mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

Remove support for obsoleted ECC-GOST (GOST R 34.11-94) algorithm

Ondřej Surý 2018-05-25 16:17:13 +02:00
parent 57f0949e2b
commit 27593e65dc
60 changed files with 39 additions and 2875 deletions


@ -1115,7 +1115,7 @@ usage(void) {
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n"
" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n"
" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
" -c <class> of domain (default IN)\n"
" -D prefer CDNSKEY records instead of CDS\n"
" -d <file|dir> where to find parent dsset- file\n"


@ -144,7 +144,7 @@
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
(SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</para>


@ -117,7 +117,7 @@
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>


@ -97,7 +97,7 @@
<p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive.
</p>
</dd>


@ -64,7 +64,7 @@ usage(void) {
fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
" NSEC3DSA | NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 | ECCGOST |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
@ -427,7 +427,6 @@ main(int argc, char **argv) {
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
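Review bot: The `-a algorithm` list printed by usage() in the first hunk still ends at `ECDSAP256SHA256 | ECDSAP384SHA384`, although the switch in main() in the second hunk keeps a `case DST_ALG_ED25519:` arm, so the help text appears to under-report what the tool accepts. Since the list is being re-flowed anyway, it could end `" RSASHA256 | RSASHA512 |\n"`, `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"`, `" ED25519 | ED448\n"`, provided ED448 is handled by an arm below the hunk. Both usage() and the switch continue outside the visible lines.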


@ -106,7 +106,7 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
<para>


@ -79,7 +79,7 @@ usage(void) {
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");


@ -123,7 +123,7 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option>


@ -360,10 +360,6 @@ strtodsdigest(const char *algname) {
strcasecmp(algname, "SHA-256") == 0)
{
return (DNS_DSDIGEST_SHA256);
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
} else if (strcasecmp(algname, "GOST") == 0) {
return (DNS_DSDIGEST_GOST);
#endif
} else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
{


@ -32,7 +32,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'RSASHA512', None, None, 'ECDSAP256SHA256',
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
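Review bot: The second `None` in `_ALGNAMES` (index 12) is a placeholder that keeps every later name at the index equal to its DNSSEC algorithm number, and nothing in the tuple says so; a later cleanup that drops it would silently shift ECDSAP256SHA256 and everything after it by one. A comment above the tuple such as `# index == DNSSEC algorithm number; None = unassigned or removed (12 was ECCGOST)` would protect it. Code that maps a key file's algorithm 12 through this tuple now gets `None` instead of a name; those callers are outside the hunk, so it is worth confirming they report an unsupported algorithm rather than failing on the `None`.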


@ -71,7 +71,7 @@ class PolicyLex:
return t
def t_ALGNAME(self, t):
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
@ -139,7 +139,6 @@ class Policy:
'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096],
'RSASHA512': [1024, 4096],
'ECCGOST': None,
'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None,
'ED25519': None,
@ -278,8 +277,7 @@ class Policy:
('ZSK key size %d not divisible by 64 ' +
'as required for DSA') % self.zsk_keysize
if self.algorithm in ['ECCGOST', \
'ECDSAP256SHA256', \
if self.algorithm in ['ECDSAP256SHA256', \
'ECDSAP384SHA384', \
'ED25519', \
'ED448']:
@ -369,10 +367,6 @@ class dnssec_policy:
self.alg_policy['RSASHA512'].algorithm = "RSASHA512"
self.alg_policy['RSASHA512'].name = "RSASHA512"
self.alg_policy['ECCGOST'] = copy(p)
self.alg_policy['ECCGOST'].algorithm = "ECCGOST"
self.alg_policy['ECCGOST'].name = "ECCGOST"
self.alg_policy['ECDSAP256SHA256'] = copy(p)
self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256"
self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256"
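Review bot: Once the `t_ALGNAME` pattern in the first hunk drops `ECCGOST`, an existing policy file that still names that algorithm is no longer tokenised as an algorithm name, and what the lexer and parser do with the word instead is outside these hunks. For a signing policy the safe outcome is an explicit error that names the removed algorithm, not a generic syntax error and not a silent fall-back to the default algorithm. I would confirm which of these happens and add a test policy containing `algorithm eccgost;` (constructed example) that pins the error.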


@ -76,7 +76,7 @@ KRB5_CONFIG=/dev/null
#
# List of tests hard-coded to use ports 5300 and 9953. For this
# reason, these must be run sequentially.
SEQUENTIALDIRS="ecdsa eddsa gost @PKCS11_TEST@ tkey"
SEQUENTIALDIRS="ecdsa eddsa @PKCS11_TEST@ tkey"
# List of tests that use ports assigned by caller (other than 5300
# and 9953). Because separate blocks of ports can be used for teach


@ -87,7 +87,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \
database digdelv dlv dlvauto dlz dlzexternal dname \
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \
ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward geoip glue gost idna inline ixfr \
fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \
keepalive @KEYMGR@ legacy limits logfileconfig masterfile \
masterformat metadata mkeys names notify nslookup nsupdate \
nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \


@ -37,7 +37,6 @@ $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
supported=`cat ../supported`
case "$supported" in
gost) algo=GOST ;;
*) algo=SHA-384 ;;
esac
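Review bot: The new side still reads `../supported` into `$supported` and then runs a `case` whose only remaining arm is `*) algo=SHA-384 ;;`, so the file read no longer influences anything. If `../supported` is the file that the prerequisite script later in this commit used to create with `echo ... > supported` (on the new side that script no longer writes it), the `cat` now fails on a clean tree, and under `sh -e` a failed command substitution in an assignment aborts the script; the shebang is outside the hunk. Replacing the assignment and the `case` with the single line `algo=SHA-384` removes the dependency.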


@ -26,7 +26,7 @@ options {
dnssec-validation yes;
dnssec-must-be-secure . yes;
/* only SHA-256 is enabled */
disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
};
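Review bot: Dropping `GOST;` from `disable-ds-digests` leaves digest type 3 uncovered, since the list now names SHA-1 and SHA-384 and numbers 5 to 9, while the comment above still says only SHA-256 is enabled. The library change in this commit removes that type from `dst_ds_digest_supported()`, so the outcome should be the same, but the test would state its intent directly as `disable-ds-digests . { SHA-1; 3; SHA-384; 5; 6; 7; 8; 9; };`, assuming the parser takes 3 numerically as it does 5 to 9. The same line appears in the next named.conf section of this commit.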


@ -25,7 +25,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
/* only SHA-256 is enabled */
disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
};
zone "." {


@ -12,17 +12,12 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
gostfail=0 ecdsafail=0
$SHELL ../testcrypto.sh -q gost || gostfail=1
ecdsafail=0
$SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1
if [ $gostfail = 0 -a $ecdsafail = 0 ]; then
echo both > supported
elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
echo_i "This test requires support for ECDSA or GOST cryptography." >&2
if [ $ecdsafail = 1 ]; then
echo_i "This test requires support for ECDSA cryptography." >&2
exit 255
elif [ $gostfail = 0 ]; then
echo gost > supported
else
echo ecdsa > supported
fi


@ -1,19 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f */K* */dsset-* */*.signed */trusted.conf
rm -f ns1/root.db
rm -f ns1/signer.err
rm -f dig.out*
rm -f */named.run
rm -f */named.memstats
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*


@ -1,35 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db.signed";
};
include "trusted.conf";


@ -1,19 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA marka.isc.org. a.root.servers.nil. (
2010121600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1


@ -1,38 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -a ECCGOST -n zone $zone`
key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone`
$DSFROMKEY -a gost $key2.key > dsset-gost
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a trusted key.
cat $key1.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > trusted.conf
cp trusted.conf ../ns2/trusted.conf


@ -1,35 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";


@ -1,15 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh gost


@ -1,15 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
cd ns1 && $SHELL sign.sh


@ -1,35 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
echo "I:checking that positive validation works ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1


@ -114,7 +114,7 @@ rm -f ns3/test-?.bk
rm -f ns3/test-?.bk.signed
rm -f ns3/test-?.bk.signed.jnl
rm -f import.key Kimport*
rm -f checkgost checkdsa checkecdsa
rm -f checkdsa checkecdsa
rm -f ns3/a-file
rm -f ns*/named.lock
rm -f dig.out.*


@ -125,20 +125,13 @@ zone=externalkey
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
for alg in ECCGOST ECDSAP256SHA256 NSEC3RSASHA1 DSA
for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
do
case $alg in
DSA)
$SHELL ../checkdsa.sh 2> /dev/null || continue
checkfile=../checkdsa
touch $checkfile ;;
ECCGOST)
fail=0
$KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
rm -f Ktest*
[ $fail != 0 ] && continue
checkfile=../checkgost
touch $checkfile ;;
ECDSAP256SHA256)
fail=0
$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1


@ -897,16 +897,14 @@ n=`expr $n + 1`
echo_i "testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
for alg in 3 7 12 13
for alg in 3 7 13
do
[ $alg = 3 -a ! -f checkdsa ] && continue;
[ $alg = 12 -a ! -f checkgost ] && continue;
[ $alg = 13 -a ! -f checkecdsa ] && continue;
case $alg in
3) echo_i "checking DSA";;
7) echo_i "checking NSEC3RSASHA1";;
12) echo_i "checking GOST";;
13) echo_i "checking ECDSAP256SHA256";;
*) echo_i "checking $alg";;
esac


@ -30,11 +30,6 @@ while test "$#" -gt 0; do
alg="-a RSASHA1"
msg1="RSA cryptography"
;;
gost|GOST)
alg="-a eccgost"
msg1="GOST cryptography"
msg2="--with-gost"
;;
ecdsa|ECDSA)
alg="-a ecdsap256sha256"
msg1="ECDSA cryptography"


@ -395,9 +395,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
/* Define if native PKCS#11 is used as cryptographic library provider */
#undef HAVE_PKCS11
@ -410,9 +407,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
/* Define if your PKCS11 provider supports GOST. */
#undef HAVE_PKCS11_GOST
/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
@ -604,9 +598,6 @@ int sigwait(const unsigned int *set, int *sig);
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
/* Define if GOST private keys are encoded in ASN.1. */
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
#undef SIZEOF_VOID_P


@ -327,9 +327,6 @@ typedef __int64 off_t;
/* Define if OpenSSL includes Ed448 support */
@HAVE_OPENSSL_ED448@
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
@ -354,12 +351,6 @@ typedef __int64 off_t;
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
/* Define if your PKCS11 provider supports GOST. */
@HAVE_PKCS11_GOST@
/* Define if GOST private keys are encoded in ASN.1. */
@PREFER_GOSTASN1@
/* Define if OpenSSL is used as cryptographic library provider. */
@HAVE_OPENSSL@

150
configure vendored

@ -800,7 +800,6 @@ NZDSRCS
NZD_TOOLS
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
PKCS11_ECDSA
PKCS11LINKSRCS
PKCS11LINKOBJS
@ -820,13 +819,10 @@ ISC_OPENSSL_LIBS
ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_PLATFORM_WANTAES
OPENSSL_GOST
OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
OPENSSLGOSTLINKSRCS
OPENSSLGOSTLINKOBJS
OPENSSLEDDSALINKSRCS
OPENSSLEDDSALINKOBJS
OPENSSLECDSALINKSRCS
@ -1001,7 +997,6 @@ enable_native_pkcs11
with_openssl
with_pkcs11
with_ecdsa
with_gost
with_eddsa
with_aes
with_cc_alg
@ -1747,7 +1742,6 @@ Optional Packages:
--with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for
the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST [yes|no|raw|asn1].
--with-eddsa Crypto EDDSA [yes|all|no].
--with-aes Crypto AES
--with-cc-alg=ALG choose the algorithm for Client Cookie
@ -16150,7 +16144,7 @@ fi
#
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
# were --with-ecdsa, --with-eddsa, --with-aes specified
#
# Check whether --with-ecdsa was given.
@ -16161,14 +16155,6 @@ else
fi
# Check whether --with-gost was given.
if test "${with_gost+set}" = set; then :
withval=$with_gost; with_gost="$withval"
else
with_gost="auto"
fi
# Check whether --with-eddsa was given.
if test "${with_eddsa+set}" = set; then :
withval=$with_eddsa; with_eddsa="$withval"
@ -16245,26 +16231,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
with_gost="yes"
;;
asn1)
$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
gosttype="asn1"
with_gost="yes"
;;
auto|yes|no)
;;
*)
as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5
;;
esac
case "$use_openssl" in
native_pkcs11)
@ -16277,8 +16244,6 @@ $as_echo "disabled because of native PKCS11" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@ -16295,8 +16260,6 @@ $as_echo "no" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
@ -16308,8 +16271,6 @@ $as_echo "no" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -16663,89 +16624,6 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
$as_echo_n "checking for OpenSSL GOST support... " >&6; }
have_gost=""
case "$use_pkcs11" in
auto|no)
;;
*)
if $use_threads; then
CC="$CC -pthread"
fi
;;
esac
if test "$cross_compiling" = yes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
$as_echo "using --with-gost" >&6; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/conf.h>
#include <openssl/engine.h>
int main() {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
ENGINE *e;
EC_KEY *ek;
ek = NULL;
OPENSSL_config(NULL);
e = ENGINE_by_id("gost");
if (e == NULL)
return (1);
if (ENGINE_init(e) <= 0)
return (1);
return (0);
#else
return (1);
#endif
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
have_gost="yes"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
have_gost="no"
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
case "$with_gost" in
yes)
case "$have_gost" in
no) as_fn_error $? "gost not supported" "$LINENO" 5 ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;;
esac
;;
esac
case $have_gost in
yes)
OPENSSL_GOST="yes"
OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
;;
*)
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
have_ed25519=""
@ -16954,9 +16832,6 @@ esac
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
then
@ -17211,7 +17086,6 @@ esac
PKCS11_ECDSA=""
PKCS11_GOST=""
PKCS11_ED25519=""
set_pk11_flavor="no"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
@ -17240,22 +17114,6 @@ $as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5
$as_echo_n "checking for PKCS11 GOST... " >&6; }
case "$with_gost" in
yes)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
$as_echo "enabled" >&6; }
PKCS11_GOST="yes"
$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
$as_echo "disabled" >&6; }
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
case "$with_eddsa" in
@ -17346,7 +17204,6 @@ esac
if test "X$CRYPTO" = "X"; then
# cat << \EOF
as_fn_error $? "No cryptography library has been found or provided.
@ -26455,9 +26312,6 @@ report() {
fi
echo " Provider library: $PKCS11_PROVIDER"
fi
if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
echo " GOST algorithm support (encoding: $gosttype) (--with-gost)"
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
@ -26526,8 +26380,6 @@ report() {
fi
test "yes" = "$want_native_pkcs11" ||
echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \


@ -1419,13 +1419,10 @@ AC_ARG_WITH(pkcs11,
use_pkcs11="$withval", use_pkcs11="auto")
#
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
# were --with-ecdsa, --with-eddsa, --with-aes specified
#
AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
with_ecdsa="$withval", with_ecdsa="auto")
AC_ARG_WITH(gost,
AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]),
with_gost="$withval", with_gost="auto")
AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
with_eddsa="$withval", with_eddsa="auto")
AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
@ -1486,25 +1483,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
with_gost="yes"
;;
asn1)
AC_DEFINE(PREFER_GOSTASN1, 1,
[Define if GOST private keys are encoded in ASN.1.])
gosttype="asn1"
with_gost="yes"
;;
auto|yes|no)
;;
*)
AC_MSG_ERROR(unknown GOST private key encoding)
;;
esac
case "$use_openssl" in
native_pkcs11)
@ -1516,8 +1495,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider])
@ -1531,8 +1508,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
@ -1544,8 +1519,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
@ -1772,72 +1745,6 @@ int main() {
;;
esac
AC_MSG_CHECKING(for OpenSSL GOST support)
have_gost=""
case "$use_pkcs11" in
auto|no)
;;
*)
if $use_threads; then
CC="$CC -pthread"
fi
;;
esac
AC_TRY_RUN([
#include <openssl/conf.h>
#include <openssl/engine.h>
int main() {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
ENGINE *e;
EC_KEY *ek;
ek = NULL;
OPENSSL_config(NULL);
e = ENGINE_by_id("gost");
if (e == NULL)
return (1);
if (ENGINE_init(e) <= 0)
return (1);
return (0);
#else
return (1);
#endif
}
],
[AC_MSG_RESULT(yes)
have_gost="yes"],
[AC_MSG_RESULT(no)
have_gost="no"],
[AC_MSG_RESULT(using --with-gost)])
case "$with_gost" in
yes)
case "$have_gost" in
no) AC_MSG_ERROR([gost not supported]) ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-gost=[[yes, no, raw or asn1]]]) ;;
esac
;;
esac
case $have_gost in
yes)
OPENSSL_GOST="yes"
OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
AC_DEFINE(HAVE_OPENSSL_GOST, 1,
[Define if your OpenSSL version supports GOST.])
;;
*)
;;
esac
AC_MSG_CHECKING(for OpenSSL Ed25519 support)
have_ed25519=""
have_ed448=""
@ -1984,13 +1891,10 @@ AC_SUBST(OPENSSLECDSALINKOBJS)
AC_SUBST(OPENSSLECDSALINKSRCS)
AC_SUBST(OPENSSLEDDSALINKOBJS)
AC_SUBST(OPENSSLEDDSALINKSRCS)
AC_SUBST(OPENSSLGOSTLINKOBJS)
AC_SUBST(OPENSSLGOSTLINKSRCS)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
AC_SUBST(OPENSSL_ECDSA)
AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@ -2205,7 +2109,6 @@ esac
AC_SUBST(PKCS11_PROVIDER)
PKCS11_ECDSA=""
PKCS11_GOST=""
PKCS11_ED25519=""
set_pk11_flavor="no"
AC_MSG_CHECKING(for native PKCS11)
@ -2228,18 +2131,6 @@ case "$want_native_pkcs11" in
[Define if your PKCS11 provider supports ECDSA.])
;;
esac
AC_MSG_CHECKING(for PKCS11 GOST)
case "$with_gost" in
yes)
AC_MSG_RESULT(enabled)
PKCS11_GOST="yes"
AC_DEFINE(HAVE_PKCS11_GOST, 1,
[Define if your PKCS11 provider supports GOST.])
;;
*)
AC_MSG_RESULT(disabled)
;;
esac
AC_MSG_CHECKING(for PKCS11 Ed25519)
case "$with_eddsa" in
yes|all)
@ -2310,7 +2201,6 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
AC_SUBST(PKCS11_TEST)
@ -5363,9 +5253,6 @@ report() {
fi
echo " Provider library: $PKCS11_PROVIDER"
fi
if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
echo " GOST algorithm support (encoding: $gosttype) (--with-gost)"
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
@ -5434,8 +5321,6 @@ report() {
fi
test "yes" = "$want_native_pkcs11" ||
echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \


@ -114,7 +114,7 @@ $ <userinput>./configure --enable-native-pkcs11 \
</para>
<screen>
$ <userinput> cd SoftHSMv2 </userinput>
$ <userinput> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </userinput>
$ <userinput> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr </userinput>
$ <userinput> make </userinput>
$ <userinput> make install </userinput>
$ <userinput> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </userinput>


@ -67,25 +67,24 @@ or Best Current Practice (BCP) documents. The list is non exhaustive.
RFC5205
RFC5452 [11]
RFC5702
RFC5933 [12]
RFC5936
RFC5952
RFC5966
RFC6052
RFC6147 [13]
RFC6147 [12]
RFC6303
RFC6605 [14]
RFC6605 [13]
RFC6672
RFC6698
RFC6742
RFC6840 [15]
RFC6840 [14]
RFC6844
RFC6891
RFC7043
RFC7314
RFC7477
RFC7793
RFC7830 [16]
RFC7830 [15]
The following DNS related RFC have been obsoleted
@ -137,17 +136,14 @@ everywhere with or without --with-idn.
[11] Named only uses ports to extend the id space, address are not
used.
[12] Conditional on the OpenSSL library being linked against
supporting GOST.
[13] Section 5.5 does not match reality. Named uses the presence
[12] Section 5.5 does not match reality. Named uses the presence
of DO=1 to detect if validation may be occuring. CD has no bearing
on whether validation is occuring or not.
[14] Conditional on the OpenSSL library being linked against
[13] Conditional on the OpenSSL library being linked against
supporting ECDSA.
[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as
it prevents DNSSEC working correctly through another recursive server.
When talking to a recurive server the best algorithm to do is send
@ -156,5 +152,5 @@ server has a bad clock and/or bad trust anchor. Alternatively one
can send CD=1 then CD=0 on validation failure in case the recursive
server is under attack or there is stale / bogus authoritative data.
[16] Named doesn't currently encrypt DNS requests so the PAD option
[15] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.


@ -41,16 +41,15 @@ LIBS = @LIBS@
# Alphabetically
OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
@OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
@OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
opensslrsa_link.@O@
PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
pkcs11gost_link.@O@ pkcs11.@O@
pkcs11.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
@ -86,16 +85,15 @@ OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
# Alphabetically
OPENSSLGOSTLINKSRCS = opensslgost_link.c
OPENSSLECDSALINKSRCS = opensslecdsa_link.c
OPENSSLEDDSALINKSRCS = openssleddsa_link.c
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
@OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
@OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
opensslrsa_link.c
PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
pkcs11ecdsa_link.c pkcs11eddsa_link.c \
pkcs11gost_link.c pkcs11.c
pkcs11.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \


@ -31,10 +31,6 @@
#include <dst/dst.h>
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
#include "dst_gost.h"
#endif
isc_result_t
dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
unsigned int digest_type, unsigned char *buffer,
@ -49,9 +45,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
isc_sha1_t sha1;
isc_sha256_t sha256;
isc_sha384_t sha384;
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
isc_gost_t gost;
#endif
REQUIRE(key != NULL);
REQUIRE(key->type == dns_rdatatype_dnskey);
@ -76,26 +69,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
isc_sha1_final(&sha1, digest);
break;
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
#define RETERR(x) do { \
isc_result_t ret = (x); \
if (ret != ISC_R_SUCCESS) { \
isc_gost_invalidate(&gost); \
return (ret); \
} \
} while (0)
case DNS_DSDIGEST_GOST:
RETERR(isc_gost_init(&gost));
dns_name_toregion(name, &r);
RETERR(isc_gost_update(&gost, r.base, r.length));
dns_rdata_toregion(key, &r);
INSIST(r.length >= 4);
RETERR(isc_gost_update(&gost, r.base, r.length));
RETERR(isc_gost_final(&gost, digest));
break;
#endif
case DNS_DSDIGEST_SHA384:
isc_sha384_init(&sha384);
dns_name_toregion(name, &r);
@ -129,12 +102,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
ds.length = ISC_SHA1_DIGESTLENGTH;
break;
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
case DNS_DSDIGEST_GOST:
ds.length = ISC_GOST_DIGESTLENGTH;
break;
#endif
case DNS_DSDIGEST_SHA384:
ds.length = ISC_SHA384_DIGESTLENGTH;
break;


@ -204,9 +204,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#ifndef PK11_DH_DISABLE
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#endif
#ifdef HAVE_OPENSSL_GOST
RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
#endif
#ifdef HAVE_OPENSSL_ECDSA
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
@ -243,9 +240,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#ifdef HAVE_PKCS11_ED448
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
#ifdef HAVE_PKCS11_GOST
RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
#endif
#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
@ -292,16 +286,9 @@ dst_algorithm_supported(unsigned int alg) {
isc_boolean_t
dst_ds_digest_supported(unsigned int digest_type) {
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
digest_type == DNS_DSDIGEST_SHA256 ||
digest_type == DNS_DSDIGEST_GOST ||
digest_type == DNS_DSDIGEST_SHA384));
#else
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
digest_type == DNS_DSDIGEST_SHA256 ||
digest_type == DNS_DSDIGEST_SHA384));
#endif
}
isc_result_t
@ -1244,9 +1231,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
*n = DNS_SIG_DSASIGSIZE;
break;
#endif
case DST_ALG_ECCGOST:
*n = DNS_SIG_GOSTSIGSIZE;
break;
case DST_ALG_ECDSA256:
*n = DNS_SIG_ECDSA256SIZE;
break;
@ -1598,7 +1582,6 @@ issymmetric(const dst_key_t *key) {
#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
#endif
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:


@ -1,58 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#ifndef DST_GOST_H
#define DST_GOST_H 1
#include <isc/lang.h>
#include <isc/log.h>
#include <dst/result.h>
#define ISC_GOST_DIGESTLENGTH 32U
#ifdef HAVE_OPENSSL_GOST
#include <openssl/evp.h>
typedef struct {
EVP_MD_CTX *ctx;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX _ctx;
#endif
} isc_gost_t;
#endif
#ifdef HAVE_PKCS11_GOST
#include <pk11/pk11.h>
typedef pk11_context_t isc_gost_t;
#endif
ISC_LANG_BEGINDECLS
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
isc_result_t
isc_gost_init(isc_gost_t *ctx);
void
isc_gost_invalidate(isc_gost_t *ctx);
isc_result_t
isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len);
isc_result_t
isc_gost_final(isc_gost_t *ctx, unsigned char *digest);
ISC_LANG_ENDDECLS
#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */
#endif /* DST_GOST_H */


@ -264,12 +264,6 @@ isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
#ifdef HAVE_OPENSSL_GOST
isc_result_t dst__opensslgost_init(struct dst_func **funcp);
#endif
#ifdef HAVE_PKCS11_GOST
isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
#endif
/*%
* Destructors


@ -103,9 +103,6 @@ static struct parse_map map[] = {
{TAG_DSA_PUBLIC, "Public_value(y):"},
#endif
{TAG_GOST_PRIVASN1, "GostAsn1:"},
{TAG_GOST_PRIVRAW, "PrivateKey:"},
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_ECDSA_LABEL, "Label:" },
@ -262,20 +259,6 @@ check_dsa(const dst_private_t *priv, isc_boolean_t external) {
}
#endif
static int
check_gost(const dst_private_t *priv, isc_boolean_t external) {
if (external)
return ((priv->nelements == 0)? 0 : -1);
if (priv->nelements != GOST_NTAGS)
return (-1);
if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) &&
(priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1)))
return (-1);
return (0);
}
static int
check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
int i, j;
@ -408,8 +391,6 @@ check_data(const dst_private_t *priv, const unsigned int alg,
case DST_ALG_NSEC3DSA:
return (check_dsa(priv, external));
#endif
case DST_ALG_ECCGOST:
return (check_gost(priv, external));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
@ -758,9 +739,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_ECCGOST:
fprintf(fp, "(ECC-GOST)\n");
break;
case DST_ALG_ECDSA256:
fprintf(fp, "(ECDSAP256SHA256)\n");
break;


@ -70,10 +70,6 @@
#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
#define GOST_NTAGS 1
#define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
#define TAG_GOST_PRIVRAW ((DST_ALG_ECCGOST << TAG_SHIFT) + 1)
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)


@ -96,8 +96,6 @@
#define DNS_SIG_DSAMINBYTES 213
#define DNS_SIG_DSAMAXBYTES 405
#define DNS_SIG_GOSTSIGSIZE 64
#define DNS_SIG_ECDSA256SIZE 64
#define DNS_SIG_ECDSA384SIZE 96


@ -1,627 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <config.h>
#if HAVE_OPENSSL && HAVE_OPENSSL_GOST
#include <isc/mem.h>
#include <isc/safe.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dst/result.h>
#include "dst_internal.h"
#include "dst_openssl.h"
#include "dst_parse.h"
#include "dst_gost.h"
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/engine.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx))
#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
#endif
static ENGINE *e = NULL;
static const EVP_MD *opensslgost_digest;
extern const EVP_MD *EVP_gost(void);
const EVP_MD *EVP_gost(void) {
return (opensslgost_digest);
}
/* ISC methods */
isc_result_t
isc_gost_init(isc_gost_t *ctx) {
const EVP_MD *md;
int ret;
INSIST(ctx != NULL);
md = EVP_gost();
if (md == NULL)
return (DST_R_CRYPTOFAILURE);
ctx->ctx = EVP_MD_CTX_new();
if (ctx->ctx == NULL)
return (ISC_R_NOMEMORY);
ret = EVP_DigestInit(ctx->ctx, md);
if (ret != 1)
return (DST_R_CRYPTOFAILURE);
return (ISC_R_SUCCESS);
}
void
isc_gost_invalidate(isc_gost_t *ctx) {
EVP_MD_CTX_free(ctx->ctx);
ctx->ctx = NULL;
}
isc_result_t
isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
unsigned int len)
{
int ret;
INSIST(ctx != NULL);
INSIST(ctx->ctx != NULL);
INSIST(data != NULL);
ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len);
if (ret != 1)
return (DST_R_CRYPTOFAILURE);
return (ISC_R_SUCCESS);
}
isc_result_t
isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
int ret;
INSIST(ctx != NULL);
INSIST(ctx->ctx != NULL);
INSIST(digest != NULL);
ret = EVP_DigestFinal(ctx->ctx, digest, NULL);
EVP_MD_CTX_free(ctx->ctx);
ctx->ctx = NULL;
if (ret != 1)
return (DST_R_CRYPTOFAILURE);
return (ISC_R_SUCCESS);
}
/* DST methods */
#define DST_RET(a) {ret = a; goto err;}
static isc_result_t opensslgost_todns(const dst_key_t *key,
isc_buffer_t *data);
static isc_result_t
opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx;
const EVP_MD *md = EVP_gost();
UNUSED(key);
if (md == NULL)
return (DST_R_OPENSSLFAILURE);
evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL)
return (ISC_R_NOMEMORY);
if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
return (ISC_R_FAILURE);
}
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
return (ISC_R_SUCCESS);
}
static void
opensslgost_destroyctx(dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
if (evp_md_ctx != NULL) {
EVP_MD_CTX_destroy(evp_md_ctx);
dctx->ctxdata.evp_md_ctx = NULL;
}
}
static isc_result_t
opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
return (ISC_R_FAILURE);
return (ISC_R_SUCCESS);
}
static isc_result_t
opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
dst_key_t *key = dctx->key;
isc_region_t r;
unsigned int siglen = 0;
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
isc_buffer_availableregion(sig, &r);
if (r.length < (unsigned int) EVP_PKEY_size(pkey))
return (ISC_R_NOSPACE);
if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey))
return (ISC_R_FAILURE);
isc_buffer_add(sig, siglen);
return (ISC_R_SUCCESS);
}
static isc_result_t
opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
dst_key_t *key = dctx->key;
int status = 0;
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
switch (status) {
case 1:
return (ISC_R_SUCCESS);
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default:
return (dst__openssl_toresult3(dctx->category,
"EVP_VerifyFinal",
DST_R_VERIFYFAILURE));
}
}
static isc_boolean_t
opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) {
EVP_PKEY *pkey1, *pkey2;
pkey1 = key1->keydata.pkey;
pkey2 = key2->keydata.pkey;
if (pkey1 == NULL && pkey2 == NULL)
return (ISC_TRUE);
else if (pkey1 == NULL || pkey2 == NULL)
return (ISC_FALSE);
if (EVP_PKEY_cmp(pkey1, pkey2) != 1)
return (ISC_FALSE);
return (ISC_TRUE);
}
static int
progress_cb(EVP_PKEY_CTX *ctx)
{
union {
void *dptr;
void (*fptr)(int);
} u;
int p;
u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
if (u.fptr != NULL)
u.fptr(p);
return (1);
}
static isc_result_t
opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
EVP_PKEY_CTX *ctx;
union {
void *dptr;
void (*fptr)(int);
} u;
EVP_PKEY *pkey = NULL;
isc_result_t ret;
UNUSED(unused);
ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
if (ctx == NULL)
DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
DST_R_OPENSSLFAILURE));
if (callback != NULL) {
u.fptr = callback;
EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
}
if (EVP_PKEY_keygen_init(ctx) <= 0)
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
DST_R_OPENSSLFAILURE));
if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
DST_R_OPENSSLFAILURE));
if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
DST_R_OPENSSLFAILURE));
key->keydata.pkey = pkey;
key->key_size = EVP_PKEY_bits(pkey);
EVP_PKEY_CTX_free(ctx);
return (ISC_R_SUCCESS);
err:
if (pkey != NULL)
EVP_PKEY_free(pkey);
if (ctx != NULL)
EVP_PKEY_CTX_free(ctx);
return (ret);
}
static isc_boolean_t
opensslgost_isprivate(const dst_key_t *key) {
EVP_PKEY *pkey = key->keydata.pkey;
EC_KEY *ec;
INSIST(pkey != NULL);
ec = EVP_PKEY_get0(pkey);
return (ISC_TF(ec != NULL && EC_KEY_get0_private_key(ec) != NULL));
}
static void
opensslgost_destroy(dst_key_t *key) {
EVP_PKEY *pkey = key->keydata.pkey;
EVP_PKEY_free(pkey);
key->keydata.pkey = NULL;
}
static const unsigned char gost_prefix[37] = {
0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07,
0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06,
0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01,
0x03, 0x43, 0x00, 0x04, 0x40
};
static isc_result_t
opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
EVP_PKEY *pkey;
isc_region_t r;
unsigned char der[37 + 64], *p;
int len;
REQUIRE(key->keydata.pkey != NULL);
pkey = key->keydata.pkey;
isc_buffer_availableregion(data, &r);
if (r.length < 64)
return (ISC_R_NOSPACE);
p = der;
len = i2d_PUBKEY(pkey, &p);
INSIST(len == sizeof(der));
INSIST(isc_safe_memequal(gost_prefix, der, 37));
memmove(r.base, der + 37, 64);
isc_buffer_add(data, 64);
return (ISC_R_SUCCESS);
}
static isc_result_t
opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_region_t r;
EVP_PKEY *pkey = NULL;
unsigned char der[37 + 64];
const unsigned char *p;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
return (ISC_R_SUCCESS);
if (r.length != 64)
return (DST_R_INVALIDPUBLICKEY);
memmove(der, gost_prefix, 37);
memmove(der + 37, r.base, 64);
isc_buffer_forward(data, 64);
p = der;
if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL)
return (dst__openssl_toresult2("d2i_PUBKEY",
DST_R_OPENSSLFAILURE));
key->keydata.pkey = pkey;
key->key_size = EVP_PKEY_bits(pkey);
return (ISC_R_SUCCESS);
}
#ifdef PREFER_GOSTASN1
static isc_result_t
opensslgost_tofile(const dst_key_t *key, const char *directory) {
EVP_PKEY *pkey;
dst_private_t priv;
isc_result_t result;
unsigned char *der, *p;
int len;
if (key->keydata.pkey == NULL)
return (DST_R_NULLKEY);
if (key->external) {
priv.nelements = 0;
return (dst__privstruct_writefile(key, &priv, directory));
}
pkey = key->keydata.pkey;
len = i2d_PrivateKey(pkey, NULL);
der = isc_mem_get(key->mctx, (size_t) len);
if (der == NULL)
return (ISC_R_NOMEMORY);
p = der;
if (i2d_PrivateKey(pkey, &p) != len) {
result = dst__openssl_toresult2("i2d_PrivateKey",
DST_R_OPENSSLFAILURE);
goto fail;
}
priv.elements[0].tag = TAG_GOST_PRIVASN1;
priv.elements[0].length = len;
priv.elements[0].data = der;
priv.nelements = 1;
result = dst__privstruct_writefile(key, &priv, directory);
fail:
if (der != NULL)
isc_mem_put(key->mctx, der, (size_t) len);
return (result);
}
#else
static isc_result_t
opensslgost_tofile(const dst_key_t *key, const char *directory) {
EVP_PKEY *pkey;
EC_KEY *eckey;
const BIGNUM *privkey;
dst_private_t priv;
isc_result_t ret;
unsigned char *buf = NULL;
if (key->keydata.pkey == NULL)
return (DST_R_NULLKEY);
if (key->external) {
priv.nelements = 0;
return (dst__privstruct_writefile(key, &priv, directory));
}
pkey = key->keydata.pkey;
eckey = EVP_PKEY_get0(pkey);
if (eckey == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
privkey = EC_KEY_get0_private_key(eckey);
if (privkey == NULL)
return (ISC_R_FAILURE);
buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
if (buf == NULL)
return (ISC_R_NOMEMORY);
priv.elements[0].tag = TAG_GOST_PRIVRAW;
priv.elements[0].length = BN_num_bytes(privkey);
BN_bn2bin(privkey, buf);
priv.elements[0].data = buf;
priv.nelements = 1;
ret = dst__privstruct_writefile(key, &priv, directory);
if (buf != NULL)
isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
return (ret);
}
#endif
static unsigned char gost_dummy_key[71] = {
0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
};
static isc_result_t
opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
isc_mem_t *mctx = key->mctx;
EVP_PKEY *pkey = NULL;
EC_KEY *eckey;
const EC_POINT *pubkey = NULL;
BIGNUM *privkey = NULL;
const unsigned char *p;
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
return (ret);
if (key->external) {
if (priv.nelements != 0)
DST_RET(DST_R_INVALIDPRIVATEKEY);
if (pub == NULL)
DST_RET(DST_R_INVALIDPRIVATEKEY);
key->keydata.pkey = pub->keydata.pkey;
pub->keydata.pkey = NULL;
key->key_size = pub->key_size;
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ISC_R_SUCCESS);
}
INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) ||
(priv.elements[0].tag == TAG_GOST_PRIVRAW));
if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
p = priv.elements[0].data;
if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
(long) priv.elements[0].length) == NULL)
DST_RET(dst__openssl_toresult2(
"d2i_PrivateKey",
DST_R_INVALIDPRIVATEKEY));
} else {
if ((pub != NULL) && (pub->keydata.pkey != NULL)) {
eckey = EVP_PKEY_get0(pub->keydata.pkey);
pubkey = EC_KEY_get0_public_key(eckey);
}
privkey = BN_bin2bn(priv.elements[0].data,
priv.elements[0].length, NULL);
if (privkey == NULL)
DST_RET(ISC_R_NOMEMORY);
/* can't create directly the whole key */
p = gost_dummy_key;
if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
(long) sizeof(gost_dummy_key)) == NULL)
DST_RET(dst__openssl_toresult2(
"d2i_PrivateKey",
DST_R_INVALIDPRIVATEKEY));
eckey = EVP_PKEY_get0(pkey);
if (eckey == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
if (!EC_KEY_set_private_key(eckey, privkey))
DST_RET(ISC_R_NOMEMORY);
/* have to (re)set the public key */
#ifdef notyet
(void) gost2001_compute_public(eckey);
#else
if ((pubkey != NULL) && !EC_KEY_set_public_key(eckey, pubkey))
DST_RET(ISC_R_NOMEMORY);
#endif
BN_clear_free(privkey);
privkey = NULL;
}
key->keydata.pkey = pkey;
key->key_size = EVP_PKEY_bits(pkey);
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ISC_R_SUCCESS);
err:
if (privkey != NULL)
BN_clear_free(privkey);
if (pkey != NULL)
EVP_PKEY_free(pkey);
opensslgost_destroy(key);
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ret);
}
static void
opensslgost_cleanup(void) {
if (e != NULL) {
ENGINE_finish(e);
ENGINE_free(e);
e = NULL;
}
}
static dst_func_t opensslgost_functions = {
opensslgost_createctx,
NULL, /*%< createctx2 */
opensslgost_destroyctx,
opensslgost_adddata,
opensslgost_sign,
opensslgost_verify,
NULL, /*%< verify2 */
NULL, /*%< computesecret */
opensslgost_compare,
NULL, /*%< paramcompare */
opensslgost_generate,
opensslgost_isprivate,
opensslgost_destroy,
opensslgost_todns,
opensslgost_fromdns,
opensslgost_tofile,
opensslgost_parse,
opensslgost_cleanup,
NULL, /*%< fromlabel */
NULL, /*%< dump */
NULL /*%< restore */
};
isc_result_t
dst__opensslgost_init(dst_func_t **funcp) {
isc_result_t ret;
REQUIRE(funcp != NULL);
/* check if the gost engine works properly */
e = ENGINE_by_id("gost");
if (e == NULL)
return (dst__openssl_toresult2("ENGINE_by_id",
DST_R_OPENSSLFAILURE));
if (ENGINE_init(e) <= 0) {
ENGINE_free(e);
e = NULL;
return (dst__openssl_toresult2("ENGINE_init",
DST_R_OPENSSLFAILURE));
}
/* better than to rely on digest_gost symbol */
opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94);
if (opensslgost_digest == NULL)
DST_RET(dst__openssl_toresult2("ENGINE_get_digest",
DST_R_OPENSSLFAILURE));
/* from openssl.cnf */
if (ENGINE_register_pkey_asn1_meths(e) <= 0)
DST_RET(dst__openssl_toresult2(
"ENGINE_register_pkey_asn1_meths",
DST_R_OPENSSLFAILURE));
if (ENGINE_ctrl_cmd_string(e,
"CRYPT_PARAMS",
"id-Gost28147-89-CryptoPro-A-ParamSet",
0) <= 0)
DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string",
DST_R_OPENSSLFAILURE));
if (*funcp == NULL)
*funcp = &opensslgost_functions;
return (ISC_R_SUCCESS);
err:
ENGINE_finish(e);
ENGINE_free(e);
e = NULL;
return (ret);
}
#else /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */
/*! \file */


@ -1,954 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <config.h>
#if HAVE_PKCS11 && defined(HAVE_PKCS11_GOST)
#include <isc/mem.h>
#include <isc/safe.h>
#include <isc/sha2.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dst/result.h>
#include "dst_internal.h"
#include "dst_parse.h"
#include "dst_pkcs11.h"
#include "dst_gost.h"
#include <pk11/pk11.h>
#include <pk11/internal.h>
#define WANT_GOST_PARAMS
#include <pk11/constants.h>
#include <pkcs11/pkcs11.h>
/*
* RU CryptoPro GOST keys:
* mechanisms:
* CKM_GOSTR3411
* CKM_GOSTR3410_WITH_GOSTR3411
* CKM_GOSTR3410_KEY_PAIR_GEN
* domain parameters:
* CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
* CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
* CKA_GOST28147_PARAMS (optional, don't use)
* public keys:
* object class CKO_PUBLIC_KEY
* key type CKK_GOSTR3410
* attribute CKA_VALUE (point Q)
* attribute CKA_GOSTR3410_PARAMS
* attribute CKA_GOSTR3411_PARAMS
* attribute CKA_GOST28147_PARAMS
* private keys:
* object class CKO_PRIVATE_KEY
* key type CKK_GOSTR3410
* attribute CKA_VALUE (big int d)
* attribute CKA_GOSTR3410_PARAMS
* attribute CKA_GOSTR3411_PARAMS
* attribute CKA_GOST28147_PARAMS
* point format: <x> <y> (little endian)
*/
#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
#define ISC_GOST_SIGNATURELENGTH 64
#define ISC_GOST_PUBKEYLENGTH 64
#define ISC_GOST_KEYSIZE 256
/* HASH methods */
isc_result_t
isc_gost_init(isc_gost_t *ctx) {
CK_RV rv;
CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
int ret = ISC_R_SUCCESS;
ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (ret != ISC_R_SUCCESS)
return (ret);
PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
return (ret);
}
void
isc_gost_invalidate(isc_gost_t *ctx) {
CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
CK_ULONG len = ISC_GOST_DIGESTLENGTH;
if (ctx->handle == NULL)
return;
(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
isc_safe_memwipe(garbage, sizeof(garbage));
pk11_return_session(ctx);
}
isc_result_t
isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
CK_RV rv;
CK_BYTE_PTR pPart;
int ret = ISC_R_SUCCESS;
DE_CONST(buf, pPart);
PK11_CALL(pkcs_C_DigestUpdate,
(ctx->session, pPart, (CK_ULONG) len),
ISC_R_FAILURE);
return (ret);
}
isc_result_t
isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
CK_RV rv;
CK_ULONG len = ISC_GOST_DIGESTLENGTH;
int ret = ISC_R_SUCCESS;
PK11_CALL(pkcs_C_DigestFinal,
(ctx->session, (CK_BYTE_PTR) digest, &len),
ISC_R_FAILURE);
pk11_return_session(ctx);
return (ret);
}
/* DST methods */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
#define DST_RET(a) {ret = a; goto err;}
static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
static void pkcs11gost_destroy(dst_key_t *key);
static isc_result_t
pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
CK_RV rv;
CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_GOSTR3410;
CK_ATTRIBUTE keyTemplate[] =
{
{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, 0 },
{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
(CK_ULONG) sizeof(pk11_gost_a_paramset) },
{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
(CK_ULONG) sizeof(pk11_gost_paramset) }
};
CK_ATTRIBUTE *attr;
pk11_object_t *gost;
pk11_context_t *pk11_ctx;
isc_result_t ret;
unsigned int i;
REQUIRE(key != NULL);
gost = key->keydata.pkey;
REQUIRE(gost != NULL);
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
gost->reqlogon, NULL,
pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;
if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
pk11_ctx->ontoken = gost->ontoken;
pk11_ctx->object = gost->object;
goto token_key;
}
for (attr = pk11_attribute_first(gost);
attr != NULL;
attr = pk11_attribute_next(gost, attr))
switch (attr->type) {
case CKA_VALUE2:
INSIST(keyTemplate[6].type == CKA_VALUE);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
if (keyTemplate[6].pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = ISC_FALSE;
PK11_RET(pkcs_C_CreateObject,
(pk11_ctx->session,
keyTemplate, (CK_ULONG) 9,
&pk11_ctx->object),
ISC_R_FAILURE);
token_key:
PK11_RET(pkcs_C_SignInit,
(pk11_ctx->session, &mech, pk11_ctx->object),
ISC_R_FAILURE);
dctx->ctxdata.pk11_ctx = pk11_ctx;
for (i = 6; i <= 6; i++)
if (keyTemplate[i].pValue != NULL) {
isc_safe_memwipe(keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
isc_mem_put(dctx->mctx,
keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
}
return (ISC_R_SUCCESS);
err:
if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
for (i = 6; i <= 6; i++)
if (keyTemplate[i].pValue != NULL) {
isc_safe_memwipe(keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
isc_mem_put(dctx->mctx,
keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
}
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
return (ret);
}
static isc_result_t
pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
CK_RV rv;
CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_GOSTR3410;
CK_ATTRIBUTE keyTemplate[] =
{
{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, 0 },
{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
(CK_ULONG) sizeof(pk11_gost_a_paramset) },
{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
(CK_ULONG) sizeof(pk11_gost_paramset) }
};
CK_ATTRIBUTE *attr;
pk11_object_t *gost;
pk11_context_t *pk11_ctx;
isc_result_t ret;
unsigned int i;
REQUIRE(key != NULL);
gost = key->keydata.pkey;
REQUIRE(gost != NULL);
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
gost->reqlogon, NULL,
pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;
if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
pk11_ctx->ontoken = gost->ontoken;
pk11_ctx->object = gost->object;
goto token_key;
}
for (attr = pk11_attribute_first(gost);
attr != NULL;
attr = pk11_attribute_next(gost, attr))
switch (attr->type) {
case CKA_VALUE:
INSIST(keyTemplate[5].type == attr->type);
keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
if (keyTemplate[5].pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memmove(keyTemplate[5].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[5].ulValueLen = attr->ulValueLen;
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = ISC_FALSE;
PK11_RET(pkcs_C_CreateObject,
(pk11_ctx->session,
keyTemplate, (CK_ULONG) 8,
&pk11_ctx->object),
ISC_R_FAILURE);
token_key:
PK11_RET(pkcs_C_VerifyInit,
(pk11_ctx->session, &mech, pk11_ctx->object),
ISC_R_FAILURE);
dctx->ctxdata.pk11_ctx = pk11_ctx;
for (i = 5; i <= 5; i++)
if (keyTemplate[i].pValue != NULL) {
isc_safe_memwipe(keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
isc_mem_put(dctx->mctx,
keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
}
return (ISC_R_SUCCESS);
err:
if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
for (i = 5; i <= 5; i++)
if (keyTemplate[i].pValue != NULL) {
isc_safe_memwipe(keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
isc_mem_put(dctx->mctx,
keyTemplate[i].pValue,
keyTemplate[i].ulValueLen);
}
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
return (ret);
}
static isc_result_t
pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
if (dctx->use == DO_SIGN)
return (pkcs11gost_createctx_sign(key, dctx));
else
return (pkcs11gost_createctx_verify(key, dctx));
}
static void
pkcs11gost_destroyctx(dst_context_t *dctx) {
pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
if (pk11_ctx != NULL) {
if (!pk11_ctx->ontoken &&
(pk11_ctx->object != CK_INVALID_HANDLE))
(void) pkcs_C_DestroyObject(pk11_ctx->session,
pk11_ctx->object);
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
dctx->ctxdata.pk11_ctx = NULL;
}
}
static isc_result_t
pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
CK_RV rv;
pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
isc_result_t ret = ISC_R_SUCCESS;
if (dctx->use == DO_SIGN)
PK11_CALL(pkcs_C_SignUpdate,
(pk11_ctx->session,
(CK_BYTE_PTR) data->base,
(CK_ULONG) data->length),
ISC_R_FAILURE);
else
PK11_CALL(pkcs_C_VerifyUpdate,
(pk11_ctx->session,
(CK_BYTE_PTR) data->base,
(CK_ULONG) data->length),
ISC_R_FAILURE);
return (ret);
}
static isc_result_t
pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
CK_RV rv;
CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
isc_region_t r;
pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_availableregion(sig, &r);
if (r.length < ISC_GOST_SIGNATURELENGTH)
return (ISC_R_NOSPACE);
PK11_RET(pkcs_C_SignFinal,
(pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
DST_R_SIGNFAILURE);
if (siglen != ISC_GOST_SIGNATURELENGTH)
return (DST_R_SIGNFAILURE);
isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
err:
return (ret);
}
static isc_result_t
pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
CK_RV rv;
pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
isc_result_t ret = ISC_R_SUCCESS;
PK11_CALL(pkcs_C_VerifyFinal,
(pk11_ctx->session,
(CK_BYTE_PTR) sig->base,
(CK_ULONG) sig->length),
DST_R_VERIFYFAILURE);
return (ret);
}
static isc_boolean_t
pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
pk11_object_t *gost1, *gost2;
CK_ATTRIBUTE *attr1, *attr2;
gost1 = key1->keydata.pkey;
gost2 = key2->keydata.pkey;
if ((gost1 == NULL) && (gost2 == NULL))
return (ISC_TRUE);
else if ((gost1 == NULL) || (gost2 == NULL))
return (ISC_FALSE);
attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
if ((attr1 == NULL) && (attr2 == NULL))
return (ISC_TRUE);
else if ((attr1 == NULL) || (attr2 == NULL) ||
(attr1->ulValueLen != attr2->ulValueLen) ||
!isc_safe_memequal(attr1->pValue, attr2->pValue,
attr1->ulValueLen))
return (ISC_FALSE);
attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
if (((attr1 != NULL) || (attr2 != NULL)) &&
((attr1 == NULL) || (attr2 == NULL) ||
(attr1->ulValueLen != attr2->ulValueLen) ||
!isc_safe_memequal(attr1->pValue, attr2->pValue,
attr1->ulValueLen)))
return (ISC_FALSE);
if (!gost1->ontoken && !gost2->ontoken)
return (ISC_TRUE);
else if (gost1->ontoken || gost2->ontoken ||
(gost1->object != gost2->object))
return (ISC_FALSE);
return (ISC_TRUE);
}
static isc_result_t
pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
CK_RV rv;
CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
CK_KEY_TYPE keyType = CKK_GOSTR3410;
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
CK_ATTRIBUTE pubTemplate[] =
{
{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
(CK_ULONG) sizeof(pk11_gost_a_paramset) },
{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
(CK_ULONG) sizeof(pk11_gost_paramset) }
};
CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
CK_ATTRIBUTE privTemplate[] =
{
{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
};
CK_ATTRIBUTE *attr;
pk11_object_t *gost;
pk11_context_t *pk11_ctx;
isc_result_t ret;
UNUSED(unused);
UNUSED(callback);
pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;
PK11_RET(pkcs_C_GenerateKeyPair,
(pk11_ctx->session, &mech,
pubTemplate, (CK_ULONG) 7,
privTemplate, (CK_ULONG) 7,
&pub, &priv),
DST_R_CRYPTOFAILURE);
gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
if (gost == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(gost, 0, sizeof(*gost));
key->keydata.pkey = gost;
key->key_size = ISC_GOST_KEYSIZE;
gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
sizeof(*attr) * 2);
if (gost->repr == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(gost->repr, 0, sizeof(*attr) * 2);
gost->attrcnt = 2;
attr = gost->repr;
attr[0].type = CKA_VALUE;
attr[1].type = CKA_VALUE2;
attr = gost->repr;
PK11_RET(pkcs_C_GetAttributeValue,
(pk11_ctx->session, pub, attr, 1),
DST_R_CRYPTOFAILURE);
attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
if (attr->pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(attr->pValue, 0, attr->ulValueLen);
PK11_RET(pkcs_C_GetAttributeValue,
(pk11_ctx->session, pub, attr, 1),
DST_R_CRYPTOFAILURE);
attr++;
attr->type = CKA_VALUE;
PK11_RET(pkcs_C_GetAttributeValue,
(pk11_ctx->session, priv, attr, 1),
DST_R_CRYPTOFAILURE);
attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
if (attr->pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(attr->pValue, 0, attr->ulValueLen);
PK11_RET(pkcs_C_GetAttributeValue,
(pk11_ctx->session, priv, attr, 1),
DST_R_CRYPTOFAILURE);
attr->type = CKA_VALUE2;
(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
return (ISC_R_SUCCESS);
err:
pkcs11gost_destroy(key);
if (priv != CK_INVALID_HANDLE)
(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
if (pub != CK_INVALID_HANDLE)
(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
return (ret);
}
static isc_boolean_t
pkcs11gost_isprivate(const dst_key_t *key) {
pk11_object_t *gost = key->keydata.pkey;
CK_ATTRIBUTE *attr;
if (gost == NULL)
return (ISC_FALSE);
attr = pk11_attribute_bytype(gost, CKA_VALUE2);
return (ISC_TF((attr != NULL) || gost->ontoken));
}
static void
pkcs11gost_destroy(dst_key_t *key) {
pk11_object_t *gost = key->keydata.pkey;
CK_ATTRIBUTE *attr;
if (gost == NULL)
return;
INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
for (attr = pk11_attribute_first(gost);
attr != NULL;
attr = pk11_attribute_next(gost, attr))
switch (attr->type) {
case CKA_VALUE:
case CKA_VALUE2:
if (attr->pValue != NULL) {
isc_safe_memwipe(attr->pValue,
attr->ulValueLen);
isc_mem_put(key->mctx,
attr->pValue,
attr->ulValueLen);
}
break;
}
if (gost->repr != NULL) {
isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
isc_mem_put(key->mctx,
gost->repr, gost->attrcnt * sizeof(*attr));
}
isc_safe_memwipe(gost, sizeof(*gost));
isc_mem_put(key->mctx, gost, sizeof(*gost));
key->keydata.pkey = NULL;
}
static isc_result_t
pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
pk11_object_t *gost;
isc_region_t r;
CK_ATTRIBUTE *attr;
REQUIRE(key->keydata.pkey != NULL);
gost = key->keydata.pkey;
attr = pk11_attribute_bytype(gost, CKA_VALUE);
if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
return (ISC_R_FAILURE);
isc_buffer_availableregion(data, &r);
if (r.length < ISC_GOST_PUBKEYLENGTH)
return (ISC_R_NOSPACE);
memmove(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
return (ISC_R_SUCCESS);
}
static isc_result_t
pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
pk11_object_t *gost;
isc_region_t r;
CK_ATTRIBUTE *attr;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
return (ISC_R_SUCCESS);
if (r.length != ISC_GOST_PUBKEYLENGTH)
return (DST_R_INVALIDPUBLICKEY);
gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
if (gost == NULL)
return (ISC_R_NOMEMORY);
memset(gost, 0, sizeof(*gost));
gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
if (gost->repr == NULL)
goto nomemory;
gost->attrcnt = 1;
attr = gost->repr;
attr->type = CKA_VALUE;
attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
if (attr->pValue == NULL)
goto nomemory;
memmove((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
key->keydata.pkey = gost;
key->key_size = ISC_GOST_KEYSIZE;
return (ISC_R_SUCCESS);
nomemory:
for (attr = pk11_attribute_first(gost);
attr != NULL;
attr = pk11_attribute_next(gost, attr))
switch (attr->type) {
case CKA_VALUE:
if (attr->pValue != NULL) {
isc_safe_memwipe(attr->pValue,
attr->ulValueLen);
isc_mem_put(key->mctx,
attr->pValue,
attr->ulValueLen);
}
break;
}
if (gost->repr != NULL) {
isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
isc_mem_put(key->mctx,
gost->repr, gost->attrcnt * sizeof(*attr));
}
isc_safe_memwipe(gost, sizeof(*gost));
isc_mem_put(key->mctx, gost, sizeof(*gost));
return (ISC_R_NOMEMORY);
}
static unsigned char gost_private_der[39] = {
0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20
};
#ifdef PREFER_GOSTASN1
static isc_result_t
pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
isc_result_t ret;
pk11_object_t *gost;
dst_private_t priv;
unsigned char *buf = NULL;
unsigned int i = 0;
CK_ATTRIBUTE *attr;
int adj;
if (key->keydata.pkey == NULL)
return (DST_R_NULLKEY);
if (key->external) {
priv.nelements = 0;
return (dst__privstruct_writefile(key, &priv, directory));
}
gost = key->keydata.pkey;
attr = pk11_attribute_bytype(gost, CKA_VALUE2);
if (attr != NULL) {
buf = isc_mem_get(key->mctx, attr->ulValueLen + 39);
if (buf == NULL)
return (ISC_R_NOMEMORY);
priv.elements[i].tag = TAG_GOST_PRIVASN1;
priv.elements[i].length =
(unsigned short) attr->ulValueLen + 39;
memmove(buf, gost_private_der, 39);
memmove(buf + 39, attr->pValue, attr->ulValueLen);
adj = (int) attr->ulValueLen - 32;
if (adj != 0) {
buf[1] += adj;
buf[36] += adj;
buf[38] += adj;
}
priv.elements[i].data = buf;
i++;
} else
return (DST_R_CRYPTOFAILURE);
priv.nelements = i;
ret = dst__privstruct_writefile(key, &priv, directory);
if (buf != NULL) {
isc_safe_memwipe(buf, attr->ulValueLen);
isc_mem_put(key->mctx, buf, attr->ulValueLen);
}
return (ret);
}
#else
static isc_result_t
pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
isc_result_t ret;
pk11_object_t *gost;
dst_private_t priv;
unsigned char *buf = NULL;
unsigned int i = 0;
CK_ATTRIBUTE *attr;
if (key->keydata.pkey == NULL)
return (DST_R_NULLKEY);
if (key->external) {
priv.nelements = 0;
return (dst__privstruct_writefile(key, &priv, directory));
}
gost = key->keydata.pkey;
attr = pk11_attribute_bytype(gost, CKA_VALUE2);
if (attr != NULL) {
buf = isc_mem_get(key->mctx, attr->ulValueLen);
if (buf == NULL)
return (ISC_R_NOMEMORY);
priv.elements[i].tag = TAG_GOST_PRIVRAW;
priv.elements[i].length = (unsigned short) attr->ulValueLen;
memmove(buf, attr->pValue, attr->ulValueLen);
priv.elements[i].data = buf;
i++;
} else
return (DST_R_CRYPTOFAILURE);
priv.nelements = i;
ret = dst__privstruct_writefile(key, &priv, directory);
if (buf != NULL) {
isc_safe_memwipe(buf, attr->ulValueLen);
isc_mem_put(key->mctx, buf, attr->ulValueLen);
}
return (ret);
}
#endif
static isc_result_t
pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
pk11_object_t *gost = NULL;
CK_ATTRIBUTE *attr, *pattr;
isc_mem_t *mctx = key->mctx;
if ((pub == NULL) || (pub->keydata.pkey == NULL))
DST_RET(DST_R_INVALIDPRIVATEKEY);
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
return (ret);
if (key->external) {
if (priv.nelements != 0)
DST_RET(DST_R_INVALIDPRIVATEKEY);
key->keydata.pkey = pub->keydata.pkey;
pub->keydata.pkey = NULL;
key->key_size = pub->key_size;
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ISC_R_SUCCESS);
}
if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
int adj = (int) priv.elements[0].length - (39 + 32);
unsigned char buf[39];
if ((adj > 0) || (adj < -31))
DST_RET(DST_R_INVALIDPRIVATEKEY);
memmove(buf, gost_private_der, 39);
if (adj != 0) {
buf[1] += adj;
buf[36] += adj;
buf[38] += adj;
}
if (!isc_safe_memequal(priv.elements[0].data, buf, 39))
DST_RET(DST_R_INVALIDPRIVATEKEY);
priv.elements[0].tag = TAG_GOST_PRIVRAW;
priv.elements[0].length -= 39;
memmove(priv.elements[0].data,
priv.elements[0].data + 39,
32 + adj);
}
gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
if (gost == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(gost, 0, sizeof(*gost));
key->keydata.pkey = gost;
key->key_size = ISC_GOST_KEYSIZE;
gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
sizeof(*attr) * 2);
if (gost->repr == NULL)
DST_RET(ISC_R_NOMEMORY);
memset(gost->repr, 0, sizeof(*attr) * 2);
gost->attrcnt = 2;
attr = gost->repr;
attr->type = CKA_VALUE;
pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
INSIST(pattr != NULL);
attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
if (attr->pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
attr->ulValueLen = pattr->ulValueLen;
attr++;
attr->type = CKA_VALUE2;
attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
if (attr->pValue == NULL)
DST_RET(ISC_R_NOMEMORY);
memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
attr->ulValueLen = priv.elements[0].length;
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ISC_R_SUCCESS);
err:
pkcs11gost_destroy(key);
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
return (ret);
}
static dst_func_t pkcs11gost_functions = {
pkcs11gost_createctx,
NULL, /*%< createctx2 */
pkcs11gost_destroyctx,
pkcs11gost_adddata,
pkcs11gost_sign,
pkcs11gost_verify,
NULL, /*%< verify2 */
NULL, /*%< computesecret */
pkcs11gost_compare,
NULL, /*%< paramcompare */
pkcs11gost_generate,
pkcs11gost_isprivate,
pkcs11gost_destroy,
pkcs11gost_todns,
pkcs11gost_fromdns,
pkcs11gost_tofile,
pkcs11gost_parse,
NULL, /*%< cleanup */
NULL, /*%< fromlabel */
NULL, /*%< dump */
NULL, /*%< restore */
};
isc_result_t
dst__pkcs11gost_init(dst_func_t **funcp) {
REQUIRE(funcp != NULL);
if (*funcp == NULL)
*funcp = &pkcs11gost_functions;
return (ISC_R_SUCCESS);
}
#else /* HAVE_PKCS11 && HAVE_PKCS11_GOST */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 && HAVE_PKCS11_GOST */
/*! \file */


@ -21,8 +21,6 @@
#include <dns/ds.h>
#include "dst_gost.h"
static inline isc_result_t
fromtext_cds(ARGS_FROMTEXT) {


@ -22,8 +22,6 @@
#include <dns/ds.h>
#include "dst_gost.h"
static inline isc_result_t
fromtext_dlv(ARGS_FROMTEXT) {


@ -23,8 +23,6 @@
#include <dns/ds.h>
#include "dst_gost.h"
static inline isc_result_t
generic_fromtext_ds(ARGS_FROMTEXT) {
isc_token_t token;
@ -72,11 +70,6 @@ generic_fromtext_ds(ARGS_FROMTEXT) {
case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
break;
#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
length = ISC_GOST_DIGESTLENGTH;
break;
#endif
case DNS_DSDIGEST_SHA384:
length = ISC_SHA384_DIGESTLENGTH;
break;
@ -178,10 +171,6 @@ generic_fromwire_ds(ARGS_FROMWIRE) {
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
#ifdef ISC_GOST_DIGESTLENGTH
(sr.base[3] == DNS_DSDIGEST_GOST &&
sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
#endif
(sr.base[3] == DNS_DSDIGEST_SHA384 &&
sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
@ -195,10 +184,6 @@ generic_fromwire_ds(ARGS_FROMWIRE) {
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
#ifdef ISC_GOST_DIGESTLENGTH
else if (sr.base[3] == DNS_DSDIGEST_GOST)
sr.length = 4 + ISC_GOST_DIGESTLENGTH;
#endif
else if (sr.base[3] == DNS_DSDIGEST_SHA384)
sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
@ -262,11 +247,6 @@ generic_fromstruct_ds(ARGS_FROMSTRUCT) {
case DNS_DSDIGEST_SHA256:
REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
break;
#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
break;
#endif
case DNS_DSDIGEST_SHA384:
REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
break;
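Review bot: After this change digest type 3 has no length entry in any of the four places touched here (the switch in generic_fromtext_ds, the short-read check and the length clamp in generic_fromwire_ds, and the REQUIRE switch in generic_fromstruct_ds), so rdata carrying that value now takes whatever path these functions have for an unrecognised digest type. Those fallback paths lie outside the hunks, so it is worth confirming that fromwire still rejects a record with an empty digest and that the default arm in fromstruct does not abort for a caller that still passes the old value. A short comment next to the fromwire check would record that this is deliberate, for example `/* digest type 3 (GOST R 34.11-94) is no longer recognised and is handled as an unknown digest type */`. All three functions begin and end outside the hunks shown.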


@ -12,7 +12,6 @@ tp: dispatch_test
tp: dnstap_test
tp: dst_test
tp: geoip_test
tp: gost_test
tp: keytable_test
tp: master_test
tp: name_test


@ -11,7 +11,6 @@ atf_test_program{name='dispatch_test'}
atf_test_program{name='dnstap_test'}
atf_test_program{name='dst_test'}
atf_test_program{name='geoip_test'}
atf_test_program{name='gost_test'}
atf_test_program{name='keytable_test'}
atf_test_program{name='master_test'}
atf_test_program{name='name_test'}


@ -41,7 +41,6 @@ SRCS = acl_test.c \
dst_test.c \
dnstest.c \
geoip_test.c \
gost_test.c \
keytable_test.c \
master_test.c \
name_test.c \
@ -73,7 +72,6 @@ TARGETS = acl_test@EXEEXT@ \
dnstap_test@EXEEXT@ \
dst_test@EXEEXT@ \
geoip_test@EXEEXT@ \
gost_test@EXEEXT@ \
keytable_test@EXEEXT@ \
master_test@EXEEXT@ \
name_test@EXEEXT@ \
@ -146,11 +144,6 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
gost_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
keytable_test@EXEEXT@: keytable_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
keytable_test.@O@ dnstest.@O@ ${DNSLIBS} \


@ -1,379 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/* ! \file */
#include <config.h>
#include <atf-c.h>
#include <stdio.h>
#include <string.h>
#include <isc/util.h>
#include <isc/print.h>
#include <isc/string.h>
#include "dnstest.h"
#ifdef HAVE_OPENSSL_GOST
#include "../dst_gost.h"
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/engine.h>
#include <openssl/bn.h>
#endif
#ifdef HAVE_PKCS11_GOST
#include "../dst_gost.h"
#include <pk11/internal.h>
#define WANT_GOST_PARAMS
#include <pk11/constants.h>
#include <pkcs11/pkcs11.h>
#endif
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
/*
* Test data from Wikipedia GOST (hash function)
*/
unsigned char digest[ISC_GOST_DIGESTLENGTH];
unsigned char buffer[1024];
const char *s;
char str[2 * ISC_GOST_DIGESTLENGTH + 3];
int i = 0;
/*
* Precondition: a hexadecimal number in *d, the length of that number in len,
* and a pointer to a character array to put the output (*out).
* Postcondition: A String representation of the given hexadecimal number is
* placed into the array *out
*
* 'out' MUST point to an array of at least len * 2 + 1
*
* Return values: ISC_R_SUCCESS if the operation is sucessful
*/
static isc_result_t
tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
char c_ret[] = "AA";
unsigned int j;
out[0] = '\0';
strlcat(out, "0x", out_size);
for (j = 0; j < len; j++) {
snprintf(c_ret, sizeof(c_ret), "%02X", d[j]);
strlcat(out, c_ret, out_size);
}
return (ISC_R_SUCCESS);
}
#define TEST_INPUT(x) (x), sizeof(x)-1
typedef struct hash_testcase {
const char *input;
size_t input_len;
const char *result;
int repeats;
} hash_testcase_t;
ATF_TC(isc_gost_md);
ATF_TC_HEAD(isc_gost_md, tc) {
atf_tc_set_md_var(tc, "descr",
"GOST R 34.11-94 examples from Wikipedia");
}
ATF_TC_BODY(isc_gost_md, tc) {
isc_gost_t gost;
isc_result_t result;
UNUSED(tc);
/*
* These are the various test vectors. All of these are passed
* through the hash function and the results are compared to the
* result specified here.
*/
hash_testcase_t testcases[] = {
/* Test 1 */
{
TEST_INPUT(""),
"0x981E5F3CA30C841487830F84FB433E1"
"3AC1101569B9C13584AC483234CD656C0",
1
},
/* Test 2 */
{
TEST_INPUT("a"),
"0xE74C52DD282183BF37AF0079C9F7805"
"5715A103F17E3133CEFF1AACF2F403011",
1
},
/* Test 3 */
{
TEST_INPUT("abc"),
"0xB285056DBF18D7392D7677369524DD1"
"4747459ED8143997E163B2986F92FD42C",
1
},
/* Test 4 */
{
TEST_INPUT("message digest"),
"0xBC6041DD2AA401EBFA6E9886734174F"
"EBDB4729AA972D60F549AC39B29721BA0",
1
},
/* Test 5 */
{
TEST_INPUT("The quick brown fox jumps "
"over the lazy dog"),
"0x9004294A361A508C586FE53D1F1B027"
"46765E71B765472786E4770D565830A76",
1
},
/* Test 6 */
{
TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
"fghijklmnopqrstuvwxyz0123456789"),
"0x73B70A39497DE53A6E08C67B6D4DB85"
"3540F03E9389299D9B0156EF7E85D0F61",
1
},
/* Test 7 */
{
TEST_INPUT("1234567890123456789012345678901"
"2345678901234567890123456789012"
"345678901234567890"),
"0x6BC7B38989B28CF93AE8842BF9D7529"
"05910A7528A61E5BCE0782DE43E610C90",
1
},
/* Test 8 */
{
TEST_INPUT("This is message, length=32 bytes"),
"0x2CEFC2F7B7BDC514E18EA57FA74FF35"
"7E7FA17D652C75F69CB1BE7893EDE48EB",
1
},
/* Test 9 */
{
TEST_INPUT("Suppose the original message "
"has length = 50 bytes"),
"0xC3730C5CBCCACF915AC292676F21E8B"
"D4EF75331D9405E5F1A61DC3130A65011",
1
},
/* Test 10 */
{
TEST_INPUT("U") /* times 128 */,
"0x1C4AC7614691BBF427FA2316216BE8F"
"10D92EDFD37CD1027514C1008F649C4E8",
128
},
/* Test 11 */
{
TEST_INPUT("a") /* times 1000000 */,
"0x8693287AA62F9478F7CB312EC0866B6"
"C4E4A0F11160441E8F4FFCD2715DD554F",
1000000
},
{ NULL, 0, NULL, 1 }
};
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE(result == ISC_R_SUCCESS);
hash_testcase_t *testcase = testcases;
while (testcase->input != NULL && testcase->result != NULL) {
result = isc_gost_init(&gost);
ATF_REQUIRE(result == ISC_R_SUCCESS);
for(i = 0; i < testcase->repeats; i++) {
result = isc_gost_update(&gost,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
ATF_REQUIRE(result == ISC_R_SUCCESS);
}
result = isc_gost_final(&gost, digest);
ATF_REQUIRE(result == ISC_R_SUCCESS);
tohexstr(digest, ISC_GOST_DIGESTLENGTH, str, sizeof(str));
ATF_CHECK_STREQ(str, testcase->result);
testcase++;
}
dns_test_end();
}
ATF_TC(isc_gost_private);
ATF_TC_HEAD(isc_gost_private, tc) {
atf_tc_set_md_var(tc, "descr", "GOST R 34.10-2001 private key");
}
ATF_TC_BODY(isc_gost_private, tc) {
isc_result_t result;
unsigned char privraw[31] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
};
#ifdef HAVE_OPENSSL_GOST
unsigned char rbuf[32];
unsigned char privasn1[70] = {
0x30, 0x44, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
0x02, 0x1e, 0x01, 0x04, 0x21, 0x02, 0x1f, 0x01,
0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
0x1a, 0x1b, 0x1c, 0x1d, 0x1e
};
unsigned char abuf[71];
unsigned char gost_dummy_key[71] = {
0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
};
EVP_PKEY *pkey;
EC_KEY *eckey;
BIGNUM *privkey;
const BIGNUM *privkey1;
const unsigned char *p;
int len;
unsigned char *q;
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE(result == ISC_R_SUCCESS);
/* raw parse */
privkey = BN_bin2bn(privraw, (int) sizeof(privraw), NULL);
ATF_REQUIRE(privkey != NULL);
p = gost_dummy_key;
pkey = NULL;
ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
(long) sizeof(gost_dummy_key)) != NULL);
ATF_REQUIRE(pkey != NULL);
ATF_REQUIRE(EVP_PKEY_bits(pkey) == 256);
eckey = EVP_PKEY_get0(pkey);
ATF_REQUIRE(eckey != NULL);
ATF_REQUIRE(EC_KEY_set_private_key(eckey, privkey) == 1);
BN_clear_free(privkey);
/* asn1 tofile */
len = i2d_PrivateKey(pkey, NULL);
ATF_REQUIRE(len == 70);
q = abuf;
ATF_REQUIRE(i2d_PrivateKey(pkey, &q) == len);
ATF_REQUIRE(memcmp(abuf, privasn1, len) == 0);
EVP_PKEY_free(pkey);
/* asn1 parse */
p = privasn1;
pkey = NULL;
ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
(long) len) != NULL);
ATF_REQUIRE(pkey != NULL);
eckey = EVP_PKEY_get0(pkey);
ATF_REQUIRE(eckey != NULL);
privkey1 = EC_KEY_get0_private_key(eckey);
len = BN_num_bytes(privkey1);
ATF_REQUIRE(len == 31);
ATF_REQUIRE(BN_bn2bin(privkey1, rbuf) == len);
ATF_REQUIRE(memcmp(rbuf, privraw, len) == 0);
dns_test_end();
#else
CK_BBOOL truevalue = TRUE;
CK_BBOOL falsevalue = FALSE;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_GOSTR3410;
CK_ATTRIBUTE keyTemplate[] =
{
{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, privraw, sizeof(privraw) },
{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
(CK_ULONG) sizeof(pk11_gost_a_paramset) },
{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
(CK_ULONG) sizeof(pk11_gost_paramset) }
};
CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
CK_BYTE sig[64];
CK_ULONG siglen;
pk11_context_t pk11_ctx;
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE(result == ISC_R_SUCCESS);
/* create the private key */
memset(&pk11_ctx, 0, sizeof(pk11_ctx));
ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE,
ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_GOST)) ==
ISC_R_SUCCESS);
pk11_ctx.object = CK_INVALID_HANDLE;
pk11_ctx.ontoken = ISC_FALSE;
ATF_REQUIRE(pkcs_C_CreateObject(pk11_ctx.session, keyTemplate,
(CK_ULONG) 9, &pk11_ctx.object) ==
CKR_OK);
ATF_REQUIRE(pk11_ctx.object != CK_INVALID_HANDLE);
/* sign something */
ATF_REQUIRE(pkcs_C_SignInit(pk11_ctx.session, &mech,
pk11_ctx.object) == CKR_OK);
siglen = 0;
ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
NULL, &siglen) == CKR_OK);
ATF_REQUIRE(siglen == 64);
ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
sig, &siglen) == CKR_OK);
ATF_REQUIRE(siglen == 64);
dns_test_end();
#endif
};
#else
ATF_TC(untested);
ATF_TC_HEAD(untested, tc) {
atf_tc_set_md_var(tc, "descr", "skipping gost test");
}
ATF_TC_BODY(untested, tc) {
UNUSED(tc);
atf_tc_skip("GOST not available");
}
#endif
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
ATF_TP_ADD_TC(tp, isc_gost_md);
ATF_TP_ADD_TC(tp, isc_gost_private);
#else
ATF_TP_ADD_TC(tp, untested);
#endif
return (atf_no_error());
}


@ -312,9 +312,6 @@
<ClCompile Include="..\openssleddsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\opensslgost_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\opensslrsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
@ -335,9 +332,6 @@
<ClCompile Include="..\pkcs11eddsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\pkcs11gost_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\pkcs11rsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
@ -658,9 +652,6 @@
<ClInclude Include="..\include\dst\result.h">
<Filter>Dst Header Files</Filter>
</ClInclude>
<ClInclude Include="..\dst_gost.h">
<Filter>Dst Header Files</Filter>
</ClInclude>
<ClInclude Include="..\dst_internal.h">
<Filter>Dst Header Files</Filter>
</ClInclude>


@ -165,7 +165,6 @@
<ClCompile Include="..\openssldsa_link.c" />
<ClCompile Include="..\opensslecdsa_link.c" />
<ClCompile Include="..\openssleddsa_link.c" />
<ClCompile Include="..\opensslgost_link.c" />
<ClCompile Include="..\opensslrsa_link.c" />
<ClCompile Include="..\openssl_link.c" />
@END OPENSSL
@ -177,7 +176,6 @@
<ClCompile Include="..\pkcs11dsa_link.c" />
<ClCompile Include="..\pkcs11ecdsa_link.c" />
<ClCompile Include="..\pkcs11eddsa_link.c" />
<ClCompile Include="..\pkcs11gost_link.c" />
<ClCompile Include="..\pkcs11rsa_link.c" />
@END PKCS11
<ClCompile Include="..\portlist.c" />
@ -223,7 +221,6 @@
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\code.h" />
<ClInclude Include="..\dst_gost.h" />
<ClInclude Include="..\dst_internal.h" />
@IF OPENSSL
<ClInclude Include="..\dst_openssl.h" />


@ -15,7 +15,6 @@ selected tokens per algorithm:
- DH (secret derivation)
- digest (hash)
- EC (ECDSA, sign/verify)
- GOST (Russian hash and sign/verify)
- AES (encrypt/decrypt)
...and a summary of PKCS#11 tokens that have been found.
@ -56,15 +55,12 @@ may be taken, depending on which algorithms indicate failures:
- EC: you may wish to configure BIND9 without ECDSA support by adding
--without-ecdsa to the "configure" arguments.
- GOST: you SHOULD configure BIND9 without GOST support by adding
--without-gost to the "configure" arguments.
- AES: you MUST reconfigure bind9 without AES support by adding
--without-aes to configure arguments.
You can disable some algorithms (e.g. DSA, DH and MD5) using the
"disable-algorithms" option in named.conf, and some other algorithms can be
disabled at compile time (ECDSA, GOST, AES). Note, however, that disabling
disabled at compile time (ECDSA, AES). Note, however, that disabling
algorithms can have unwanted side effects; for instance, disabling DH breaks
TKEY support.


@ -95,13 +95,4 @@ static CK_BYTE pk11_dh_bn1536[] = {
};
#endif
#ifdef WANT_GOST_PARAMS
static CK_BYTE pk11_gost_a_paramset[] = {
0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
};
static CK_BYTE pk11_gost_paramset[] = {
0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
};
#endif
#endif /* PK11_CONSTANTS_H */


@ -84,7 +84,6 @@ static pk11_token_t *best_dsa_token;
static pk11_token_t *best_dh_token;
static pk11_token_t *digest_token;
static pk11_token_t *best_ec_token;
static pk11_token_t *best_gost_token;
static pk11_token_t *aes_token;
static isc_result_t free_all_sessions(void);
@ -266,8 +265,6 @@ pk11_finalize(void) {
digest_token = NULL;
if (token == best_ec_token)
best_ec_token = NULL;
if (token == best_gost_token)
best_gost_token = NULL;
if (token == aes_token)
aes_token = NULL;
pk11_mem_put(token, sizeof(*token));
@ -852,41 +849,11 @@ scan_slots(void) {
PK11_TRACEM(CKM_ECDSA);
}
if (bad)
goto try_gost;
goto try_eddsa;
token->operations |= 1 << OP_EC;
if (best_ec_token == NULL)
best_ec_token = token;
try_gost:
bad = ISC_FALSE;
/* does GOST require digest too? */
rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
bad = ISC_TRUE;
PK11_TRACEM(CKM_GOSTR3411);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
bad = ISC_TRUE;
PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
}
rv = pkcs_C_GetMechanismInfo(slot,
CKM_GOSTR3410_WITH_GOSTR3411,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
bad = ISC_TRUE;
PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
}
if (bad)
goto try_eddsa;
token->operations |= 1 << OP_GOST;
if (best_gost_token == NULL)
best_gost_token = token;
try_eddsa:
#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
bad = ISC_FALSE;
@ -949,9 +916,6 @@ pk11_get_best_token(pk11_optype_t optype) {
case OP_EC:
token = best_ec_token;
break;
case OP_GOST:
token = best_gost_token;
break;
case OP_AES:
token = aes_token;
break;
@ -1340,7 +1304,6 @@ pk11_dump_tokens(void) {
printf("\tbest_dh_token=%p\n", best_dh_token);
printf("\tdigest_token=%p\n", digest_token);
printf("\tbest_ec_token=%p\n", best_ec_token);
printf("\tbest_gost_token=%p\n", best_gost_token);
printf("\taes_token=%p\n", aes_token);
for (token = ISC_LIST_HEAD(tokens);


@ -1383,14 +1383,6 @@
./bin/tests/system/glue/tests.sh SH 2000,2001,2003,2004,2007,2012,2013,2016,2017,2018
./bin/tests/system/glue/xx.good X 2000,2001,2018
./bin/tests/system/glue/yy.good X 2000,2001,2003,2018
./bin/tests/system/gost/clean.sh SH 2010,2012,2014,2016,2018
./bin/tests/system/gost/ns1/named.conf CONF-C 2010,2016,2018
./bin/tests/system/gost/ns1/root.db.in ZONE 2010,2016,2018
./bin/tests/system/gost/ns1/sign.sh SH 2010,2012,2014,2016,2018
./bin/tests/system/gost/ns2/named.conf CONF-C 2010,2016,2018
./bin/tests/system/gost/prereq.sh SH 2010,2012,2014,2016,2018
./bin/tests/system/gost/setup.sh SH 2010,2012,2014,2016,2017,2018
./bin/tests/system/gost/tests.sh SH 2010,2012,2013,2016,2018
./bin/tests/system/idna/clean.sh SH 2018
./bin/tests/system/idna/ns1/named.conf.in CONF-C 2018
./bin/tests/system/idna/ns1/root.db ZONE 2018
@ -2950,7 +2942,6 @@
./lib/dns/dnstap.proto X 2015,2018
./lib/dns/ds.c C 2002,2003,2004,2005,2006,2007,2010,2012,2014,2016,2018
./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/dst_gost.h C 2014,2016,2018
./lib/dns/dst_internal.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018
./lib/dns/dst_lib.c C 1999,2000,2001,2004,2005,2007,2016,2018
./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018
@ -3096,7 +3087,6 @@
./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/opensslecdsa_link.c C 2012,2013,2014,2015,2016,2017,2018
./lib/dns/openssleddsa_link.c C 2017,2018
./lib/dns/opensslgost_link.c C 2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018
./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
@ -3105,7 +3095,6 @@
./lib/dns/pkcs11dsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11eddsa_link.c C 2017,2018
./lib/dns/pkcs11gost_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/portlist.c C 2003,2004,2005,2006,2007,2014,2016,2018
./lib/dns/private.c C 2009,2011,2012,2015,2016,2017,2018
@ -3313,7 +3302,6 @@
./lib/dns/tests/dnstest.h C 2011,2012,2014,2015,2016,2017,2018
./lib/dns/tests/dst_test.c C 2018
./lib/dns/tests/geoip_test.c C 2013,2014,2015,2016,2017,2018
./lib/dns/tests/gost_test.c C 2014,2015,2016,2017,2018
./lib/dns/tests/keytable_test.c C 2014,2015,2016,2017,2018
./lib/dns/tests/master_test.c C 2011,2012,2013,2015,2016,2017,2018
./lib/dns/tests/mkraw.pl PERL 2011,2012,2016,2018


@ -208,7 +208,6 @@ my @substdefh = ("AES_CC",
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_OPENSSL_EVP_AES",
"HAVE_OPENSSL_GOST",
"HAVE_DH_GET0_KEY",
"HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
@ -217,13 +216,11 @@ my @substdefh = ("AES_CC",
"HAVE_PKCS11_ECDSA",
"HAVE_PKCS11_ED25519",
"HAVE_PKCS11_ED448",
"HAVE_PKCS11_GOST",
"HAVE_READLINE",
"HAVE_ZLIB",
"HMAC_SHA1_CC",
"HMAC_SHA256_CC",
"ISC_LIST_CHECKINIT",
"PREFER_GOSTASN1",
"TUNE_LARGE",
"WANT_QUERYTRACE",
"WITH_IDN");
@ -383,7 +380,6 @@ my @withlist = ("aes",
"extra-tests",
"gssapi",
"geoip",
"gost",
"iconv",
"idn",
"openssl",
@ -440,7 +436,6 @@ my @help = (
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
" with-ecdsa crypto ECDSA\n",
" with-eddsa crypto EDDSA yes|all|no\n",
" with-gost[=ENC] crypto GOST yes|no|raw|ans1\n",
" with-aes crypto AES\n",
" with-cc-alg choose the algorithm for cookies aes|sha1|sha256\n",
" with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n",
@ -488,8 +483,6 @@ my $pkcs11_path = "unknown";
my $use_ecdsa = "auto";
my $use_eddsa = "auto";
my $use_ed448 = "auto";
my $use_gost = "auto";
my $gost_encoding = "raw";
my $use_aes = "auto";
my $cookie_algorithm = "aes";
my $use_gssapi = "no";
@ -787,13 +780,6 @@ sub mywith {
$use_ed448 = "yes";
}
}
} elsif ($key =~ /^gost$/i) {
if ($val =~ /^no$/i) {
$use_gost = "no";
} elsif ($val !~ /^no$/i) {
$use_gost = "yes";
$gost_encoding = $val;
}
} elsif ($key =~ /^aes$/i) {
if ($val =~ /^no$/i) {
$use_aes = "no";
@ -1038,12 +1024,6 @@ if ($verbose) {
print "ed448: enabled\n";
}
}
if ($use_gost eq "no") {
print "gost: disabled\n";
} else {
print "gost: enabled\n";
print "gost private key encoding: $gost_encoding\n";
}
if ($use_aes eq "no") {
print "aes: disabled\n";
} else {
@ -1363,16 +1343,6 @@ if ($enable_native_pkcs11 eq "yes") {
$configdefh{"HAVE_PKCS11_ED448"} = 1;
}
}
if ($use_gost eq "no") {
if ($verbose) {
print "no GOST support in native PKCS#11\n";
}
} else {
if ($verbose) {
print "enabled GOST support in native PKCS#11\n";
}
$configdefh{"HAVE_PKCS11_GOST"} = 1;
}
if ($use_aes eq "no") {
if ($verbose) {
print "no AES support in native PKCS#11\n";
@ -1814,72 +1784,6 @@ if ($use_ed448 ne "no") {
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
}
# with-gost
if ($use_openssl eq "no") {
$use_gost = "no";
}
if ($use_gost eq "auto") {
if ($verbose) {
print "checking for OpenSSL GOST support\n";
}
open F, ">testgost.c" || die $!;
print F << 'EOF';
#include <openssl/conf.h>
#include <openssl/engine.h>
int
main(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
ENGINE *e;
EC_KEY *ek;
ek = NULL;
OPENSSL_config(NULL);
e = ENGINE_by_id("gost");
if (e == NULL)
return (1);
if (ENGINE_init(e) <= 0)
return (1);
return (0);
#else
return (1);
#endif
}
EOF
close F;
my $include = $configinc{"OPENSSL_INC"};
my $library = $configlib{"OPENSSL_LIB"};
$compret = `cl /nologo /MD /I "$include" testgost.c "$library"`;
if (grep { -f and -x } ".\\testgost.exe") {
`.\\testgost.exe`;
if ($? != 0) {
if ($verbose) {
print "GOST test failed: disabling GOST\n";
}
$use_gost = "no";
}
} else {
if ($verbose) {
print "can't compile GOST test: $compret\n";
print "disabling GOST\n";
}
$use_gost = "no";
}
}
if ($use_gost ne "no") {
$use_gost = "yes";
$configdefh{"HAVE_OPENSSL_GOST"} = 1;
}
if ($gost_encoding eq "ans1") {
$configdefh{"PREFER_GOSTASN1"} = 1;
} elsif ($gost_encoding ne "raw") {
die "Unrecognized GOST private key encoding: $gost_encoding\n";
}
# with-aes
if ($use_openssl eq "no") {
if ($use_aes ne "pkcs11") {
@ -3350,7 +3254,6 @@ exit 0;
# --with-pkcs11 supported
# --with-ecdsa supported
# --with-eddsa supported
# --with-gost supported
# --with-aes supported
# --with-cc-alg supported
# --with-randomdev not supported on WIN32 (makes no sense)


@ -73,8 +73,7 @@ Step 1: Download and build OpenSSL
nmake /f ms\ntdll.mak
The "enable-static-engine" option is needed when an OpenSSL engine
will be used -- for example, when using the GOST signing algorithm or
OpenSSL-based PKCS#11 support.
will be used -- for example, when using OpenSSL-based PKCS#11 support.
If you wish to use OpenSSL-based PKCS#11 to control a cryptographic
hardware service module, please see "PKCS#11 (Cryptoki) support" in