mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 16:15:27 +00:00
Code Issues Releases Wiki Activity

Reject incorrect RSA key lengths during key generation and and sign/verify context creation (#45043)

Browse Source
This commit is contained in:
Mukund Sivaraman
2017-04-21 17:30:15 +05:30
parent f23c10f925
commit 239e9dc81c
3 changed files with 193 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,3 +1,7 @@
4601. [bug] Reject incorrect RSA key lengths during key
generation and and sign/verify context
creation. [RT #45043]
4600. [bug] Adjust RPZ trigger counts only when the entry 4600. [bug] Adjust RPZ trigger counts only when the entry
being deleted exists. [RT #43386] being deleted exists. [RT #43386]

54
lib/dns/opensslrsa_link.c
View File

@@ -261,6 +261,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
dctx->key->key_alg == DST_ALG_RSASHA512); dctx->key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
#if USE_EVP #if USE_EVP
evp_md_ctx = EVP_MD_CTX_create(); evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL) if (evp_md_ctx == NULL)
@@ -958,6 +985,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
EVP_PKEY *pkey = EVP_PKEY_new(); EVP_PKEY *pkey = EVP_PKEY_new();
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
goto err;
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
goto err;
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
goto err;
break;
default:
INSIST(0);
}
if (rsa == NULL || e == NULL || cb == NULL) if (rsa == NULL || e == NULL || cb == NULL)
goto err; goto err;
#if USE_EVP #if USE_EVP

135
lib/dns/pkcs11rsa_link.c
View File

@@ -92,6 +92,33 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
key->key_alg == DST_ALG_RSASHA512); key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey; rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
@@ -301,6 +328,33 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA512); key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey; rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
@@ -549,6 +603,33 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#endif #endif
REQUIRE(rsa != NULL); REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) { switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE #ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
@@ -678,6 +759,33 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
#endif #endif
REQUIRE(rsa != NULL); REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) { switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE #ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
@@ -1094,6 +1202,33 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
UNUSED(callback); UNUSED(callback);
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
sizeof(*pk11_ctx)); sizeof(*pk11_ctx));
if (pk11_ctx == NULL) if (pk11_ctx == NULL)