mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-25 16:18:03 -04:00
bd4576b3ce
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools). The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.
The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:
4.2 Diffie-Hellman Exchanged Keying (Deprecated)
The use of this mode (#2) is NOT RECOMMENDED for the following two
reasons but the specification is still included in Appendix A in case
an implementation is needed for compatibility with old TKEY
implementations. See Section 4.6 on ECDH Exchanged Keying.
The mixing function used does not meet current cryptographic
standards because it uses MD5 [RFC6151].
RSA keys must be excessively long to achieve levels of security
required by current standards.
We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status. Meanwhile the
insecure DH mode needs to be removed.
178 lines
3.4 KiB
C
178 lines
3.4 KiB
C
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
#include "openssl_shim.h"
|
|
|
|
#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
/* From OpenSSL 1.1.0 */
|
|
int
|
|
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
|
|
/*
|
|
* If the fields n and e in r are NULL, the corresponding input
|
|
* parameters MUST be non-NULL for n and e. d may be
|
|
* left NULL (in case only the public key is used).
|
|
*/
|
|
if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
|
|
return (0);
|
|
}
|
|
|
|
if (n != NULL) {
|
|
BN_free(r->n);
|
|
r->n = n;
|
|
}
|
|
if (e != NULL) {
|
|
BN_free(r->e);
|
|
r->e = e;
|
|
}
|
|
if (d != NULL) {
|
|
BN_clear_free(r->d);
|
|
r->d = d;
|
|
}
|
|
|
|
return (1);
|
|
}
|
|
|
|
int
|
|
RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
|
|
/*
|
|
* If the fields p and q in r are NULL, the corresponding input
|
|
* parameters MUST be non-NULL.
|
|
*/
|
|
if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
|
|
return (0);
|
|
}
|
|
|
|
if (p != NULL) {
|
|
BN_clear_free(r->p);
|
|
r->p = p;
|
|
}
|
|
if (q != NULL) {
|
|
BN_clear_free(r->q);
|
|
r->q = q;
|
|
}
|
|
|
|
return (1);
|
|
}
|
|
|
|
int
|
|
RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
|
|
/*
|
|
* If the fields dmp1, dmq1 and iqmp in r are NULL, the
|
|
* corresponding input parameters MUST be non-NULL.
|
|
*/
|
|
if ((r->dmp1 == NULL && dmp1 == NULL) ||
|
|
(r->dmq1 == NULL && dmq1 == NULL) ||
|
|
(r->iqmp == NULL && iqmp == NULL))
|
|
{
|
|
return (0);
|
|
}
|
|
|
|
if (dmp1 != NULL) {
|
|
BN_clear_free(r->dmp1);
|
|
r->dmp1 = dmp1;
|
|
}
|
|
if (dmq1 != NULL) {
|
|
BN_clear_free(r->dmq1);
|
|
r->dmq1 = dmq1;
|
|
}
|
|
if (iqmp != NULL) {
|
|
BN_clear_free(r->iqmp);
|
|
r->iqmp = iqmp;
|
|
}
|
|
|
|
return (1);
|
|
}
|
|
|
|
void
|
|
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
|
|
const BIGNUM **d) {
|
|
if (n != NULL) {
|
|
*n = r->n;
|
|
}
|
|
if (e != NULL) {
|
|
*e = r->e;
|
|
}
|
|
if (d != NULL) {
|
|
*d = r->d;
|
|
}
|
|
}
|
|
|
|
void
|
|
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
|
|
if (p != NULL) {
|
|
*p = r->p;
|
|
}
|
|
if (q != NULL) {
|
|
*q = r->q;
|
|
}
|
|
}
|
|
|
|
void
|
|
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
|
|
const BIGNUM **iqmp) {
|
|
if (dmp1 != NULL) {
|
|
*dmp1 = r->dmp1;
|
|
}
|
|
if (dmq1 != NULL) {
|
|
*dmq1 = r->dmq1;
|
|
}
|
|
if (iqmp != NULL) {
|
|
*iqmp = r->iqmp;
|
|
}
|
|
}
|
|
|
|
int
|
|
RSA_test_flags(const RSA *r, int flags) {
|
|
return (r->flags & flags);
|
|
}
|
|
#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
|
#if !HAVE_ECDSA_SIG_GET0
|
|
/* From OpenSSL 1.1 */
|
|
void
|
|
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
|
|
if (pr != NULL) {
|
|
*pr = sig->r;
|
|
}
|
|
if (ps != NULL) {
|
|
*ps = sig->s;
|
|
}
|
|
}
|
|
|
|
int
|
|
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
|
|
if (r == NULL || s == NULL) {
|
|
return (0);
|
|
}
|
|
|
|
BN_clear_free(sig->r);
|
|
BN_clear_free(sig->s);
|
|
sig->r = r;
|
|
sig->s = s;
|
|
|
|
return (1);
|
|
}
|
|
#endif /* !HAVE_ECDSA_SIG_GET0 */
|
|
|
|
#if !HAVE_ERR_GET_ERROR_ALL
|
|
static const char err_empty_string = '\0';
|
|
|
|
unsigned long
|
|
ERR_get_error_all(const char **file, int *line, const char **func,
|
|
const char **data, int *flags) {
|
|
if (func != NULL) {
|
|
*func = &err_empty_string;
|
|
}
|
|
return (ERR_get_error_line_data(file, line, data, flags));
|
|
}
|
|
#endif /* if !HAVE_ERR_GET_ERROR_ALL */
|