3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
and ECDSAP384SHA384. [RT #37183]
3
CHANGES
3
CHANGES
@@ -1,3 +1,6 @@
|
||||
3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
|
||||
and ECDSAP384SHA384. [RT #37183]
|
||||
|
||||
3956. [func] Notify messages are now rate limited by notify-rate and
|
||||
startup-notify-rate instead of serial-query-rate.
|
||||
[RT #24454]
|
||||
|
||||
@@ -552,6 +552,9 @@ main(int argc, char **argv) {
|
||||
options |= DST_TYPE_KEY;
|
||||
}
|
||||
|
||||
if (!dst_algorithm_supported(alg))
|
||||
fatal("unsupported algorithm: %d", alg);
|
||||
|
||||
if (use_nsec3 &&
|
||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
|
||||
@@ -719,8 +722,13 @@ main(int argc, char **argv) {
|
||||
fatal("invalid DSS key size: %d", size);
|
||||
break;
|
||||
case DST_ALG_ECCGOST:
|
||||
size = 256;
|
||||
break;
|
||||
case DST_ALG_ECDSA256:
|
||||
size = 256;
|
||||
break;
|
||||
case DST_ALG_ECDSA384:
|
||||
size = 384;
|
||||
break;
|
||||
case DST_ALG_HMACMD5:
|
||||
options |= DST_TYPE_KEY;
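Review bot: The new ECCGOST, ECDSA256 and ECDSA384 cases at the top of this hunk assign `size` unconditionally, so a mismatching `-b` value (option parsing is outside the hunk) is silently overridden, whereas the DSS case immediately above fatals on an invalid size. Either reject the mismatch, e.g. `if (size != 0 && size != 256) fatal("invalid ECDSAP256SHA256 key size: %d", size);` using whatever sentinel the option parser leaves in `size` when `-b` is absent, or at least document the override with a comment such as `/* key size is fixed by the curve; any -b value is ignored */`. Separately, the `fatal("unsupported algorithm: %d", alg)` added in the earlier hunk of this file is the exact string the new tests.sh loop greps to decide which algorithms to skip, so a comment like `/* tests.sh greps for this message; keep the wording in sync */` would stop a future rewording from silently shrinking the test's coverage. main() starts and ends outside both hunks.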
|
||||
|
||||
@@ -74,3 +74,5 @@ rm -f ns4/named_dump.db
|
||||
rm -f ns3/badds.example.db
|
||||
rm -f delve.out*
|
||||
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
|
||||
rm -f Kexample.*
|
||||
rm -f keygen.err
|
||||
|
||||
@@ -2640,5 +2640,52 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
|
||||
ret=0
|
||||
alg=1
|
||||
until test $alg = 256
|
||||
do
|
||||
size=
|
||||
case $alg in
|
||||
1) size="-b 512";;
|
||||
2) # Diffie Helman
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
3) size="-b 512";;
|
||||
5) size="-b 512";;
|
||||
6) size="-b 512";;
|
||||
7) size="-b 512";;
|
||||
8) size="-b 512";;
|
||||
10) size="-b 1024";;
|
||||
157|160|161|162|163|164|165) # private - non standard
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
esac
|
||||
key1=`$KEYGEN -a $alg $size -n zone -r /dev/urandom example 2> keygen.err`
|
||||
if grep "unsupported algorithm" keygen.err > /dev/null
|
||||
then
|
||||
alg=`expr $alg + 1`
|
||||
continue
|
||||
fi
|
||||
if test -z "$key1"
|
||||
then
|
||||
echo "I: '$KEYGEN -a $alg': failed"
|
||||
cat keygen.err
|
||||
ret=1
|
||||
alg=`expr $alg + 1`
|
||||
continue
|
||||
fi
|
||||
$SETTIME -I now+4d $key1.private > /dev/null
|
||||
key2=`$KEYGEN -v 10 -r /dev/urandom -i 3d -S $key1.private 2> /dev/null`
|
||||
test -f $key2.key -a -f $key2.private || {
|
||||
ret=1
|
||||
echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
|
||||
}
|
||||
alg=`expr $alg + 1`
|
||||
done
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
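Review bot: The `-S` keygen call in the new loop (the `key2=` line) redirects stderr with `2> /dev/null`, so when the step fails the test prints only the algorithm number and the actual error, which is what this commit is fixing, is lost; the first keygen call in the same loop captures stderr in keygen.err and cats it on failure. Redirect it the same way, `2> keygen.err`, and add `cat keygen.err` inside the `test -f $key2.key -a -f $key2.private || { ... }` failure branch so a regression is diagnosable from the test log. As a minor nit, the comment on the skipped case 2 reads "Diffie Helman"; the name is Hellman.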
|
||||
|
||||
@@ -295,10 +295,13 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
UNUSED(unused);
|
||||
UNUSED(callback);
|
||||
|
||||
if (key->key_alg == DST_ALG_ECDSA256)
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
group_nid = NID_X9_62_prime256v1;
|
||||
else
|
||||
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
|
||||
} else {
|
||||
group_nid = NID_secp384r1;
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
}
|
||||
|
||||
eckey = EC_KEY_new_by_curve_name(group_nid);
|
||||
if (eckey == NULL)
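Review bot: The two new `key->key_size = DNS_KEY_ECDSA256SIZE * 4` / `DNS_KEY_ECDSA384SIZE * 4` assignments in this hunk, and the `len * 4` form in the fromdns hunk below, encode a unit conversion with no explanation: DNS_KEY_ECDSA256SIZE is presumably the wire-format public-key length in bytes, which holds both curve coordinates, so bits = bytes * 8 / 2 = bytes * 4. A one-line comment at the first occurrence, e.g. `/* key_size is in bits: the wire key is x|y, so bits = bytes * 4 */`, or a shared macro such as `#define DNS_KEY_ECDSA_BITS(wirebytes) ((wirebytes) * 4)`, would make the constant self-explaining and keep the three sites in this file in step. The else branch assumes the only other algorithm reaching this function is ECDSA384, which holds only if this link module is registered for just those two algorithms; worth a comment if so. opensslecdsa_generate continues past the end of the hunk.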
|
||||
@@ -433,6 +436,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
isc_buffer_forward(data, len);
|
||||
key->keydata.pkey = pkey;
|
||||
key->key_size = len * 4;
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
@@ -571,6 +575,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
key->keydata.pkey = pkey;
|
||||
if (key->key_alg == DST_ALG_ECDSA256)
|
||||
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
|
||||
else
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
|
||||
@@ -251,6 +251,7 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
key->keydata.pkey = pkey;
|
||||
key->key_size = EVP_PKEY_bits(pkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
return (ISC_R_SUCCESS);
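Review bot: opensslgost_generate and opensslgost_fromdns now set `key->key_size = EVP_PKEY_bits(pkey)`, but no hunk for opensslgost_parse appears in this diff, and parse is the path `dnssec-keygen -S` takes when it reads the existing private key; if that function does not already set key_size, the ECCGOST case of the new system test would still fail under the OpenSSL backend while the PKCS#11 backend, whose parse is patched here, passes. Worth confirming against the full file. EVP_PKEY_bits() can also return 0 when the key type cannot report a size, so a cheap guard after the assignment, `if (key->key_size == 0) DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));`, would surface that as an error instead of a zero-size key, matching how this function already reports OpenSSL failures. The enclosing function starts outside the hunk.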
|
||||
|
||||
@@ -336,6 +337,7 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
return (dst__openssl_toresult2("d2i_PUBKEY",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
key->keydata.pkey = pkey;
|
||||
key->key_size = EVP_PKEY_bits(pkey);
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
@@ -562,6 +562,11 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
memset(pk11_ctx, 0, sizeof(*pk11_ctx));
|
||||
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
|
||||
|
||||
if (key->key_alg == DST_ALG_ECDSA256)
|
||||
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
|
||||
else
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
err:
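Review bot: The same four-line `if (key->key_alg == DST_ALG_ECDSA256) ... else ...` block is added verbatim in pkcs11ecdsa_generate, pkcs11ecdsa_parse and pkcs11ecdsa_fromlabel, and the OpenSSL counterpart repeats it again, so a future change to the size rule must be made in at least five places. A file-scope helper such as `static inline unsigned int pkcs11ecdsa_key_bits(unsigned int alg) { return (alg == DST_ALG_ECDSA256 ? DNS_KEY_ECDSA256SIZE : DNS_KEY_ECDSA384SIZE) * 4; }` (with the return type matching that of key_size), called as `key->key_size = pkcs11ecdsa_key_bits(key->key_alg);` at each site, would collapse the repetition and give one place to note that the value is in bits. In this hunk the assignment sits after pk11_ctx has been cleared and returned to the allocator, which is fine since it only touches `key`. pkcs11ecdsa_generate continues past the hunk.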
|
||||
@@ -716,6 +721,7 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
isc_buffer_forward(data, len);
|
||||
key->keydata.pkey = ec;
|
||||
key->key_size = len * 4;
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
nomemory:
|
||||
@@ -1005,6 +1011,10 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
memset(&priv, 0, sizeof(priv));
|
||||
if (key->key_alg == DST_ALG_ECDSA256)
|
||||
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
|
||||
else
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -1127,6 +1137,10 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
if (key->label == NULL)
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
if (key->key_alg == DST_ALG_ECDSA256)
|
||||
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
|
||||
else
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
|
||||
pk11_return_session(pk11_ctx);
|
||||
memset(pk11_ctx, 0, sizeof(*pk11_ctx));
|
||||
|
||||
@@ -73,6 +73,7 @@
|
||||
|
||||
#define ISC_GOST_SIGNATURELENGTH 64
|
||||
#define ISC_GOST_PUBKEYLENGTH 64
|
||||
#define ISC_GOST_KEYSIZE 256
|
||||
|
||||
/* HASH methods */
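Review bot: `#define ISC_GOST_KEYSIZE 256` introduces a second literal that has to stay consistent with `ISC_GOST_PUBKEYLENGTH 64` directly above it: a GOST R 34.10-2001 DNSKEY holds the two 32-byte coordinates, so the key size in bits is the wire length times 4, the same relation the ECDSA link code expresses as `len * 4`. Deriving it, `#define ISC_GOST_KEYSIZE (ISC_GOST_PUBKEYLENGTH * 4) /* in bits */`, ties the two together and documents the unit, which the three `key->key_size = ISC_GOST_KEYSIZE;` assignments later in this file otherwise leave implicit.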
|
||||
|
||||
@@ -523,6 +524,7 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
memset(gost, 0, sizeof(*gost));
|
||||
key->keydata.pkey = gost;
|
||||
key->key_size = ISC_GOST_KEYSIZE;
|
||||
gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
|
||||
sizeof(*attr) * 2);
|
||||
if (gost->repr == NULL)
|
||||
@@ -680,6 +682,7 @@ pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
|
||||
key->keydata.pkey = gost;
|
||||
key->key_size = ISC_GOST_KEYSIZE;
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
nomemory:
|
||||
@@ -867,6 +870,7 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
memset(gost, 0, sizeof(*gost));
|
||||
key->keydata.pkey = gost;
|
||||
key->key_size = ISC_GOST_KEYSIZE;
|
||||
|
||||
gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
|
||||
sizeof(*attr) * 2);
|
||||
|
||||