_R_SUCCESS); - } - return (DST_R_UNSUPPORTEDALG); -} - /*% * Set the flags on a key, then recompute the key ID */ @@ -1897,13 +1881,11 @@ issymmetric(const dst_key_t *key) { REQUIRE(dst_initialized); REQUIRE(VALID_KEY(key)); - /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: - case DST_ALG_DH: case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 13dd6dc75a..ca2b6376c9 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -32,7 +32,6 @@ #include #include -#include #include #include #include 
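Review bot: In `issymmetric`, dropping `case DST_ALG_DH:` from the list of asymmetric algorithms means a key whose `key_alg` is still the enumerator value 2 (kept as `DST_ALG_DH` in dst.h by this same commit) is now classified by the `default:` branch, which lies outside the hunk; if that branch does not return the same answer as the removed case, the classification of a leftover DH key object changes silently. A one-line comment at the switch, e.g. `/* DST_ALG_DH (2) deliberately absent: TKEY mode 2 support was removed. */`, would make the omission read as intentional. The function body extends beyond the hunk.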
@@ -97,7 +96,6 @@ struct dst_key { union { void *generic; dns_gss_ctx_id_t gssctx; - DH *dh; dst_hmac_key_t *hmac_key; EVP_PKEY *pkey; struct { @@ -213,8 +211,6 @@ dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t -dst__openssldh_init(struct dst_func **funcp); -isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index 0a1a0dcdf2..6f6d7b2871 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -82,11 +82,6 @@ static struct parse_map map[] = { { TAG_RSA_MODULUS, "Modulus:" }, { TAG_RSA_ENGINE, "Engine:" }, { TAG_RSA_LABEL, "Label:" }, - { TAG_DH_PRIME, "Prime(p):" }, - { TAG_DH_GENERATOR, "Generator(g):" }, - { TAG_DH_PRIVATE, "Private_value(x):" }, - { TAG_DH_PUBLIC, "Public_value(y):" }, - { TAG_ECDSA_PRIVATEKEY, "PrivateKey:" }, { TAG_ECDSA_ENGINE, "Engine:" }, { TAG_ECDSA_LABEL, "Label:" }, @@ -211,25 +206,6 @@ check_rsa(const dst_private_t *priv, bool external) { return (ok ? 0 : -1); } -static int -check_dh(const dst_private_t *priv) { - int i, j; - if (priv->nelements != DH_NTAGS) { - return (-1); - } - for (i = 0; i < DH_NTAGS; i++) { - for (j = 0; j < priv->nelements; j++) { - if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) { - break; - } - } - if (j == priv->nelements) { - return (-1); - } - } - return (0); -} - static int check_ecdsa(const dst_private_t *priv, bool external) { int i, j; @@ -357,7 +333,6 @@ check_hmac_sha(const dst_private_t *priv, unsigned int ntags, static int check_data(const dst_private_t *priv, const unsigned int alg, bool old, bool external) { - /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (alg) { case DST_ALG_RSA: case DST_ALG_RSASHA1: 
@@ -365,8 +340,6 @@ check_data(const dst_private_t *priv, const unsigned int alg, bool old, case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: return (check_rsa(priv, external)); - case DST_ALG_DH: - return (check_dh(priv)); case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: return (check_ecdsa(priv, external)); @@ -679,11 +652,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key)); - /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (dst_key_alg(key)) { - case DST_ALG_DH: - fprintf(fp, "(DH)\n"); - break; case DST_ALG_RSASHA1: fprintf(fp, "(RSASHA1)\n"); break; diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h index cc12e9bc6f..8703810ff7 100644 --- a/lib/dns/dst_parse.h +++ b/lib/dns/dst_parse.h @@ -59,12 +59,6 @@ #define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8) #define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9) -#define DH_NTAGS 4 -#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0) -#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1) -#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2) -#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3) - #define ECDSA_NTAGS 4 #define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0) #define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1) diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h index 21552661bc..38505a3b29 100644 --- a/lib/dns/include/dns/keyvalues.h +++ b/lib/dns/include/dns/keyvalues.h 
@@ -52,26 +52,26 @@
 #define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
 
 /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
-#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
-#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
-#define DNS_KEYALG_NSEC3DSA 6
-#define DNS_KEYALG_DSS DNS_ALG_DSA
-#define DNS_KEYALG_ECC 4
-#define DNS_KEYALG_RSASHA1 5
-#define DNS_KEYALG_NSEC3RSASHA1 7
-#define DNS_KEYALG_RSASHA256 8
-#define DNS_KEYALG_RSASHA512 10
-#define DNS_KEYALG_ECCGOST 12
-#define DNS_KEYALG_ECDSA256 13
-#define DNS_KEYALG_ECDSA384 14
-#define DNS_KEYALG_ED25519 15
-#define DNS_KEYALG_ED448 16
-#define DNS_KEYALG_INDIRECT 252
-#define DNS_KEYALG_PRIVATEDNS 253
-#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
-#define DNS_KEYALG_MAX 255
+#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
+#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
+#define DNS_KEYALG_DH_DEPRECATED 2 /*%< deprecated */
+#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
+#define DNS_KEYALG_NSEC3DSA 6
+#define DNS_KEYALG_DSS DNS_ALG_DSA
+#define DNS_KEYALG_ECC 4
+#define DNS_KEYALG_RSASHA1 5
+#define DNS_KEYALG_NSEC3RSASHA1 7
+#define DNS_KEYALG_RSASHA256 8
+#define DNS_KEYALG_RSASHA512 10
+#define DNS_KEYALG_ECCGOST 12
+#define DNS_KEYALG_ECDSA256 13
+#define DNS_KEYALG_ECDSA384 14
+#define DNS_KEYALG_ED25519 15
+#define DNS_KEYALG_ED448 16
+#define DNS_KEYALG_INDIRECT 252
+#define DNS_KEYALG_PRIVATEDNS 253
+#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
+#define DNS_KEYALG_MAX 255
 
 /* Protocol values */
 #define DNS_KEYPROTO_RESERVED 0
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 08c76b71bc..9aca98804e 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
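Review bot: Renaming `DNS_KEYALG_DH` to `DNS_KEYALG_DH_DEPRECATED` here is inconsistent with the dst.h hunk in this same commit, which keeps `DST_ALG_DH = 2` under its old name and only adds `/* Deprecated */`: the two headers now treat the same wire value 2 in two different ways, and any consumer of `DNS_KEYALG_DH` stops compiling while `DST_ALG_DH` users are unaffected. Either keep a compatibility alias, `#define DNS_KEYALG_DH DNS_KEYALG_DH_DEPRECATED`, or apply one strategy to both headers. The new comment `/*%< deprecated */` also drops the information the old one carried; `/*%< Diffie-Hellman KEY (TKEY mode 2 removed; value 2 stays reserved) */` says why the number must not be reused. Re-aligning all twenty defines in the same hunk turns a one-symbol change into a 20/20 rewrite that is hard to review; the realignment would be better as a separate whitespace-only commit.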
@@ -35,7 +35,6 @@ ISC_LANG_BEGINDECLS
 #define DNS_TKEYMODE_DELETE 5
 
 struct dns_tkeyctx {
- dst_key_t *dhkey;
 dns_name_t *domain;
 dns_gss_cred_id_t gsscred;
 isc_mem_t *mctx;
@@ -88,33 +87,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 *\li other An error occurred while processing the message
 */
 
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
- const dns_name_t *name, const dns_name_t *algorithm,
- isc_buffer_t *nonce, uint32_t lifetime);
-/*%<
- * Builds a query containing a TKEY that will generate a shared
- * secret using a Diffie-Hellman key exchange. The shared key
- * will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
- * is supported), and will be named either 'name',
- * 'name' + server chosen domain, or random data + server chosen domain
- * if 'name' == dns_rootname. If nonce is not NULL, it supplies
- * random data used in the shared secret computation. The key is
- * requested to have the specified lifetime (in seconds)
- *
- *
- * Requires:
- *\li 'msg' is a valid message
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'name' is a valid name
- *\li 'algorithm' is a valid name
- *
- * Returns:
- *\li #ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- *\li other an error occurred while building the message
- */
-
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 const dns_name_t *gname, isc_buffer_t *intoken,
@@ -156,29 +128,6 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
 *\li other an error occurred while building the message
 */
 
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*%<
- * Processes a response to a query containing a TKEY that was
- * designed to generate a shared secret using a Diffie-Hellman key
- * exchange. If the query was successful, a new shared key
- * is created and added to the list of shared keys.
- *
- * Requires:
- *\li 'qmsg' is a valid message (the query)
- *\li 'rmsg' is a valid message (the response)
- *\li 'key' is a valid Diffie Hellman dst key
- *\li 'outkey' is either NULL or a pointer to NULL
- *\li 'ring' is a valid keyring or NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS the shared key was successfully added
- *\li #ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 const dns_name_t *gname, dns_gss_ctx_id_t *context,
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 62192a9be7..19bcbc5ce2 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -82,7 +82,7 @@ typedef enum dst_algorithm {
 DST_ALG_UNKNOWN = 0,
 DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
 DST_ALG_RSAMD5 = 1,
- DST_ALG_DH = 2,
+ DST_ALG_DH = 2, /* Deprecated */
 DST_ALG_DSA = 3,
 DST_ALG_ECC = 4,
 DST_ALG_RSASHA1 = 5,
@@ -804,23 +804,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n);
 *\li "n" stores the size of a generated signature
 */
 
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*%<
- * Computes the size of a shared secret generated by the given key.
- *
- * Requires:
- *\li "key" is a valid key.
- *\li "n" is not NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS
- *\li DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- *\li "n" stores the size of a generated shared secret
- */
-
 uint16_t
 dst_region_computeid(const isc_region_t *source);
 uint16_t
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 35ee4db006..01f4840345 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -284,7 +284,6 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 if (dnskey.algorithm == DST_ALG_RSAMD5 ||
- dnskey.algorithm == DST_ALG_DH ||
 dnskey.algorithm == DST_ALG_DSA ||
 dnskey.algorithm == DST_ALG_RSASHA1)
 {
diff --git a/lib/dns/openssl_shim.c b/lib/dns/openssl_shim.c
index 816813adfb..9d0e397e2d 100644
--- a/lib/dns/openssl_shim.c
+++ b/lib/dns/openssl_shim.c
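Review bot: Dropping `dnskey.algorithm == DST_ALG_DH ||` from the condition in `dns_nsec_nseconly` is a behavioural change for zone data, not just dead-code removal: the test runs over DNSKEY RRs read from the zone, an algorithm-2 DNSKEY can still appear in that RRset regardless of what BIND itself can generate, and `DST_ALG_DH` remains defined in dst.h after this commit. If algorithm 2 is being dropped because it is not a zone-signing algorithm, a comment on the condition such as `/* Algorithm 2 (DH) is not a signing algorithm, so it is not counted as NSEC-only. */` would stop it being re-added; if the old classification should be preserved, keep the line. The function's body continues outside the hunk.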
@@ -164,80 +164,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { } #endif /* !HAVE_ECDSA_SIG_GET0 */ -#if !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -/* - * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg - * are from OpenSSL 1.1.0. - */ -void -DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { - if (pub_key != NULL) { - *pub_key = dh->pub_key; - } - if (priv_key != NULL) { - *priv_key = dh->priv_key; - } -} - -int -DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { - if (pub_key != NULL) { - BN_free(dh->pub_key); - dh->pub_key = pub_key; - } - - if (priv_key != NULL) { - BN_free(dh->priv_key); - dh->priv_key = priv_key; - } - - return (1); -} - -void -DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g) { - if (p != NULL) { - *p = dh->p; - } - if (q != NULL) { - *q = dh->q; - } - if (g != NULL) { - *g = dh->g; - } -} - -int -DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - /* If the fields p and g in d are NULL, the corresponding input - * parameters MUST be non-NULL. q may remain NULL. - */ - if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) { - return (0); - } - - if (p != NULL) { - BN_free(dh->p); - dh->p = p; - } - if (q != NULL) { - BN_free(dh->q); - dh->q = q; - } - if (g != NULL) { - BN_free(dh->g); - dh->g = g; - } - - if (q != NULL) { - dh->length = BN_num_bits(q); - } - - return (1); -} -#endif /* !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - #if !HAVE_ERR_GET_ERROR_ALL static const char err_empty_string = '\0'; diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h index 87a4136388..a0b87626db 100644 --- a/lib/dns/openssl_shim.h +++ b/lib/dns/openssl_shim.h 
@@ -96,20 +96,6 @@ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); #endif /* !HAVE_ECDSA_SIG_GET0 */ -#if !HAVE_DH_GET0_KEY -void -DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); - -int -DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); - -void -DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); - -int -DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); -#endif /* !HAVE_DH_GET0_KEY */ - #if !HAVE_ERR_GET_ERROR_ALL unsigned long ERR_get_error_all(const char **file, int *line, const char **func, diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c deleted file mode 100644 index c4729b675f..0000000000 --- a/lib/dns/openssldh_link.c +++ /dev/null 
@@ -1,1325 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 AND ISC - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Copyright (C) Network Associates, Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/*! 
\file */ - -#include -#include -#include - -#include -#include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#include -#endif -#include -#include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L -#include -#endif -#include - -#include -#include -#include -#include -#include - -#include "dst_internal.h" -#include "dst_openssl.h" -#include "dst_parse.h" -#include "openssl_shim.h" - -#define PRIME2 "02" - -#define PRIME768 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \ - "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \ - "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFF" \ - "F" - -#define PRIME1024 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \ - "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \ - "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \ - "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF" - -#define PRIME1536 \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; - -static isc_result_t -openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dhpub, *dhpriv; - const BIGNUM *pub_key = NULL; - int secret_len = 0; -#else - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *dhpub, *dhpriv; - size_t secret_len = 0; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - 
unsigned int len; - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); - - dhpub = pub->keydata.dh; - dhpriv = priv->keydata.dh; - - len = DH_size(dhpriv); -#else - REQUIRE(pub->keydata.pkey != NULL); - REQUIRE(priv->keydata.pkey != NULL); - - dhpub = pub->keydata.pkey; - dhpriv = priv->keydata.pkey; - - len = EVP_PKEY_get_size(dhpriv); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(secret, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH_get0_key(dhpub, &pub_key, NULL); - secret_len = DH_compute_key(r.base, pub_key, dhpriv); - if (secret_len <= 0) { - return (dst__openssl_toresult2("DH_compute_key", - DST_R_COMPUTESECRETFAILURE)); - } -#else - ctx = EVP_PKEY_CTX_new_from_pkey(NULL, dhpriv, NULL); - if (ctx == NULL) { - return (dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_derive_init(ctx) != 1) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_derive_set_peer(ctx, dhpub) != 1) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive_set_peer", - DST_R_OPENSSLFAILURE)); - } - secret_len = r.length; - if (EVP_PKEY_derive(ctx, r.base, &secret_len) != 1 || secret_len == 0) { - EVP_PKEY_CTX_free(ctx); - return (dst__openssl_toresult2("EVP_PKEY_derive", - DST_R_COMPUTESECRETFAILURE)); - } - EVP_PKEY_CTX_free(ctx); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(secret, (unsigned int)secret_len); - - return (ISC_R_SUCCESS); -} - -static bool -openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM 
*pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) { - return (true); - } else if (dh1 == NULL || dh2 == NULL) { - return (false); - } - - DH_get0_key(dh1, &pub_key1, &priv_key1); - DH_get0_key(dh2, &pub_key2, &priv_key2); - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); -#else - pkey1 = key1->keydata.pkey; - pkey2 = key2->keydata.pkey; - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); - } else if (pkey1 == NULL || pkey2 == NULL) { - return (false); - } - - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PUB_KEY, &pub_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) - { - DST_RET(false); - } - - if (priv_key1 != NULL || priv_key2 != NULL) { - if (priv_key1 == NULL || priv_key2 == NULL || - BN_cmp(priv_key1, priv_key2) != 0) - { - DST_RET(false); - } - } - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - 
BN_free(p1); - } - if (p2 != NULL) { - BN_free(p2); - } - if (g1 != NULL) { - BN_free(g1); - } - if (g2 != NULL) { - BN_free(g2); - } - if (pub_key1 != NULL) { - BN_free(pub_key1); - } - if (pub_key2 != NULL) { - BN_free(pub_key2); - } - if (priv_key1 != NULL) { - BN_clear_free(priv_key1); - } - if (priv_key2 != NULL) { - BN_clear_free(priv_key2); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -static bool -openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) { - return (true); - } else if (dh1 == NULL || dh2 == NULL) { - return (false); - } - - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); -#else - pkey1 = key1->keydata.pkey; - pkey2 = key2->keydata.pkey; - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); - } else if (pkey1 == NULL || pkey2 == NULL) { - return (false); - } - - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_P, &p1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - DST_RET(false); - } - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } - if (p2 != NULL) { - BN_free(p2); - } - if (g1 != NULL) { - BN_free(g1); - } 
- if (g2 != NULL) { - BN_free(g2); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 -static int -progress_cb(int p, int n, BN_GENCB *cb) { - union { - void *dptr; - void (*fptr)(int); - } u; - - UNUSED(n); - - u.dptr = BN_GENCB_get_arg(cb); - if (u.fptr != NULL) { - u.fptr(p); - } - return (1); -} -#else -static int -progress_cb(EVP_PKEY_CTX *ctx) { - union { - void *dptr; - void (*fptr)(int); - } u; - - u.dptr = EVP_PKEY_CTX_get_app_data(ctx); - if (u.fptr != NULL) { - int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - u.fptr(p); - } - return (1); -} -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -static isc_result_t -openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - isc_result_t ret; - union { - void *dptr; - void (*fptr)(int); - } u; - BIGNUM *p = NULL, *g = NULL; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - BN_GENCB *cb = NULL; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *param_ctx = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *param_pkey = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - param_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (param_ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (generator == 0) { - /* - * When `generator` is 0, we have three pre-computed `p` and `g` - * static parameters which we can use. 
- */ - if (key->key_size == 768 || key->key_size == 1024 || - key->key_size == 1536) - { - if (key->key_size == 768) { - p = BN_dup(bn768); - } else if (key->key_size == 1024) { - p = BN_dup(bn1024); - } else { - p = BN_dup(bn1536); - } - g = BN_dup(bn2); - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2( - "DH_set0_pqg", DST_R_OPENSSLFAILURE)); - } -#else - if (OSSL_PARAM_BLD_push_uint(bld, - OSSL_PKEY_PARAM_FFC_PBITS, - key->key_size) != 1) - { - DST_RET(dst__openssl_toresult2( - "OSSL_PARAM_BLD_push_uint", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, - p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, - g) != 1) - { - DST_RET(dst__openssl_toresult2( - "OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - } else { - /* - * If the requested size is not present in our - * pre-computed set, we will use `generator` 2 to - * generate new parameters. 
- */ - generator = 2; - } - } - - if (generator != 0) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (callback != NULL) { - cb = BN_GENCB_new(); - if (cb == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - u.fptr = callback; - BN_GENCB_set(cb, progress_cb, u.dptr); - } - - if (!DH_generate_parameters_ex(dh, key->key_size, generator, - cb)) - { - DST_RET(dst__openssl_toresult2("DH_generate_parameters_" - "ex", - DST_R_OPENSSLFAILURE)); - } -#else - if (OSSL_PARAM_BLD_push_int(bld, OSSL_PKEY_PARAM_DH_GENERATOR, - generator) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "int", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_utf8_string( - bld, OSSL_PKEY_PARAM_FFC_TYPE, "generator", 0) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "utf8_string", - DST_R_OPENSSLFAILURE)); - } - if (OSSL_PARAM_BLD_push_uint(bld, OSSL_PKEY_PARAM_FFC_PBITS, - key->key_size) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_" - "uint", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_generate_key(dh) == 0) { - DST_RET(dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); - } - key->keydata.dh = dh; - dh = NULL; -#else - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - - if (generator == 0) { - if (EVP_PKEY_fromdata_init(param_ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(param_ctx, ¶m_pkey, - OSSL_KEYMGMT_SELECT_ALL, params) != 1 || - param_pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - } else { - if (EVP_PKEY_paramgen_init(param_ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen_init", - 
DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_CTX_set_params(param_ctx, params) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_set_" - "params", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_paramgen(param_ctx, ¶m_pkey) != 1 || - param_pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_paramgen", - DST_R_OPENSSLFAILURE)); - } - } - - /* - * Now `param_pkey` holds the DH parameters (either pre-coumputed or - * newly generated) so we will generate a new public/private key-pair - * using those parameters and put it into `pkey`. - */ - ctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_pkey, NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_from_pkey", - DST_R_OPENSSLFAILURE)); - } - if (callback != NULL) { - u.fptr = callback; - EVP_PKEY_CTX_set_app_data(ctx, u.dptr); - EVP_PKEY_CTX_set_cb(ctx, progress_cb); - } - if (EVP_PKEY_keygen_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_keygen(ctx, &pkey) != 1 || pkey == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } - if (cb != NULL) { - BN_GENCB_free(cb); - } -#else - if (param_pkey != NULL) { - EVP_PKEY_free(param_pkey); - } - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (param_ctx != NULL) { - EVP_PKEY_CTX_free(param_ctx); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); -} - -static bool -openssldh_isprivate(const 
dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - const BIGNUM *priv_key = NULL; - - DH_get0_key(dh, NULL, &priv_key); - - return (dh != NULL && priv_key != NULL); -#else - bool ret; - EVP_PKEY *pkey; - BIGNUM *priv_key = NULL; - - pkey = key->keydata.pkey; - if (pkey == NULL) { - return (false); - } - - ret = (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, - &priv_key) == 1 && - priv_key != NULL); - if (priv_key != NULL) { - BN_clear_free(priv_key); - } - - return (ret); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -} - -static void -openssldh_destroy(dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - - if (dh == NULL) { - return; - } - - DH_free(dh); - key->keydata.dh = NULL; -#else - EVP_PKEY *pkey = key->keydata.pkey; - - if (pkey == NULL) { - return; - } - - EVP_PKEY_free(pkey); - key->keydata.pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -} - -static void -uint16_toregion(uint16_t val, isc_region_t *region) { - *region->base = (val & 0xff00) >> 8; - isc_region_consume(region, 1); - *region->base = (val & 0x00ff); - isc_region_consume(region, 1); -} - -static uint16_t -uint16_fromregion(isc_region_t *region) { - uint16_t val; - unsigned char *cp = region->base; - - val = ((unsigned int)(cp[0])) << 8; - val |= ((unsigned int)(cp[1])); - - isc_region_consume(region, 2); - - return (val); -} - -static isc_result_t -openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret = ISC_R_SUCCESS; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; -#else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - uint16_t dnslen, plen, glen, 
publen; - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(key->keydata.dh != NULL); - - dh = key->keydata.dh; - DH_get0_pqg(dh, &p, NULL, &g); - DH_get0_key(dh, &pub_key, NULL); -#else - REQUIRE(key->keydata.pkey != NULL); - - pkey = key->keydata.pkey; - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - - if (BN_cmp(g, bn2) == 0 && - (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 || - BN_cmp(p, bn1536) == 0)) - { - plen = 1; - glen = 0; - } else { - plen = BN_num_bytes(p); - glen = BN_num_bytes(g); - } - - publen = BN_num_bytes(pub_key); - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int)dnslen) { - DST_RET(ISC_R_NOSPACE); - } - - uint16_toregion(plen, &r); - if (plen == 1) { - if (BN_cmp(p, bn768) == 0) { - *r.base = 1; - } else if (BN_cmp(p, bn1024) == 0) { - *r.base = 2; - } else { - *r.base = 3; - } - } else { - BN_bn2bin(p, r.base); - } - isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) { - BN_bn2bin(g, r.base); - } - isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); - BN_bn2bin(pub_key, r.base); - isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); - -err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (ret); -} - -static isc_result_t -openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - 
EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - int key_size; - isc_region_t r; - uint16_t plen, glen, publen; - int special = 0; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - return (ISC_R_SUCCESS); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a - * prime follows, otherwise an error. - */ - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - plen = uint16_fromregion(&r); - if (plen < 16 && plen != 1 && plen != 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (r.length < plen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (plen == 1 || plen == 2) { - if (plen == 1) { - special = *r.base; - isc_region_consume(&r, 1); - } else { - special = uint16_fromregion(&r); - } - switch (special) { - case 1: - p = BN_dup(bn768); - break; - case 2: - p = BN_dup(bn1024); - break; - case 3: - p = BN_dup(bn1536); - break; - default: - DST_RET(DST_R_INVALIDPUBLICKEY); - } - } else { - p = BN_bin2bn(r.base, plen, NULL); - isc_region_consume(&r, plen); - } - - /* - * Read the generator length. This should be 0 if the prime was - * special, but it might not be. If it's 0 and the prime is not - * special, we have a problem. 
- */ - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - glen = uint16_fromregion(&r); - if (r.length < glen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (special != 0) { - if (glen == 0) { - g = BN_dup(bn2); - } else { - g = BN_bin2bn(r.base, glen, NULL); - if (g != NULL && BN_cmp(g, bn2) != 0) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - } - } else { - if (glen == 0) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - g = BN_bin2bn(r.base, glen, NULL); - } - isc_region_consume(&r, glen); - - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - - key_size = BN_num_bits(p); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); - } - - /* These are now managed by OpenSSL */ - p = NULL; - g = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - publen = uint16_fromregion(&r); - if (r.length < publen) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - pub_key = BN_bin2bn(r.base, publen, NULL); - if (pub_key == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } - - isc_region_consume(&r, publen); - - isc_buffer_forward(data, plen + glen + publen + 6); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 -#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ - (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) - /* - * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when - * DH structure is empty, hence we cannot use DH_get0_key(). 
- */ - dh->pub_key = pub_key; -#else /* LIBRESSL_VERSION_NUMBER */ - if (DH_set0_key(dh, pub_key, NULL) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); - } -#endif /* LIBRESSL_VERSION_NUMBER */ - - /* This is now managed by OpenSSL */ - pub_key = NULL; - - key->keydata.dh = dh; - dh = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) != - 1 || - pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -#else - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - - return (ret); -} - -static isc_result_t -openssldh_tofile(const dst_key_t *key, const char *directory) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; -#else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *priv_key = NULL, 
*p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *bufs[4] = { NULL }; - unsigned short i = 0; - isc_result_t result; - - if (key->external) { - return (DST_R_EXTERNALKEY); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->keydata.dh == NULL) { - return (DST_R_NULLKEY); - } - - dh = key->keydata.dh; - DH_get0_key(dh, &pub_key, &priv_key); - DH_get0_pqg(dh, &p, NULL, &g); -#else - if (key->keydata.pkey == NULL) { - return (DST_R_NULLKEY); - } - - pkey = key->keydata.pkey; - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = BN_num_bytes(p); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(p, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_GENERATOR; - priv.elements[i].length = BN_num_bytes(g); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(g, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PRIVATE; - priv.elements[i].length = BN_num_bytes(priv_key); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(priv_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PUBLIC; - priv.elements[i].length = BN_num_bytes(pub_key); - bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length); - BN_bn2bin(pub_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - - while (i--) { - if (bufs[i] != NULL) { - isc_mem_put(key->mctx, bufs[i], - 
priv.elements[i].length); - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - if (priv_key != NULL) { - BN_clear_free(priv_key); - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ - */ - - return (result); -} - -static isc_result_t -openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; -#else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - int key_size = 0; - isc_mem_t *mctx; - - UNUSED(pub); - mctx = key->mctx; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - if (key->external) { - DST_RET(DST_R_EXTERNALKEY); - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(ISC_R_NOMEMORY); - } -#else - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; - bn = BN_bin2bn(priv.elements[i].data, priv.elements[i].length, - NULL); - if (bn == NULL) { - DST_RET(ISC_R_NOMEMORY); - } - - switch (priv.elements[i].tag) { - case TAG_DH_PRIME: - p = bn; - key_size = BN_num_bits(p); - break; - case TAG_DH_GENERATOR: - g = bn; - break; - case 
TAG_DH_PRIVATE: - priv_key = bn; - break; - case TAG_DH_PUBLIC: - pub_key = bn; - break; - } - } - -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_key(dh, pub_key, priv_key) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); - } - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); - } - - /* These are now managed by OpenSSL */ - pub_key = NULL; - priv_key = NULL; - p = NULL; - g = NULL; - - key->keydata.dh = dh; - dh = NULL; -#else - if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) != - 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key) != - 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || - OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) - { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); - if (params == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata_init(ctx) != 1) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata_init", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_fromdata(ctx, &pkey, OSSL_KEYMGMT_SELECT_ALL, params) != - 1 || - pkey == NULL) - { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } - - key->keydata.pkey = pkey; - pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - ret = ISC_R_SUCCESS; - -err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -#else - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } - if (params != NULL) { - OSSL_PARAM_free(params); - } - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != 
NULL) { - BN_free(p); - } - if (g != NULL) { - BN_free(g); - } - if (pub_key != NULL) { - BN_free(pub_key); - } - if (priv_key != NULL) { - BN_clear_free(priv_key); - } - if (ret != ISC_R_SUCCESS) { - openssldh_destroy(key); - } - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ret); -} - -static void -openssldh_cleanup(void) { - BN_free(bn2); - bn2 = NULL; - - BN_free(bn768); - bn768 = NULL; - - BN_free(bn1024); - bn1024 = NULL; - - BN_free(bn1536); - bn1536 = NULL; -} - -static dst_func_t openssldh_functions = { - NULL, /*%< createctx */ - NULL, /*%< createctx2 */ - NULL, /*%< destroyctx */ - NULL, /*%< adddata */ - NULL, /*%< openssldh_sign */ - NULL, /*%< openssldh_verify */ - NULL, /*%< openssldh_verify2 */ - openssldh_computesecret, - openssldh_compare, - openssldh_paramcompare, - openssldh_generate, - openssldh_isprivate, - openssldh_destroy, - openssldh_todns, - openssldh_fromdns, - openssldh_tofile, - openssldh_parse, - openssldh_cleanup, - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__openssldh_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) { - if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) { - goto cleanup; - } - if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) { - goto cleanup; - } - *funcp = &openssldh_functions; - } - return (ISC_R_SUCCESS); - -cleanup: - if (bn2 != NULL) { - BN_free(bn2); - } - if (bn768 != NULL) { - BN_free(bn768); - } - if (bn1024 != NULL) { - BN_free(bn1024); - } - if (bn1536 != NULL) { - BN_free(bn1536); - } - return (ISC_R_NOMEMORY); -} diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index 9aa89deeef..c0141621ef 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c 
@@ -97,25 +97,26 @@ /* RFC2535 section 7, RFC3110 */
-#define SECALGNAMES \
- { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
- { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
- { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
- { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
- { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
- { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
- { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
- { DNS_KEYALG_ED25519, "ED25519", 0 }, \
- { DNS_KEYALG_ED448, "ED448", 0 }, \
- { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
- { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
- { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
- 0, NULL, 0 \
+#define SECALGNAMES \
+ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+ { DNS_KEYALG_DH_DEPRECATED, "DH", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
+ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
+ { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+ { DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
+ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
+ { DNS_KEYALG_ED25519, "ED25519", 0 }, \
+ { DNS_KEYALG_ED448, "ED448", 0 }, \
+ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
+ 0, NULL, 0 \
 }
 /* RFC2535 section 7.1 */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 9aa89deeef..c0141621ef 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
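Review bot: The SECALGNAMES table still maps the mnemonic "DH" to algorithm number 2 even though the rest of this commit removes the implementation, and nothing at this site says whether that is deliberate (presumably so `dns_secalg_fromtext`/`dns_secalg_totext` keep round-tripping algorithm 2 in existing zone data) or simply left behind. The new constant name DNS_KEYALG_DH_DEPRECATED hints at the intent but does not say the name is meant to remain accepted; a one-line comment above the entry would settle it, e.g. `/* Algorithm 2 (DH) is no longer implemented; the name is kept only so existing data still parses and prints. */`.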
@@ -11016,9 +11016,6 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver,
 REQUIRE(VALID_RESOLVER(resolver));
- /*
- * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
- */
 if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
 return (false);
 }
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 9218e070fc..1897b26e14 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -109,18 +109,14 @@ dumpmessage(dns_message_t *msg) {
 isc_result_t
 dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
- dns_tkeyctx_t *tctx;
-
 REQUIRE(mctx != NULL);
 REQUIRE(tctxp != NULL && *tctxp == NULL);
- tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
- tctx->mctx = NULL;
+ dns_tkeyctx_t *tctx = isc_mem_get(mctx, sizeof(*tctx));
+ *tctx = (dns_tkeyctx_t){
+ .mctx = NULL,
+ };
 isc_mem_attach(mctx, &tctx->mctx);
- tctx->dhkey = NULL;
- tctx->domain = NULL;
- tctx->gsscred = NULL;
- tctx->gssapi_keytab = NULL;
 *tctxp = tctx;
 return (ISC_R_SUCCESS);
@@ -137,9 +133,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
 *tctxp = NULL;
 mctx = tctx->mctx;
- if (tctx->dhkey != NULL) {
- dst_key_free(&tctx->dhkey);
- }
 if (tctx->domain != NULL) {
 if (dns_name_dynamic(tctx->domain)) {
 dns_name_free(tctx->domain, mctx);
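Review bot: Dropping the RFC 4034 A.1 comment leaves the `(alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)` rejection in dns_resolver_algorithm_supported with no stated reason, and a later reader may take it for a leftover of the DH removal and delete it along with the rest. The check is still needed independently of which providers are linked in, because these two algorithm numbers are never valid for signing a DNSKEY RRset, so a short rationale should stay in place of the removed block, e.g. `/* 2 (DH) and 252 (INDIRECT) can never sign a DNSKEY RRset (RFC 4034 A.1). */`. The rest of the function lies outside the hunk.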
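Review bot: In dns_tkeyctx_create the compound literal `*tctx = (dns_tkeyctx_t){ .mctx = NULL, };` zero-initialises every member whether named or not, so spelling out `.mctx = NULL` adds nothing over `*tctx = (dns_tkeyctx_t){ 0 };` and suggests that the other pointers (domain, gsscred, gssapi_keytab, formerly assigned one by one) are somehow less initialised than before. If the explicit designator is there to document that isc_mem_attach presumably wants a NULL target, a comment carries that better than a redundant initializer: `*tctx = (dns_tkeyctx_t){ 0 }; /* every member NULL, including mctx for isc_mem_attach */`. Either form also covers members added to dns_tkeyctx_t later without touching this function.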
@@ -212,270 +205,6 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) { } } -static isc_result_t -compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, - isc_region_t *serverrandomness, isc_buffer_t *secret) { - isc_md_t *md; - isc_region_t r, r2; - unsigned char digests[ISC_MAX_MD_SIZE * 2]; - unsigned char *digest1, *digest2; - unsigned int digestslen, digestlen1 = 0, digestlen2 = 0; - unsigned int i; - isc_result_t result; - - isc_buffer_usedregion(shared, &r); - - md = isc_md_new(); - if (md == NULL) { - return (ISC_R_NOSPACE); - } - - /* - * MD5 ( query data | DH value ). - */ - digest1 = digests; - - result = isc_md_init(md, ISC_MD_MD5); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, queryrandomness->base, - queryrandomness->length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, r.base, r.length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_final(md, digest1, &digestlen1); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_reset(md); - if (result != ISC_R_SUCCESS) { - goto end; - } - - /* - * MD5 ( server data | DH value ). - */ - digest2 = digests + digestlen1; - - result = isc_md_init(md, ISC_MD_MD5); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, serverrandomness->base, - serverrandomness->length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_update(md, r.base, r.length); - if (result != ISC_R_SUCCESS) { - goto end; - } - - result = isc_md_final(md, digest2, &digestlen2); - if (result != ISC_R_SUCCESS) { - goto end; - } - - isc_md_free(md); - md = NULL; - - digestslen = digestlen1 + digestlen2; - - /* - * XOR ( DH value, MD5-1 | MD5-2). 
- */ - isc_buffer_availableregion(secret, &r); - isc_buffer_usedregion(shared, &r2); - if (r.length < digestslen || r.length < r2.length) { - return (ISC_R_NOSPACE); - } - if (r2.length > digestslen) { - memmove(r.base, r2.base, r2.length); - for (i = 0; i < digestslen; i++) { - r.base[i] ^= digests[i]; - } - isc_buffer_add(secret, r2.length); - } else { - memmove(r.base, digests, digestslen); - for (i = 0; i < r2.length; i++) { - r.base[i] ^= r2.base[i]; - } - isc_buffer_add(secret, digestslen); - } - result = ISC_R_SUCCESS; -end: - if (md != NULL) { - isc_md_free(md); - } - return (result); -} - -static isc_result_t -process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, - dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, - dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring, - dns_namelist_t *namelist) { - isc_result_t result = ISC_R_SUCCESS; - dns_name_t *keyname, ourname; - dns_rdataset_t *keyset = NULL; - dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT; - bool found_key = false, found_incompatible = false; - dst_key_t *pubkey = NULL; - isc_buffer_t ourkeybuf, *shared = NULL; - isc_region_t r, r2, ourkeyr; - unsigned char keydata[DST_KEY_MAXSIZE]; - unsigned int sharedsize; - isc_buffer_t secret; - unsigned char *randomdata = NULL, secretdata[256]; - dns_ttl_t ttl = 0; - - if (tctx->dhkey == NULL) { - tkey_log("process_dhtkey: tkey-dhkey not defined"); - tkeyout->error = dns_tsigerror_badalg; - return (DNS_R_REFUSED); - } - - if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { - tkey_log("process_dhtkey: algorithms other than " - "hmac-md5 are not supported"); - tkeyout->error = dns_tsigerror_badalg; - return (ISC_R_SUCCESS); - } - - /* - * Look for a DH KEY record that will work with ours. 
- */ - for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL); - result == ISC_R_SUCCESS && !found_key; - result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) - { - keyname = NULL; - dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname); - keyset = NULL; - result = dns_message_findtype(keyname, dns_rdatatype_key, 0, - &keyset); - if (result != ISC_R_SUCCESS) { - continue; - } - - for (result = dns_rdataset_first(keyset); - result == ISC_R_SUCCESS && !found_key; - result = dns_rdataset_next(keyset)) - { - dns_rdataset_current(keyset, &keyrdata); - pubkey = NULL; - result = dns_dnssec_keyfromrdata(keyname, &keyrdata, - msg->mctx, &pubkey); - if (result != ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - continue; - } - if (dst_key_alg(pubkey) == DNS_KEYALG_DH) { - if (dst_key_paramcompare(pubkey, tctx->dhkey)) { - found_key = true; - ttl = keyset->ttl; - break; - } else { - found_incompatible = true; - } - } - dst_key_free(&pubkey); - dns_rdata_reset(&keyrdata); - } - } - - if (!found_key) { - if (found_incompatible) { - tkey_log("process_dhtkey: found an incompatible key"); - tkeyout->error = dns_tsigerror_badkey; - return (ISC_R_SUCCESS); - } else { - tkey_log("process_dhtkey: failed to find a key"); - return (DNS_R_FORMERR); - } - } - - add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist); - - isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata)); - RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf)); - isc_buffer_usedregion(&ourkeybuf, &ourkeyr); - dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any, - dns_rdatatype_key, &ourkeyr); - - dns_name_init(&ourname, NULL); - dns_name_clone(dst_key_name(tctx->dhkey), &ourname); - - /* - * XXXBEW The TTL should be obtained from the database, if it exists. 
- */ - add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist); - - RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize)); - isc_buffer_allocate(msg->mctx, &shared, sharedsize); - - result = dst_key_computesecret(pubkey, tctx->dhkey, shared); - if (result != ISC_R_SUCCESS) { - tkey_log("process_dhtkey: failed to compute shared secret: %s", - isc_result_totext(result)); - goto failure; - } - dst_key_free(&pubkey); - - isc_buffer_init(&secret, secretdata, sizeof(secretdata)); - - randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT); - - isc_nonce_buf(randomdata, TKEY_RANDOM_AMOUNT); - - r.base = randomdata; - r.length = TKEY_RANDOM_AMOUNT; - r2.base = tkeyin->key; - r2.length = tkeyin->keylen; - RETERR(compute_secret(shared, &r2, &r, &secret)); - isc_buffer_free(&shared); - - RETERR(dns_tsigkey_create( - name, &tkeyin->algorithm, isc_buffer_base(&secret), - isc_buffer_usedlength(&secret), true, signer, tkeyin->inception, - tkeyin->expire, ring->mctx, ring, NULL)); - - /* This key is good for a long time */ - tkeyout->inception = tkeyin->inception; - tkeyout->expire = tkeyin->expire; - - tkeyout->key = randomdata; - tkeyout->keylen = TKEY_RANDOM_AMOUNT; - - return (ISC_R_SUCCESS); - -failure: - if (!ISC_LIST_EMPTY(*namelist)) { - free_namelist(msg, namelist); - } - if (shared != NULL) { - isc_buffer_free(&shared); - } - if (pubkey != NULL) { - dst_key_free(&pubkey); - } - if (randomdata != NULL) { - isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT); - } - return (result); -} - static isc_result_t process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout, 
@@ -854,11 +583,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 }
 switch (tkeyin.mode) {
- case DNS_TKEYMODE_DIFFIEHELLMAN:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_dhtkey(msg, signer, keyname, &tkeyin, tctx,
- &tkeyout, ring, &namelist));
- break;
 case DNS_TKEYMODE_GSSAPI:
 tkeyout.error = dns_rcode_noerror;
 RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx, &tkeyout,
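Review bot: With the DIFFIEHELLMAN arm gone, a request carrying mode 2 now reaches whatever `default:` arm the switch has below this hunk, and the diff does not show it; RFC 2930 expects an unsupported mode to be answered with a TKEY BADMODE error rather than FORMERR or a dropped query, so confirm that arm sets `tkeyout.error = dns_tsigerror_badmode;` and that a system test sends a mode-2 request against the new server. If the DNS_TKEYMODE_DIFFIEHELLMAN constant is also dropped from the public header, the numeric mode still arrives on the wire from old clients, so that default arm is the only thing deciding the rcode they see. dns_tkey_processquery starts and ends outside the hunk.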
@@ -988,81 +712,6 @@ buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey,
 return (ISC_R_SUCCESS);
 }
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
- const dns_name_t *name, const dns_name_t *algorithm,
- isc_buffer_t *nonce, uint32_t lifetime) {
- dns_rdata_tkey_t tkey;
- dns_rdata_t *rdata = NULL;
- isc_buffer_t *dynbuf = NULL;
- isc_region_t r;
- dns_name_t keyname;
- dns_namelist_t namelist;
- isc_result_t result;
- isc_stdtime_t now;
- dns_name_t *item;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- REQUIRE(name != NULL);
- REQUIRE(algorithm != NULL);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = msg->mctx;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(algorithm, &tkey.algorithm);
- isc_stdtime_get(&now);
- tkey.inception = now;
- tkey.expire = now + lifetime;
- tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
- if (nonce != NULL) {
- isc_buffer_usedregion(nonce, &r);
- } else {
- r.base = NULL;
- r.length = 0;
- }
- tkey.error = 0;
- tkey.key = r.base;
- tkey.keylen = r.length;
- tkey.other = NULL;
- tkey.otherlen = 0;
-
- RETERR(buildquery(msg, name, &tkey, false));
-
- dns_message_gettemprdata(msg, &rdata);
- isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
- RETERR(dst_key_todns(key, dynbuf));
- isc_buffer_usedregion(dynbuf, &r);
- dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_key, &r);
- dns_message_takebuffer(msg, &dynbuf);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ISC_LIST_INIT(namelist);
- add_rdata_to_list(msg, &keyname, rdata, 0, &namelist);
- item = ISC_LIST_HEAD(namelist);
- while (item != NULL) {
- dns_name_t *next = ISC_LIST_NEXT(item, link);
- ISC_LIST_UNLINK(namelist, item, link);
- dns_message_addname(msg, item, DNS_SECTION_ADDITIONAL);
- item = next;
- }
-
- return (ISC_R_SUCCESS);
-
-failure:
-
- if (dynbuf != NULL) {
- isc_buffer_free(&dynbuf);
- }
- return (result);
-}
-
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name, const dns_name_t *gname, isc_buffer_t *intoken,
@@ -1165,138 +814,6 @@ find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
 return (result);
 }
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring) {
- dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
- dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
- dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
- dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
- dst_key_t *theirkey = NULL;
- dns_rdata_tkey_t qtkey, rtkey;
- unsigned char secretdata[256];
- unsigned int sharedsize;
- isc_buffer_t *shared = NULL, secret;
- isc_region_t r, r2;
- isc_result_t result;
- bool freertkey = false;
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- if (outkey != NULL) {
- REQUIRE(*outkey == NULL);
- }
-
- if (rmsg->rcode != dns_rcode_noerror) {
- return (dns_result_fromrcode(rmsg->rcode));
- }
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
- freertkey = true;
-
- RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
- rtkey.mode != qtkey.mode ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
- tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set(1)");
- result = DNS_R_INVALIDTKEY;
- dns_rdata_freestruct(&qtkey);
- goto failure;
- }
-
- dns_rdata_freestruct(&qtkey);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ourkeyname = NULL;
- ourkeyset = NULL;
- RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
- dns_rdatatype_key, 0, &ourkeyname,
- &ourkeyset));
-
- result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
- while (result == ISC_R_SUCCESS) {
- theirkeyname = NULL;
- dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
- &theirkeyname);
- if (dns_name_equal(theirkeyname, ourkeyname)) {
- goto next;
- }
- theirkeyset = NULL;
- result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
- 0, &theirkeyset);
- if (result == ISC_R_SUCCESS) {
- RETERR(dns_rdataset_first(theirkeyset));
- break;
- }
- next:
- result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
- }
-
- if (theirkeyset == NULL) {
- tkey_log("dns_tkey_processdhresponse: failed to find server "
- "key");
- result = ISC_R_NOTFOUND;
- goto failure;
- }
-
- dns_rdataset_current(theirkeyset, &theirkeyrdata);
- RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata, rmsg->mctx,
- &theirkey));
-
- RETERR(dst_key_secretsize(key, &sharedsize));
- isc_buffer_allocate(rmsg->mctx, &shared, sharedsize);
-
- RETERR(dst_key_computesecret(theirkey, key, shared));
-
- isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
- r.base = rtkey.key;
- r.length = rtkey.keylen;
- if (nonce != NULL) {
- isc_buffer_usedregion(nonce, &r2);
- } else {
- r2.base = NULL;
- r2.length = 0;
- }
- RETERR(compute_secret(shared, &r2, &r, &secret));
-
- isc_buffer_usedregion(&secret, &r);
- result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base,
- r.length, true, NULL, rtkey.inception,
- rtkey.expire, rmsg->mctx, ring, outkey);
- isc_buffer_free(&shared);
- dns_rdata_freestruct(&rtkey);
- dst_key_free(&theirkey);
- return (result);
-
-failure:
- if (shared != NULL) {
- isc_buffer_free(&shared);
- }
-
- if (theirkey != NULL) {
- dst_key_free(&theirkey);
- }
-
- if (freertkey) {
- dns_rdata_freestruct(&rtkey);
- }
-
- return (result);
-}
-
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, const dns_name_t *gname, dns_gss_ctx_id_t *context,
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index bb3bcaa79b..1c10265aa2 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9006,8 +9006,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
 }
 alg = tuple->rdata.data[3];
- if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
- alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
+ if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
+ alg == DNS_KEYALG_RSASHA1)
 {
 nseconly = true;
 }
@@ -9017,8 +9017,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
 if (keys != NULL && !nseconly) {
 for (unsigned int i = 0; i < numkeys; i++) {
 alg = dst_key_alg(keys[i]);
- if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
- alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
+ if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
+ alg == DNS_KEYALG_RSASHA1)
 {
 nseconly = true;
 break;
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index abb18008d3..18af596704 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -246,8 +246,8 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 }
 /* NSEC3 cannot be used with certain key algorithms. */
- if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
- keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
+ if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA ||
+ keyalg == DNS_KEYALG_RSASHA1)
 {
 badalg = keyalg;
 }
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index ff938f1fac..13eeed8580 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -145,18 +145,6 @@ static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
-/*% tkey-dhkey */
-
-static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
- { "name", &cfg_type_qstring, 0 },
- { "keyid", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey", cfg_parse_tuple,
- cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, tkey_dhkey_fields };
-
 /*% listen-on */
 static cfg_tuplefielddef_t listenon_tuple_fields[] = {
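Review bot: The first zone.c hunk reads the algorithm number straight out of the zone's DNSKEY rdata (`alg = tuple->rdata.data[3]`), so the value 2 can still turn up there from zone data even though BIND no longer implements DH, and dropping `DNS_KEYALG_DH` from the NSEC-only list changes what dns_zone_check_dnskey_nsec3 reports for such a zone without the commit saying whether that is intended. Algorithm 2 is not a zone-signing algorithm, so the old test was most likely redundant, but a one-line comment would keep the next reader from re-adding it, e.g. `/* DH (alg 2) cannot sign zones, so it is deliberately absent from this list. */`. The same edit appears in the second zone.c hunk and in kaspconf.c, where keyalg comes from dnssec-policy configuration and a DH value should no longer be reachable. dns_zone_check_dnskey_nsec3 and cfg_nsec3param_fromconfig both start and end outside their hunks.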
@@ -1327,7 +1315,7 @@ static cfg_clausedef_t options_clauses[] = {
 { "tcp-listen-queue", &cfg_type_uint32, 0 },
 { "tcp-receive-buffer", &cfg_type_uint32, 0 },
 { "tcp-send-buffer", &cfg_type_uint32, 0 },
- { "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+ { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
 { "tkey-domain", &cfg_type_qstring, 0 },
 { "tkey-gssapi-credential", &cfg_type_qstring, 0 },
 { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
diff --git a/tests/dns/Makefile.am b/tests/dns/Makefile.am
index 15f1e519bd..137a159221 100644
--- a/tests/dns/Makefile.am
+++ b/tests/dns/Makefile.am
@@ -21,7 +21,6 @@ check_PROGRAMS = \
 dbdiff_test \
 dbiterator_test \
 dbversion_test \
- dh_test \
 dispatch_test \
 dns64_test \
 dst_test \
diff --git a/tests/dns/comparekeys/Kexample-private.+002+65316.key b/tests/dns/comparekeys/Kexample-private.+002+65316.key
deleted file mode 100644
index 7cc002d23e..0000000000
--- a/tests/dns/comparekeys/Kexample-private.+002+65316.key
+++ /dev/null
@@ -1 +0,0 @@
-example-private. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5
diff --git a/tests/dns/comparekeys/Kexample-private.+002+65316.private b/tests/dns/comparekeys/Kexample-private.+002+65316.private
deleted file mode 100644
index 1f00fa9ac8..0000000000
--- a/tests/dns/comparekeys/Kexample-private.+002+65316.private
+++ /dev/null
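Review bot: Marking the clause `{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT }` presumably turns a `tkey-dhkey` statement still present in named.conf from a parsed option into a configuration error rather than a warning, which means named will refuse to start after the upgrade until the operator removes the line. If that hard failure is intended, it deserves an explicit release-note entry and a sentence in the ARM text for `tkey-dhkey`, since the commit message only describes the protocol-level removal. A short comment on the clause, e.g. `/* TKEY mode 2 (DH) removed; the clause is rejected, not ignored */`, would also help the next reader of options_clauses, which starts and ends outside the hunk.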
@@ -1,9 +0,0 @@
-Private-key-format: v1.3
-Algorithm: 2 (DH)
-Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
-Generator(g): Ag==
-Private_value(x): dLr0sfk/P1V0DfQ7Ke3IIaSM8nHjtrBRlMcQXRMVrLhbbKeCodvpSRtI0Nwtt38Df8dbGGtP676my2Ht2UHyL7rO0+ASv98NCysL0Xp6q2a7fn67iGFUBTg3jzXC89FYv4sYNeVLDGrKC3EjtGkalzgDVuzEC8CqRkWKeys3ufc=
-Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
-Created: 20000101000000
-Publish: 20000101000000
-Activate: 20000101000000
diff --git a/tests/dns/dh_test.c b/tests/dns/dh_test.c
deleted file mode 100644
index 246de2197a..0000000000
--- a/tests/dns/dh_test.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include /* IWYU pragma: keep */
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define UNIT_TESTING
-#include
-
-#include
-#include
-#include
-
-#include
-
-#include "dst_internal.h"
-
-#include
-
-static int
-setup_test(void **state) {
- isc_result_t result;
-
- UNUSED(state);
-
- result = dst_lib_init(mctx, NULL);
-
- if (result != ISC_R_SUCCESS) {
- return (1);
- }
-
- return (0);
-}
-
-static int
-teardown_test(void **state) {
- UNUSED(state);
-
- dst_lib_destroy();
-
- return (0);
-}
-
-/* OpenSSL DH_compute_key() failure */
-ISC_RUN_TEST_IMPL(dh_computesecret) {
- dst_key_t *key = NULL;
- isc_buffer_t buf;
- unsigned char array[1024];
- isc_result_t result;
- dns_fixedname_t fname;
- dns_name_t *name;
-
- UNUSED(state);
-
- name = dns_fixedname_initname(&fname);
- isc_buffer_constinit(&buf, "dh.", 3);
- isc_buffer_add(&buf, 3);
- result = dns_name_fromtext(name, &buf, NULL, 0, NULL);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- result = dst_key_fromfile(name, 18602, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, TESTS_DIR,
- mctx, &key);
- assert_int_equal(result, ISC_R_SUCCESS);
-
- isc_buffer_init(&buf, array, sizeof(array));
- result = dst_key_computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_NOTPRIVATEKEY);
- result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
-
- dst_key_free(&key);
-}
-
-ISC_TEST_LIST_START
-ISC_TEST_ENTRY_CUSTOM(dh_computesecret, setup_test, teardown_test)
-ISC_TEST_LIST_END
-
-ISC_TEST_MAIN
diff --git a/tests/dns/dst_test.c b/tests/dns/dst_test.c
index e60a916519..570c19c876 100644
--- a/tests/dns/dst_test.c
+++ b/tests/dns/dst_test.c
@@ -416,34 +416,6 @@ ISC_RUN_TEST_IMPL(cmp_test) {
 /* EdDSA Public Key: different key */
 { "example.", 63663, "example2.", 37529, DST_ALG_ED25519,
 DST_TYPE_PUBLIC, false },
-
- /* DH Keypair: self */
- { "example.", 65316, "example.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, true },
-
- /* DH Keypair: different key */
- { "example.", 65316, "example2.", 19823, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Keypair: different key (with generator=5) */
- { "example.", 65316, "example3.", 17187, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Keypair: different private key */
- { "example.", 65316, "example-private.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
-
- /* DH Public Key: self */
- { "example.", 65316, "example.", 65316, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, true },
-
- /* DH Public Key: different key */
- { "example.", 65316, "example2.", 19823, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
-
- /* DH Public Key: different key (with generator=5) */
- { "example.", 65316, "example3.", 17187, DST_ALG_DH,
- DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
 };
 unsigned int i;