diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index dc825d8eda..dd07cdcdff 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -1115,7 +1115,7 @@ usage(void) { program); fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Options:\n" -" -a digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n" +" -a digest algorithm (SHA-1 / SHA-256 / SHA-384)\n" " -c of domain (default IN)\n" " -D prefer CDNSKEY records instead of CDS\n" " -d where to find parent dsset- file\n" diff --git a/bin/dnssec/dnssec-cds.docbook b/bin/dnssec/dnssec-cds.docbook index 9f671a7af6..60f53539e4 100644 --- a/bin/dnssec/dnssec-cds.docbook +++ b/bin/dnssec/dnssec-cds.docbook @@ -144,7 +144,7 @@ The algorithm must be one of SHA-1 - (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These values are case insensitive. If no algorithm is specified, the default is SHA-256. diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index fad4f56fbd..190979d617 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -117,7 +117,7 @@ Select the digest algorithm. The value of must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). + SHA-256 (SHA256) or SHA-384 (SHA384). These values are case insensitive. diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index cb0c9b66d7..1cbaf978e8 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -97,7 +97,7 @@

Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). + SHA-256 (SHA256) or SHA-384 (SHA384). These values are case insensitive.

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 2dc104ab30..3438be443e 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -64,7 +64,7 @@ usage(void) { fprintf(stderr, " -a algorithm: \n" " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n" " NSEC3DSA | NSEC3RSASHA1 |\n" - " RSASHA256 | RSASHA512 | ECCGOST |\n" + " RSASHA256 | RSASHA512 |\n" " ECDSAP256SHA256 | ECDSAP384SHA384\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); @@ -427,7 +427,6 @@ main(int argc, char **argv) { case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: - case DST_ALG_ECCGOST: case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index b3f88b9330..61d9fe0bd7 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -106,7 +106,7 @@ Selects the cryptographic algorithm. The value of must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 9a3a919770..9bb625490d 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -79,7 +79,7 @@ usage(void) { fprintf(stderr, " -a :\n"); fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1" " | NSEC3DSA |\n"); - fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n"); + fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); fprintf(stderr, " ED25519 | ED448 | DH\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 378522d128..66fc1ef828 100644 --- a/bin/dnssec/dnssec-keygen.docbook 
+++ b/bin/dnssec/dnssec-keygen.docbook @@ -123,7 +123,7 @@ Selects the cryptographic algorithm. For DNSSEC keys, the value of must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 5a8208bb84..efa6706daf 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -360,10 +360,6 @@ strtodsdigest(const char *algname) { strcasecmp(algname, "SHA-256") == 0) { return (DNS_DSDIGEST_SHA256); -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - } else if (strcasecmp(algname, "GOST") == 0) { - return (DNS_DSDIGEST_GOST); -#endif } else if (strcasecmp(algname, "SHA384") == 0 || strcasecmp(algname, "SHA-384") == 0) { diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in index 8c5a80f7c1..18a193acd4 100644 --- a/bin/python/isc/dnskey.py.in +++ b/bin/python/isc/dnskey.py.in @@ -32,7 +32,7 @@ class dnskey: _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1', 'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None, - 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256', + 'RSASHA512', None, None, 'ECDSAP256SHA256', 'ECDSAP384SHA384', 'ED25519', 'ED448') def __init__(self, key, directory=None, keyttl=None): diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in index fd6cdf85bc..99fa22ca11 100644 --- a/bin/python/isc/policy.py.in +++ b/bin/python/isc/policy.py.in @@ -71,7 +71,7 @@ class PolicyLex: return t def t_ALGNAME(self, t): - r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' + r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' t.value = t.value.upper() return t 
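Review bot: The `None` that replaces `'ECCGOST'` in `_ALGNAMES` is a positional placeholder for DNSSEC algorithm number 12, and nothing on the line says so; the tuple is indexed by algorithm number (3 = DSA, 7 = NSEC3RSASHA1, 13 = ECDSAP256SHA256, the same numbers the inline/tests.sh hunk uses), so a later reader who collapses the two adjacent `None` entries would shift every name from 13 upward. A comment on that line, `# 12 was ECCGOST (RFC 5933); slot kept so index == algorithm number`, makes the dependency explicit. The `class dnskey` body continues outside the hunk.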
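Review bot: Dropping `ECCGOST` from the `t_ALGNAME` regex means a policy file that still names that algorithm is no longer tokenised as an algorithm name at all, and what the operator then sees depends on how `PolicyLex` reports an unmatched identifier, which is outside this hunk. If that path is a generic syntax error, it would be clearer to keep `ECCGOST` in the lexer pattern and reject it in the `Policy` checks with a message such as `'algorithm ECCGOST is no longer supported'`, so the removal is reported as such rather than looking like a typo; I cannot see the error path from here, so this is worth confirming against the lexer's error handler.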
@@ -139,7 +139,6 @@ class Policy: 'NSEC3RSASHA1': [512, 4096], 'RSASHA256': [1024, 4096], 'RSASHA512': [1024, 4096], - 'ECCGOST': None, 'ECDSAP256SHA256': None, 'ECDSAP384SHA384': None, 'ED25519': None, @@ -278,8 +277,7 @@ class Policy: ('ZSK key size %d not divisible by 64 ' + 'as required for DSA') % self.zsk_keysize - if self.algorithm in ['ECCGOST', \ - 'ECDSAP256SHA256', \ + if self.algorithm in ['ECDSAP256SHA256', \ 'ECDSAP384SHA384', \ 'ED25519', \ 'ED448']: @@ -369,10 +367,6 @@ class dnssec_policy: self.alg_policy['RSASHA512'].algorithm = "RSASHA512" self.alg_policy['RSASHA512'].name = "RSASHA512" - self.alg_policy['ECCGOST'] = copy(p) - self.alg_policy['ECCGOST'].algorithm = "ECCGOST" - self.alg_policy['ECCGOST'].name = "ECCGOST" - self.alg_policy['ECDSAP256SHA256'] = copy(p) self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256" self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256" diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 2d6c9632b6..5518c7918f 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -76,7 +76,7 @@ KRB5_CONFIG=/dev/null # # List of tests hard-coded to use ports 5300 and 9953. For this # reason, these must be run sequentially. -SEQUENTIALDIRS="ecdsa eddsa gost @PKCS11_TEST@ tkey" +SEQUENTIALDIRS="ecdsa eddsa @PKCS11_TEST@ tkey" # List of tests that use ports assigned by caller (other than 5300 # and 9953). Because separate blocks of ports can be used for teach diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32 index 61a020dc67..4da318fca8 100644 --- a/bin/tests/system/conf.sh.win32 +++ b/bin/tests/system/conf.sh.win32 
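Review bot: The rewritten `if self.algorithm in ['ECDSAP256SHA256', \` condition keeps backslash continuations inside a bracketed list; Python already continues lines within `[...]`, so the backslashes add nothing and a backslash followed by trailing whitespace is a syntax error waiting to happen. `if self.algorithm in ['ECDSAP256SHA256', 'ECDSAP384SHA384',` / `                      'ED25519', 'ED448']:` reads the same without them. The enclosing method starts and ends outside the hunk.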
@@ -87,7 +87,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \ database digdelv dlv dlvauto dlz dlzexternal dname \ dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \ ednscompliance emptyzones \ - fetchlimit filter-aaaa formerr forward geoip glue gost idna inline ixfr \ + fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \ keepalive @KEYMGR@ legacy limits logfileconfig masterfile \ masterformat metadata mkeys names notify nslookup nsupdate \ nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \ diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh index e61d8b232a..184efaf725 100644 --- a/bin/tests/system/dsdigest/ns2/sign.sh +++ b/bin/tests/system/dsdigest/ns2/sign.sh @@ -37,7 +37,6 @@ $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 supported=`cat ../supported` case "$supported" in - gost) algo=GOST ;; *) algo=SHA-384 ;; esac diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in index 1bc621561b..04b4a5e93a 100644 --- a/bin/tests/system/dsdigest/ns3/named.conf.in +++ b/bin/tests/system/dsdigest/ns3/named.conf.in @@ -26,7 +26,7 @@ options { dnssec-validation yes; dnssec-must-be-secure . yes; /* only SHA-256 is enabled */ - disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; + disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; }; }; diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in index b5a49597d8..5047a287d3 100644 --- a/bin/tests/system/dsdigest/ns4/named.conf.in +++ b/bin/tests/system/dsdigest/ns4/named.conf.in @@ -25,7 +25,7 @@ options { dnssec-enable yes; dnssec-validation yes; /* only SHA-256 is enabled */ - disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; + disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; }; }; zone "." { diff --git a/bin/tests/system/dsdigest/prereq.sh b/bin/tests/system/dsdigest/prereq.sh index 1febbd5220..fa65139c2c 100644 
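Review bot: After this hunk the `case "$supported" in` statement in ns2/sign.sh has only the `*) algo=SHA-384 ;;` arm, and the prereq.sh hunk on the next line now either exits or writes `ecdsa` to `supported`, so the case and the `supported=` lookup are vestigial. `algo=SHA-384` on its own says the same, and prereq.sh could run `$SHELL ../testcrypto.sh -q ecdsa || { echo_i "This test requires support for ECDSA cryptography." >&2; exit 255; }` without the `ecdsafail` flag. Keep the `supported` file only if another script in the dsdigest test reads it, which this diff does not show.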
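Review bot: Removing `GOST;` from `disable-ds-digests` drops DS digest type 3 from the list rather than replacing it with its number, so the `/* only SHA-256 is enabled */` intent now holds only if the GOST digest implementation is also gone from lib/dns, which this diff does not show (the lib/dns/Makefile.in hunk is cut off at the end of the page). The list already names the unassigned types numerically, so `disable-ds-digests . { SHA-1; SHA-384; 3; 5; 6; 7; 8; 9; };` keeps the test's meaning independent of what the linked crypto library supports; the same applies to the ns4/named.conf.in hunk.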
--- a/bin/tests/system/dsdigest/prereq.sh +++ b/bin/tests/system/dsdigest/prereq.sh @@ -12,17 +12,12 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -gostfail=0 ecdsafail=0 -$SHELL ../testcrypto.sh -q gost || gostfail=1 +ecdsafail=0 $SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1 -if [ $gostfail = 0 -a $ecdsafail = 0 ]; then - echo both > supported -elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then - echo_i "This test requires support for ECDSA or GOST cryptography." >&2 +if [ $ecdsafail = 1 ]; then + echo_i "This test requires support for ECDSA cryptography." >&2 exit 255 -elif [ $gostfail = 0 ]; then - echo gost > supported else echo ecdsa > supported fi diff --git a/bin/tests/system/gost/clean.sh b/bin/tests/system/gost/clean.sh deleted file mode 100644 index 6cfeec2466..0000000000 --- a/bin/tests/system/gost/clean.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -rm -f */K* */dsset-* */*.signed */trusted.conf -rm -f ns1/root.db -rm -f ns1/signer.err -rm -f dig.out* -rm -f */named.run -rm -f */named.memstats -rm -f ns*/named.lock -rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/gost/ns1/named.conf b/bin/tests/system/gost/ns1/named.conf deleted file mode 100644 index 715f7d3f76..0000000000 --- a/bin/tests/system/gost/ns1/named.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS1 - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - dnssec-enable yes; - dnssec-validation yes; -}; - -zone "." { - type master; - file "root.db.signed"; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/gost/ns1/root.db.in b/bin/tests/system/gost/ns1/root.db.in deleted file mode 100644 index e882893e6f..0000000000 --- a/bin/tests/system/gost/ns1/root.db.in +++ /dev/null @@ -1,19 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -. IN SOA marka.isc.org. a.root.servers.nil. ( - 2010121600 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/gost/ns1/sign.sh b/bin/tests/system/gost/ns1/sign.sh deleted file mode 100644 index 5eccd6bdaf..0000000000 --- a/bin/tests/system/gost/ns1/sign.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh - -zone=. -infile=root.db.in -zonefile=root.db - -key1=`$KEYGEN -q -a ECCGOST -n zone $zone` -key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone` -$DSFROMKEY -a gost $key2.key > dsset-gost - -cat $infile $key1.key $key2.key > $zonefile - -$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err - -# Configure the resolving server with a trusted key. - -cat $key1.key | grep -v '^; ' | $PERL -n -e ' -local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; -local $key = join("", @rest); -print < trusted.conf -cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/gost/ns2/named.conf b/bin/tests/system/gost/ns2/named.conf deleted file mode 100644 index 50621a53f1..0000000000 --- a/bin/tests/system/gost/ns2/named.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS2 - -controls { /* empty */ }; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion yes; - notify yes; - dnssec-enable yes; - dnssec-validation yes; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/gost/prereq.sh b/bin/tests/system/gost/prereq.sh deleted file mode 100644 index f5295b7185..0000000000 --- a/bin/tests/system/gost/prereq.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -exec $SHELL ../testcrypto.sh gost diff --git a/bin/tests/system/gost/setup.sh b/bin/tests/system/gost/setup.sh deleted file mode 100644 index f5482e6c38..0000000000 --- a/bin/tests/system/gost/setup.sh +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/sh -e -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -cd ns1 && $SHELL sign.sh diff --git a/bin/tests/system/gost/tests.sh b/bin/tests/system/gost/tests.sh deleted file mode 100644 index 516f0c1350..0000000000 --- a/bin/tests/system/gost/tests.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -status=0 -n=0 - -rm -f dig.out.* - -DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" - -# Check the example. domain - -echo "I:checking that positive validation works ($n)" -ret=0 -$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 -$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I:exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index 7da6af1a15..9b8601c919 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh 
@@ -114,7 +114,7 @@ rm -f ns3/test-?.bk rm -f ns3/test-?.bk.signed rm -f ns3/test-?.bk.signed.jnl rm -f import.key Kimport* -rm -f checkgost checkdsa checkecdsa +rm -f checkdsa checkecdsa rm -f ns3/a-file rm -f ns*/named.lock rm -f dig.out.* diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index 8e6add5d3b..6735e8a415 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -125,20 +125,13 @@ zone=externalkey rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -for alg in ECCGOST ECDSAP256SHA256 NSEC3RSASHA1 DSA +for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA do case $alg in DSA) $SHELL ../checkdsa.sh 2> /dev/null || continue checkfile=../checkdsa touch $checkfile ;; - ECCGOST) - fail=0 - $KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1 - rm -f Ktest* - [ $fail != 0 ] && continue - checkfile=../checkgost - touch $checkfile ;; ECDSAP256SHA256) fail=0 $KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1 diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index ea813d559b..5bff5254f4 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -897,16 +897,14 @@ n=`expr $n + 1` echo_i "testing adding external keys to a inline zone ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n -for alg in 3 7 12 13 +for alg in 3 7 13 do [ $alg = 3 -a ! -f checkdsa ] && continue; - [ $alg = 12 -a ! -f checkgost ] && continue; [ $alg = 13 -a ! -f checkecdsa ] && continue; case $alg in 3) echo_i "checking DSA";; 7) echo_i "checking NSEC3RSASHA1";; - 12) echo_i "checking GOST";; 13) echo_i "checking ECDSAP256SHA256";; *) echo_i "checking $alg";; esac diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index 9fb895cf9f..5ed278512d 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh 
@@ -30,11 +30,6 @@ while test "$#" -gt 0; do alg="-a RSASHA1" msg1="RSA cryptography" ;; - gost|GOST) - alg="-a eccgost" - msg1="GOST cryptography" - msg2="--with-gost" - ;; ecdsa|ECDSA) alg="-a ecdsap256sha256" msg1="ECDSA cryptography" diff --git a/config.h.in b/config.h.in index 1d149f7afd..5c07e18977 100644 --- a/config.h.in +++ b/config.h.in @@ -395,9 +395,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define if your OpenSSL version supports EVP AES */ #undef HAVE_OPENSSL_EVP_AES -/* Define if your OpenSSL version supports GOST. */ -#undef HAVE_OPENSSL_GOST - /* Define if native PKCS#11 is used as cryptographic library provider */ #undef HAVE_PKCS11 @@ -410,9 +407,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define if your PKCS11 provider supports Ed448. */ #undef HAVE_PKCS11_ED448 -/* Define if your PKCS11 provider supports GOST. */ -#undef HAVE_PKCS11_GOST - /* Support for PTHREAD_MUTEX_ADAPTIVE_NP */ #undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP @@ -604,9 +598,6 @@ int sigwait(const unsigned int *set, int *sig); (O_NDELAY/O_NONBLOCK). */ #undef PORT_NONBLOCK -/* Define if GOST private keys are encoded in ASN.1. */ -#undef PREFER_GOSTASN1 - /* The size of `void *', as computed by sizeof. */ #undef SIZEOF_VOID_P diff --git a/config.h.win32 b/config.h.win32 index 87a2dca778..c62b30ecc6 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -327,9 +327,6 @@ typedef __int64 off_t; /* Define if OpenSSL includes Ed448 support */ @HAVE_OPENSSL_ED448@ -/* Define if your OpenSSL version supports GOST. */ -@HAVE_OPENSSL_GOST@ - /* Define if your OpenSSL version supports DH functions. */ @HAVE_DH_GET0_KEY@ @@ -354,12 +351,6 @@ typedef __int64 off_t; /* Define if your PKCS11 provider supports Ed448. */ @HAVE_PKCS11_ED448@ -/* Define if your PKCS11 provider supports GOST. */ -@HAVE_PKCS11_GOST@ - -/* Define if GOST private keys are encoded in ASN.1. */ -@PREFER_GOSTASN1@ - /* Define if OpenSSL is used as cryptographic library provider. */ @HAVE_OPENSSL@ 
diff --git a/configure b/configure index f99d7cf5d7..2115254fde 100755 --- a/configure +++ b/configure @@ -800,7 +800,6 @@ NZDSRCS NZD_TOOLS PKCS11_TEST PKCS11_ED25519 -PKCS11_GOST PKCS11_ECDSA PKCS11LINKSRCS PKCS11LINKOBJS @@ -820,13 +819,10 @@ ISC_OPENSSL_LIBS ISC_OPENSSL_INC ISC_PLATFORM_OPENSSLHASH ISC_PLATFORM_WANTAES -OPENSSL_GOST OPENSSL_ED25519 OPENSSL_ECDSA OPENSSLLINKSRCS OPENSSLLINKOBJS -OPENSSLGOSTLINKSRCS -OPENSSLGOSTLINKOBJS OPENSSLEDDSALINKSRCS OPENSSLEDDSALINKOBJS OPENSSLECDSALINKSRCS @@ -1001,7 +997,6 @@ enable_native_pkcs11 with_openssl with_pkcs11 with_ecdsa -with_gost with_eddsa with_aes with_cc_alg @@ -1747,7 +1742,6 @@ Optional Packages: --with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for the PKCS11 provider) --with-ecdsa Crypto ECDSA - --with-gost Crypto GOST [yes|no|raw|asn1]. --with-eddsa Crypto EDDSA [yes|all|no]. --with-aes Crypto AES --with-cc-alg=ALG choose the algorithm for Client Cookie @@ -16150,7 +16144,7 @@ fi # -# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified +# were --with-ecdsa, --with-eddsa, --with-aes specified # # Check whether --with-ecdsa was given. @@ -16161,14 +16155,6 @@ else fi -# Check whether --with-gost was given. -if test "${with_gost+set}" = set; then : - withval=$with_gost; with_gost="$withval" -else - with_gost="auto" -fi - - # Check whether --with-eddsa was given. if test "${with_eddsa+set}" = set; then : withval=$with_eddsa; with_eddsa="$withval" @@ -16245,26 +16231,7 @@ then done fi OPENSSL_ECDSA="" -OPENSSL_GOST="" OPENSSL_ED25519="" -gosttype="raw" -case "$with_gost" in - raw) - with_gost="yes" - ;; - asn1) - -$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h - - gosttype="asn1" - with_gost="yes" - ;; - auto|yes|no) - ;; - *) - as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5 - ;; -esac case "$use_openssl" in native_pkcs11) 
@@ -16277,8 +16244,6 @@ $as_echo "disabled because of native PKCS11" >&6; } OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -16295,8 +16260,6 @@ $as_echo "no" >&6; } OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" ;; @@ -16308,8 +16271,6 @@ $as_echo "no" >&6; } OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path 
@@ -16663,89 +16624,6 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h ;; esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5 -$as_echo_n "checking for OpenSSL GOST support... " >&6; } - have_gost="" - case "$use_pkcs11" in - auto|no) - ;; - *) - if $use_threads; then - CC="$CC -pthread" - fi - ;; - esac - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5 -$as_echo "using --with-gost" >&6; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#include -int main() { -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) - ENGINE *e; - EC_KEY *ek; - - ek = NULL; - OPENSSL_config(NULL); - - e = ENGINE_by_id("gost"); - if (e == NULL) - return (1); - if (ENGINE_init(e) <= 0) - return (1); - return (0); -#else - return (1); -#endif -} - -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_gost="yes" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_gost="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - case "$with_gost" in - yes) - case "$have_gost" in - no) as_fn_error $? "gost not supported" "$LINENO" 5 ;; - *) have_gost=yes ;; - esac - ;; - no) - have_gost=no ;; - *) - case "$have_gost" in - yes|no) ;; - *) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;; - esac - ;; - esac - case $have_gost in - yes) - OPENSSL_GOST="yes" - OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}' - OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}' - -$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h - - ;; - *) - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5 $as_echo_n "checking for OpenSSL Ed25519 support... " >&6; } have_ed25519="" 
@@ -16954,9 +16832,6 @@ esac - - - ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" then @@ -17211,7 +17086,6 @@ esac PKCS11_ECDSA="" -PKCS11_GOST="" PKCS11_ED25519="" set_pk11_flavor="no" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5 @@ -17240,22 +17114,6 @@ $as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h ;; esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5 -$as_echo_n "checking for PKCS11 GOST... " >&6; } - case "$with_gost" in - yes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 -$as_echo "enabled" >&6; } - PKCS11_GOST="yes" - -$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h - - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5 $as_echo_n "checking for PKCS11 Ed25519... " >&6; } case "$with_eddsa" in @@ -17346,7 +17204,6 @@ esac - if test "X$CRYPTO" = "X"; then # cat << \EOF as_fn_error $? "No cryptography library has been found or provided. @@ -26455,9 +26312,6 @@ report() { fi echo " Provider library: $PKCS11_PROVIDER" fi - if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then - echo " GOST algorithm support (encoding: $gosttype) (--with-gost)" - fi test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \ echo " ECDSA algorithm support (--with-ecdsa)" test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \ @@ -26526,8 +26380,6 @@ report() { fi test "yes" = "$want_native_pkcs11" || echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \ - echo " GOST algorithm support (--with-gost)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \ echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ 
diff --git a/configure.in b/configure.in index 5dd0b2ceb4..3b1bf70270 100644 --- a/configure.in +++ b/configure.in @@ -1419,13 +1419,10 @@ AC_ARG_WITH(pkcs11, use_pkcs11="$withval", use_pkcs11="auto") # -# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified +# were --with-ecdsa, --with-eddsa, --with-aes specified # AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]), with_ecdsa="$withval", with_ecdsa="auto") -AC_ARG_WITH(gost, - AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]), - with_gost="$withval", with_gost="auto") AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]), with_eddsa="$withval", with_eddsa="auto") AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]), @@ -1486,25 +1483,7 @@ then done fi OPENSSL_ECDSA="" -OPENSSL_GOST="" OPENSSL_ED25519="" -gosttype="raw" -case "$with_gost" in - raw) - with_gost="yes" - ;; - asn1) - AC_DEFINE(PREFER_GOSTASN1, 1, - [Define if GOST private keys are encoded in ASN.1.]) - gosttype="asn1" - with_gost="yes" - ;; - auto|yes|no) - ;; - *) - AC_MSG_ERROR(unknown GOST private key encoding) - ;; -esac case "$use_openssl" in native_pkcs11) @@ -1516,8 +1495,6 @@ case "$use_openssl" in OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider]) @@ -1531,8 +1508,6 @@ case "$use_openssl" in OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" ;; @@ -1544,8 +1519,6 @@ case "$use_openssl" in OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRCS="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" AC_MSG_ERROR( 
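Review bot: Deleting the `AC_ARG_WITH(gost, ...)` block means `./configure --with-gost=yes` is no longer rejected; autoconf-generated scripts only warn about unrecognized `--with-*` options by default, so a build recipe that previously required GOST now completes silently without it. If that matters for people upgrading, a stub `AC_ARG_WITH(gost, AS_HELP_STRING([--with-gost], [removed]), AC_MSG_ERROR([GOST support has been removed]))` surfaces the removal at configure time and can be dropped a release later. The generated `configure` hunks on the earlier lines mirror this change and need no separate review.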
@@ -1772,72 +1745,6 @@ int main() { ;; esac - AC_MSG_CHECKING(for OpenSSL GOST support) - have_gost="" - case "$use_pkcs11" in - auto|no) - ;; - *) - if $use_threads; then - CC="$CC -pthread" - fi - ;; - esac - AC_TRY_RUN([ -#include -#include -int main() { -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) - ENGINE *e; - EC_KEY *ek; - - ek = NULL; - OPENSSL_config(NULL); - - e = ENGINE_by_id("gost"); - if (e == NULL) - return (1); - if (ENGINE_init(e) <= 0) - return (1); - return (0); -#else - return (1); -#endif -} -], - [AC_MSG_RESULT(yes) - have_gost="yes"], - [AC_MSG_RESULT(no) - have_gost="no"], - [AC_MSG_RESULT(using --with-gost)]) - case "$with_gost" in - yes) - case "$have_gost" in - no) AC_MSG_ERROR([gost not supported]) ;; - *) have_gost=yes ;; - esac - ;; - no) - have_gost=no ;; - *) - case "$have_gost" in - yes|no) ;; - *) AC_MSG_ERROR([need --with-gost=[[yes, no, raw or asn1]]]) ;; - esac - ;; - esac - case $have_gost in - yes) - OPENSSL_GOST="yes" - OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}' - OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}' - AC_DEFINE(HAVE_OPENSSL_GOST, 1, - [Define if your OpenSSL version supports GOST.]) - ;; - *) - ;; - esac - AC_MSG_CHECKING(for OpenSSL Ed25519 support) have_ed25519="" have_ed448="" @@ -1984,13 +1891,10 @@ AC_SUBST(OPENSSLECDSALINKOBJS) AC_SUBST(OPENSSLECDSALINKSRCS) AC_SUBST(OPENSSLEDDSALINKOBJS) AC_SUBST(OPENSSLEDDSALINKSRCS) -AC_SUBST(OPENSSLGOSTLINKOBJS) -AC_SUBST(OPENSSLGOSTLINKSRCS) AC_SUBST(OPENSSLLINKOBJS) AC_SUBST(OPENSSLLINKSRCS) AC_SUBST(OPENSSL_ECDSA) AC_SUBST(OPENSSL_ED25519) -AC_SUBST(OPENSSL_GOST) ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" @@ -2205,7 +2109,6 @@ esac AC_SUBST(PKCS11_PROVIDER) PKCS11_ECDSA="" -PKCS11_GOST="" PKCS11_ED25519="" set_pk11_flavor="no" AC_MSG_CHECKING(for native PKCS11) 
@@ -2228,18 +2131,6 @@ case "$want_native_pkcs11" in [Define if your PKCS11 provider supports ECDSA.]) ;; esac - AC_MSG_CHECKING(for PKCS11 GOST) - case "$with_gost" in - yes) - AC_MSG_RESULT(enabled) - PKCS11_GOST="yes" - AC_DEFINE(HAVE_PKCS11_GOST, 1, - [Define if your PKCS11 provider supports GOST.]) - ;; - *) - AC_MSG_RESULT(disabled) - ;; - esac AC_MSG_CHECKING(for PKCS11 Ed25519) case "$with_eddsa" in yes|all) @@ -2310,7 +2201,6 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(PKCS11_ECDSA) -AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) AC_SUBST(PKCS11_TEST) @@ -5363,9 +5253,6 @@ report() { fi echo " Provider library: $PKCS11_PROVIDER" fi - if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then - echo " GOST algorithm support (encoding: $gosttype) (--with-gost)" - fi test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \ echo " ECDSA algorithm support (--with-ecdsa)" test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \ @@ -5434,8 +5321,6 @@ report() { fi test "yes" = "$want_native_pkcs11" || echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \ - echo " GOST algorithm support (--with-gost)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \ echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index 973845f10c..b64f953c10 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -114,7 +114,7 @@ $ ./configure --enable-native-pkcs11 \ $ cd SoftHSMv2 -$ configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost +$ configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr $ make $ make install $ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 
diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 0dbc9d4d6d..370f8ca1c6 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -67,25 +67,24 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC5205 RFC5452 [11] RFC5702 - RFC5933 [12] RFC5936 RFC5952 RFC5966 RFC6052 - RFC6147 [13] + RFC6147 [12] RFC6303 - RFC6605 [14] + RFC6605 [13] RFC6672 RFC6698 RFC6742 - RFC6840 [15] + RFC6840 [14] RFC6844 RFC6891 RFC7043 RFC7314 RFC7477 RFC7793 - RFC7830 [16] + RFC7830 [15] The following DNS related RFC have been obsoleted @@ -137,17 +136,14 @@ everywhere with or without --with-idn. [11] Named only uses ports to extend the id space, address are not used. -[12] Conditional on the OpenSSL library being linked against -supporting GOST. - -[13] Section 5.5 does not match reality. Named uses the presence +[12] Section 5.5 does not match reality. Named uses the presence of DO=1 to detect if validation may be occuring. CD has no bearing on whether validation is occuring or not. -[14] Conditional on the OpenSSL library being linked against +[13] Conditional on the OpenSSL library being linked against supporting ECDSA. -[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as +[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as it prevents DNSSEC working correctly through another recursive server. When talking to a recurive server the best algorithm to do is send @@ -156,5 +152,5 @@ server has a bad clock and/or bad trust anchor. Alternatively one can send CD=1 then CD=0 on validation failure in case the recursive server is under attack or there is stale / bogus authoritative data. -[16] Named doesn't currently encrypt DNS requests so the PAD option +[15] Named doesn't currently encrypt DNS requests so the PAD option is accepted but not returned in responses. diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 313c532474..22d2a313ee 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in 
@@ -41,16 +41,15 @@ LIBS = @LIBS@ # Alphabetically -OPENSSLGOSTLINKOBJS = opensslgost_link.@O@ OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@ OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@ OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \ - @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@ + opensslrsa_link.@O@ PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \ pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \ - pkcs11gost_link.@O@ pkcs11.@O@ + pkcs11.@O@ DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ @@ -86,16 +85,15 @@ OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \ # Alphabetically -OPENSSLGOSTLINKSRCS = opensslgost_link.c OPENSSLECDSALINKSRCS = opensslecdsa_link.c OPENSSLEDDSALINKSRCS = openssleddsa_link.c OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \ - @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c + opensslrsa_link.c PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \ pkcs11ecdsa_link.c pkcs11eddsa_link.c \ - pkcs11gost_link.c pkcs11.c + pkcs11.c DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \ dst_api.c dst_lib.c dst_parse.c \ diff --git a/lib/dns/ds.c b/lib/dns/ds.c index d1a507bcc2..05c3f71ab1 100644 --- a/lib/dns/ds.c +++ b/lib/dns/ds.c @@ -31,10 +31,6 @@ #include -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -#include "dst_gost.h" -#endif - isc_result_t dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, unsigned int digest_type, unsigned char *buffer, @@ -49,9 +45,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, isc_sha1_t sha1; isc_sha256_t sha256; isc_sha384_t sha384; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - isc_gost_t gost; -#endif REQUIRE(key != NULL); REQUIRE(key->type == dns_rdatatype_dnskey); 
@@ -76,26 +69,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, isc_sha1_final(&sha1, digest); break; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -#define RETERR(x) do { \ - isc_result_t ret = (x); \ - if (ret != ISC_R_SUCCESS) { \ - isc_gost_invalidate(&gost); \ - return (ret); \ - } \ -} while (0) - - case DNS_DSDIGEST_GOST: - RETERR(isc_gost_init(&gost)); - dns_name_toregion(name, &r); - RETERR(isc_gost_update(&gost, r.base, r.length)); - dns_rdata_toregion(key, &r); - INSIST(r.length >= 4); - RETERR(isc_gost_update(&gost, r.base, r.length)); - RETERR(isc_gost_final(&gost, digest)); - break; -#endif - case DNS_DSDIGEST_SHA384: isc_sha384_init(&sha384); dns_name_toregion(name, &r); @@ -129,12 +102,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, ds.length = ISC_SHA1_DIGESTLENGTH; break; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - case DNS_DSDIGEST_GOST: - ds.length = ISC_GOST_DIGESTLENGTH; - break; -#endif - case DNS_DSDIGEST_SHA384: ds.length = ISC_SHA384_DIGESTLENGTH; break; diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 564c9aa206..7c9eb10657 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -204,9 +204,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #ifndef PK11_DH_DISABLE RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); #endif -#ifdef HAVE_OPENSSL_GOST - RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST])); -#endif #ifdef HAVE_OPENSSL_ECDSA RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); @@ -243,9 +240,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #ifdef HAVE_PKCS11_ED448 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); #endif -#ifdef HAVE_PKCS11_GOST - RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST])); -#endif #endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); 
@@ -292,16 +286,9 @@ dst_algorithm_supported(unsigned int alg) { isc_boolean_t dst_ds_digest_supported(unsigned int digest_type) { -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 || - digest_type == DNS_DSDIGEST_SHA256 || - digest_type == DNS_DSDIGEST_GOST || - digest_type == DNS_DSDIGEST_SHA384)); -#else return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 || digest_type == DNS_DSDIGEST_SHA256 || digest_type == DNS_DSDIGEST_SHA384)); -#endif } isc_result_t @@ -1244,9 +1231,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { *n = DNS_SIG_DSASIGSIZE; break; #endif - case DST_ALG_ECCGOST: - *n = DNS_SIG_GOSTSIGSIZE; - break; case DST_ALG_ECDSA256: *n = DNS_SIG_ECDSA256SIZE; break; @@ -1598,7 +1582,6 @@ issymmetric(const dst_key_t *key) { #ifndef PK11_DH_DISABLE case DST_ALG_DH: #endif - case DST_ALG_ECCGOST: case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: diff --git a/lib/dns/dst_gost.h b/lib/dns/dst_gost.h deleted file mode 100644 index e42c6a1592..0000000000 --- a/lib/dns/dst_gost.h +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef DST_GOST_H -#define DST_GOST_H 1 - -#include -#include -#include - -#define ISC_GOST_DIGESTLENGTH 32U - -#ifdef HAVE_OPENSSL_GOST -#include - -typedef struct { - EVP_MD_CTX *ctx; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_MD_CTX _ctx; -#endif -} isc_gost_t; - -#endif -#ifdef HAVE_PKCS11_GOST -#include - -typedef pk11_context_t isc_gost_t; -#endif - -ISC_LANG_BEGINDECLS - -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - -isc_result_t -isc_gost_init(isc_gost_t *ctx); - -void -isc_gost_invalidate(isc_gost_t *ctx); - -isc_result_t -isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len); - -isc_result_t -isc_gost_final(isc_gost_t *ctx, unsigned char *digest); - -ISC_LANG_ENDDECLS - -#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */ - -#endif /* DST_GOST_H */ diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 534ae744c5..a13d234edd 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -264,12 +264,6 @@ isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); #if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); #endif -#ifdef HAVE_OPENSSL_GOST -isc_result_t dst__opensslgost_init(struct dst_func **funcp); -#endif -#ifdef HAVE_PKCS11_GOST -isc_result_t dst__pkcs11gost_init(struct dst_func **funcp); -#endif /*% * Destructors diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index b0e5c895c6..384df0850e 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c 
@@ -103,9 +103,6 @@ static struct parse_map map[] = { {TAG_DSA_PUBLIC, "Public_value(y):"}, #endif - {TAG_GOST_PRIVASN1, "GostAsn1:"}, - {TAG_GOST_PRIVRAW, "PrivateKey:"}, - {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"}, {TAG_ECDSA_ENGINE, "Engine:" }, {TAG_ECDSA_LABEL, "Label:" }, @@ -262,20 +259,6 @@ check_dsa(const dst_private_t *priv, isc_boolean_t external) { } #endif -static int -check_gost(const dst_private_t *priv, isc_boolean_t external) { - - if (external) - return ((priv->nelements == 0)? 0 : -1); - - if (priv->nelements != GOST_NTAGS) - return (-1); - if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) && - (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1))) - return (-1); - return (0); -} - static int check_ecdsa(const dst_private_t *priv, isc_boolean_t external) { int i, j; @@ -408,8 +391,6 @@ check_data(const dst_private_t *priv, const unsigned int alg, case DST_ALG_NSEC3DSA: return (check_dsa(priv, external)); #endif - case DST_ALG_ECCGOST: - return (check_gost(priv, external)); case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: return (check_ecdsa(priv, external)); @@ -758,9 +739,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, case DST_ALG_RSASHA512: fprintf(fp, "(RSASHA512)\n"); break; - case DST_ALG_ECCGOST: - fprintf(fp, "(ECC-GOST)\n"); - break; case DST_ALG_ECDSA256: fprintf(fp, "(ECDSAP256SHA256)\n"); break; diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h index a2600e1d58..5ec58463a4 100644 --- a/lib/dns/dst_parse.h +++ b/lib/dns/dst_parse.h @@ -70,10 +70,6 @@ #define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3) #define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4) -#define GOST_NTAGS 1 -#define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0) -#define TAG_GOST_PRIVRAW ((DST_ALG_ECCGOST << TAG_SHIFT) + 1) - #define ECDSA_NTAGS 4 #define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0) #define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1) 
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h index ad17261a74..003d63f114 100644 --- a/lib/dns/include/dns/keyvalues.h +++ b/lib/dns/include/dns/keyvalues.h @@ -96,8 +96,6 @@ #define DNS_SIG_DSAMINBYTES 213 #define DNS_SIG_DSAMAXBYTES 405 -#define DNS_SIG_GOSTSIGSIZE 64 - #define DNS_SIG_ECDSA256SIZE 64 #define DNS_SIG_ECDSA384SIZE 96 diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c deleted file mode 100644 index 847106b815..0000000000 --- a/lib/dns/opensslgost_link.c +++ /dev/null 
@@ -1,627 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include - -#if HAVE_OPENSSL && HAVE_OPENSSL_GOST - -#include -#include -#include -#include - -#include - -#include "dst_internal.h" -#include "dst_openssl.h" -#include "dst_parse.h" -#include "dst_gost.h" - -#include -#include -#include -#include - -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx)) -#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -#endif - -static ENGINE *e = NULL; -static const EVP_MD *opensslgost_digest; -extern const EVP_MD *EVP_gost(void); - -const EVP_MD *EVP_gost(void) { - return (opensslgost_digest); -} - -/* ISC methods */ - -isc_result_t -isc_gost_init(isc_gost_t *ctx) { - const EVP_MD *md; - int ret; - - INSIST(ctx != NULL); - - md = EVP_gost(); - if (md == NULL) - return (DST_R_CRYPTOFAILURE); - ctx->ctx = EVP_MD_CTX_new(); - if (ctx->ctx == NULL) - return (ISC_R_NOMEMORY); - ret = EVP_DigestInit(ctx->ctx, md); - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -} - -void -isc_gost_invalidate(isc_gost_t *ctx) { - EVP_MD_CTX_free(ctx->ctx); - ctx->ctx = NULL; -} - -isc_result_t -isc_gost_update(isc_gost_t *ctx, const unsigned char *data, - unsigned int len) -{ - int ret; - - INSIST(ctx != NULL); - INSIST(ctx->ctx != NULL); - INSIST(data != NULL); - - ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len); - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -} - -isc_result_t -isc_gost_final(isc_gost_t *ctx, unsigned char *digest) { - int ret; - - INSIST(ctx != NULL); - 
INSIST(ctx->ctx != NULL); - INSIST(digest != NULL); - - ret = EVP_DigestFinal(ctx->ctx, digest, NULL); - EVP_MD_CTX_free(ctx->ctx); - ctx->ctx = NULL; - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -} - -/* DST methods */ - -#define DST_RET(a) {ret = a; goto err;} - -static isc_result_t opensslgost_todns(const dst_key_t *key, - isc_buffer_t *data); - -static isc_result_t -opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) { - EVP_MD_CTX *evp_md_ctx; - const EVP_MD *md = EVP_gost(); - - UNUSED(key); - - if (md == NULL) - return (DST_R_OPENSSLFAILURE); - - evp_md_ctx = EVP_MD_CTX_create(); - if (evp_md_ctx == NULL) - return (ISC_R_NOMEMORY); - - if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) { - EVP_MD_CTX_destroy(evp_md_ctx); - return (ISC_R_FAILURE); - } - dctx->ctxdata.evp_md_ctx = evp_md_ctx; - - return (ISC_R_SUCCESS); -} - -static void -opensslgost_destroyctx(dst_context_t *dctx) { - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - - if (evp_md_ctx != NULL) { - EVP_MD_CTX_destroy(evp_md_ctx); - dctx->ctxdata.evp_md_ctx = NULL; - } -} - -static isc_result_t -opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) { - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - - if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) - return (ISC_R_FAILURE); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) { - dst_key_t *key = dctx->key; - isc_region_t r; - unsigned int siglen = 0; - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - - isc_buffer_availableregion(sig, &r); - - if (r.length < (unsigned int) EVP_PKEY_size(pkey)) - return (ISC_R_NOSPACE); - - if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) - return (ISC_R_FAILURE); - - isc_buffer_add(sig, siglen); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) { - dst_key_t *key = 
dctx->key; - int status = 0; - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - - status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); - switch (status) { - case 1: - return (ISC_R_SUCCESS); - case 0: - return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); - default: - return (dst__openssl_toresult3(dctx->category, - "EVP_VerifyFinal", - DST_R_VERIFYFAILURE)); - } -} - -static isc_boolean_t -opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY *pkey1, *pkey2; - - pkey1 = key1->keydata.pkey; - pkey2 = key2->keydata.pkey; - - if (pkey1 == NULL && pkey2 == NULL) - return (ISC_TRUE); - else if (pkey1 == NULL || pkey2 == NULL) - return (ISC_FALSE); - - if (EVP_PKEY_cmp(pkey1, pkey2) != 1) - return (ISC_FALSE); - return (ISC_TRUE); -} - -static int -progress_cb(EVP_PKEY_CTX *ctx) -{ - union { - void *dptr; - void (*fptr)(int); - } u; - int p; - - u.dptr = EVP_PKEY_CTX_get_app_data(ctx); - p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - if (u.fptr != NULL) - u.fptr(p); - return (1); -} - -static isc_result_t -opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) { - EVP_PKEY_CTX *ctx; - union { - void *dptr; - void (*fptr)(int); - } u; - EVP_PKEY *pkey = NULL; - isc_result_t ret; - - UNUSED(unused); - ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL); - if (ctx == NULL) - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id", - DST_R_OPENSSLFAILURE)); - if (callback != NULL) { - u.fptr = callback; - EVP_PKEY_CTX_set_app_data(ctx, u.dptr); - EVP_PKEY_CTX_set_cb(ctx, &progress_cb); - } - if (EVP_PKEY_keygen_init(ctx) <= 0) - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init", - DST_R_OPENSSLFAILURE)); - if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) - DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str", - DST_R_OPENSSLFAILURE)); - if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - 
key->keydata.pkey = pkey; - key->key_size = EVP_PKEY_bits(pkey); - EVP_PKEY_CTX_free(ctx); - return (ISC_R_SUCCESS); - -err: - if (pkey != NULL) - EVP_PKEY_free(pkey); - if (ctx != NULL) - EVP_PKEY_CTX_free(ctx); - return (ret); -} - -static isc_boolean_t -opensslgost_isprivate(const dst_key_t *key) { - EVP_PKEY *pkey = key->keydata.pkey; - EC_KEY *ec; - - INSIST(pkey != NULL); - - ec = EVP_PKEY_get0(pkey); - return (ISC_TF(ec != NULL && EC_KEY_get0_private_key(ec) != NULL)); -} - -static void -opensslgost_destroy(dst_key_t *key) { - EVP_PKEY *pkey = key->keydata.pkey; - - EVP_PKEY_free(pkey); - key->keydata.pkey = NULL; -} - -static const unsigned char gost_prefix[37] = { - 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, - 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01, - 0x03, 0x43, 0x00, 0x04, 0x40 -}; - -static isc_result_t -opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) { - EVP_PKEY *pkey; - isc_region_t r; - unsigned char der[37 + 64], *p; - int len; - - REQUIRE(key->keydata.pkey != NULL); - - pkey = key->keydata.pkey; - - isc_buffer_availableregion(data, &r); - if (r.length < 64) - return (ISC_R_NOSPACE); - - p = der; - len = i2d_PUBKEY(pkey, &p); - INSIST(len == sizeof(der)); - INSIST(isc_safe_memequal(gost_prefix, der, 37)); - memmove(r.base, der + 37, 64); - isc_buffer_add(data, 64); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_region_t r; - EVP_PKEY *pkey = NULL; - unsigned char der[37 + 64]; - const unsigned char *p; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - - if (r.length != 64) - return (DST_R_INVALIDPUBLICKEY); - memmove(der, gost_prefix, 37); - memmove(der + 37, r.base, 64); - isc_buffer_forward(data, 64); - - p = der; - if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL) - return 
(dst__openssl_toresult2("d2i_PUBKEY", - DST_R_OPENSSLFAILURE)); - key->keydata.pkey = pkey; - key->key_size = EVP_PKEY_bits(pkey); - - return (ISC_R_SUCCESS); -} - -#ifdef PREFER_GOSTASN1 - -static isc_result_t -opensslgost_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY *pkey; - dst_private_t priv; - isc_result_t result; - unsigned char *der, *p; - int len; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - pkey = key->keydata.pkey; - - len = i2d_PrivateKey(pkey, NULL); - der = isc_mem_get(key->mctx, (size_t) len); - if (der == NULL) - return (ISC_R_NOMEMORY); - - p = der; - if (i2d_PrivateKey(pkey, &p) != len) { - result = dst__openssl_toresult2("i2d_PrivateKey", - DST_R_OPENSSLFAILURE); - goto fail; - } - - priv.elements[0].tag = TAG_GOST_PRIVASN1; - priv.elements[0].length = len; - priv.elements[0].data = der; - priv.nelements = 1; - - result = dst__privstruct_writefile(key, &priv, directory); - fail: - if (der != NULL) - isc_mem_put(key->mctx, der, (size_t) len); - return (result); -} - -#else - -static isc_result_t -opensslgost_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY *pkey; - EC_KEY *eckey; - const BIGNUM *privkey; - dst_private_t priv; - isc_result_t ret; - unsigned char *buf = NULL; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - pkey = key->keydata.pkey; - eckey = EVP_PKEY_get0(pkey); - if (eckey == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - privkey = EC_KEY_get0_private_key(eckey); - if (privkey == NULL) - return (ISC_R_FAILURE); - - buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); - if (buf == NULL) - return (ISC_R_NOMEMORY); - - priv.elements[0].tag = TAG_GOST_PRIVRAW; - priv.elements[0].length = BN_num_bytes(privkey); - 
BN_bn2bin(privkey, buf); - priv.elements[0].data = buf; - priv.nelements = 1; - - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) - isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); - return (ret); -} -#endif - -static unsigned char gost_dummy_key[71] = { - 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06, - 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30, - 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, - 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, - 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b, - 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5, - 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65, - 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63, - 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6 -}; - -static isc_result_t -opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - isc_mem_t *mctx = key->mctx; - EVP_PKEY *pkey = NULL; - EC_KEY *eckey; - const EC_POINT *pubkey = NULL; - BIGNUM *privkey = NULL; - const unsigned char *p; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ISC_R_SUCCESS); - } - - INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) || - (priv.elements[0].tag == TAG_GOST_PRIVRAW)); - - if (priv.elements[0].tag == TAG_GOST_PRIVASN1) { - p = priv.elements[0].data; - if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p, - (long) priv.elements[0].length) == NULL) - DST_RET(dst__openssl_toresult2( - "d2i_PrivateKey", - DST_R_INVALIDPRIVATEKEY)); - } else { - if ((pub != NULL) && (pub->keydata.pkey != NULL)) { - eckey = 
EVP_PKEY_get0(pub->keydata.pkey); - pubkey = EC_KEY_get0_public_key(eckey); - } - - privkey = BN_bin2bn(priv.elements[0].data, - priv.elements[0].length, NULL); - if (privkey == NULL) - DST_RET(ISC_R_NOMEMORY); - - /* can't create directly the whole key */ - p = gost_dummy_key; - if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p, - (long) sizeof(gost_dummy_key)) == NULL) - DST_RET(dst__openssl_toresult2( - "d2i_PrivateKey", - DST_R_INVALIDPRIVATEKEY)); - - eckey = EVP_PKEY_get0(pkey); - if (eckey == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - if (!EC_KEY_set_private_key(eckey, privkey)) - DST_RET(ISC_R_NOMEMORY); - - /* have to (re)set the public key */ -#ifdef notyet - (void) gost2001_compute_public(eckey); -#else - if ((pubkey != NULL) && !EC_KEY_set_public_key(eckey, pubkey)) - DST_RET(ISC_R_NOMEMORY); -#endif - BN_clear_free(privkey); - privkey = NULL; - } - key->keydata.pkey = pkey; - key->key_size = EVP_PKEY_bits(pkey); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ISC_R_SUCCESS); - - err: - if (privkey != NULL) - BN_clear_free(privkey); - if (pkey != NULL) - EVP_PKEY_free(pkey); - opensslgost_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static void -opensslgost_cleanup(void) { - if (e != NULL) { - ENGINE_finish(e); - ENGINE_free(e); - e = NULL; - } -} - -static dst_func_t opensslgost_functions = { - opensslgost_createctx, - NULL, /*%< createctx2 */ - opensslgost_destroyctx, - opensslgost_adddata, - opensslgost_sign, - opensslgost_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - opensslgost_compare, - NULL, /*%< paramcompare */ - opensslgost_generate, - opensslgost_isprivate, - opensslgost_destroy, - opensslgost_todns, - opensslgost_fromdns, - opensslgost_tofile, - opensslgost_parse, - opensslgost_cleanup, - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL /*%< restore */ -}; - -isc_result_t 
-dst__opensslgost_init(dst_func_t **funcp) { - isc_result_t ret; - - REQUIRE(funcp != NULL); - - /* check if the gost engine works properly */ - e = ENGINE_by_id("gost"); - if (e == NULL) - return (dst__openssl_toresult2("ENGINE_by_id", - DST_R_OPENSSLFAILURE)); - if (ENGINE_init(e) <= 0) { - ENGINE_free(e); - e = NULL; - return (dst__openssl_toresult2("ENGINE_init", - DST_R_OPENSSLFAILURE)); - } - /* better than to rely on digest_gost symbol */ - opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94); - if (opensslgost_digest == NULL) - DST_RET(dst__openssl_toresult2("ENGINE_get_digest", - DST_R_OPENSSLFAILURE)); - /* from openssl.cnf */ - if (ENGINE_register_pkey_asn1_meths(e) <= 0) - DST_RET(dst__openssl_toresult2( - "ENGINE_register_pkey_asn1_meths", - DST_R_OPENSSLFAILURE)); - if (ENGINE_ctrl_cmd_string(e, - "CRYPT_PARAMS", - "id-Gost28147-89-CryptoPro-A-ParamSet", - 0) <= 0) - DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string", - DST_R_OPENSSLFAILURE)); - - if (*funcp == NULL) - *funcp = &opensslgost_functions; - return (ISC_R_SUCCESS); - - err: - ENGINE_finish(e); - ENGINE_free(e); - e = NULL; - return (ret); -} - -#else /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_OPENSSL && HAVE_OPENSSL_GOST */ -/*! \file */ diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c deleted file mode 100644 index 48d51067db..0000000000 --- a/lib/dns/pkcs11gost_link.c +++ /dev/null 
@@ -1,954 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include
-
-#if HAVE_PKCS11 && defined(HAVE_PKCS11_GOST)
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-#include "dst_gost.h"
-
-#include
-#include
-#define WANT_GOST_PARAMS
-#include
-
-#include
-
-/*
- * RU CryptoPro GOST keys:
- * mechanisms:
- * CKM_GOSTR3411
- * CKM_GOSTR3410_WITH_GOSTR3411
- * CKM_GOSTR3410_KEY_PAIR_GEN
- * domain parameters:
- * CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
- * CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
- * CKA_GOST28147_PARAMS (optional, don't use)
- * public keys:
- * object class CKO_PUBLIC_KEY
- * key type CKK_GOSTR3410
- * attribute CKA_VALUE (point Q)
- * attribute CKA_GOSTR3410_PARAMS
- * attribute CKA_GOSTR3411_PARAMS
- * attribute CKA_GOST28147_PARAMS
- * private keys:
- * object class CKO_PRIVATE_KEY
- * key type CKK_GOSTR3410
- * attribute CKA_VALUE (big int d)
- * attribute CKA_GOSTR3410_PARAMS
- * attribute CKA_GOSTR3411_PARAMS
- * attribute CKA_GOST28147_PARAMS
- * point format: (little endian)
- */
-
-#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
-
-#define ISC_GOST_SIGNATURELENGTH 64
-#define ISC_GOST_PUBKEYLENGTH 64
-#define ISC_GOST_KEYSIZE 256
-
-/* HASH methods */
-
-isc_result_t
-isc_gost_init(isc_gost_t *ctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
- int ret = ISC_R_SUCCESS;
-
- ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- PK11_CALL(pkcs_C_DigestInit,
(ctx->session, &mech), ISC_R_FAILURE);
- return (ret);
-}
-
-void
-isc_gost_invalidate(isc_gost_t *ctx) {
- CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
- CK_ULONG len = ISC_GOST_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(ctx);
-}
-
-isc_result_t
-isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
- int ret = ISC_R_SUCCESS;
-
- DE_CONST(buf, pPart);
- PK11_CALL(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len),
- ISC_R_FAILURE);
- return (ret);
-}
-
-isc_result_t
-isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_ULONG len = ISC_GOST_DIGESTLENGTH;
- int ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) digest, &len),
- ISC_R_FAILURE);
- pk11_return_session(ctx);
- return (ret);
-}
-
-/* DST methods */
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
-static void pkcs11gost_destroy(dst_key_t *key);
-
-static isc_result_t
-pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, 0 },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key != NULL);
- gost = key->keydata.pkey;
- REQUIRE(gost != NULL);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- gost->reqlogon, NULL,
- pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = gost->ontoken;
- pk11_ctx->object = gost->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE2:
- INSIST(keyTemplate[6].type == CKA_VALUE);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[6].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = ISC_FALSE;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 9,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 6; i <= 6; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 6; i <= 6; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, 0 },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key != NULL);
- gost = key->keydata.pkey;
- REQUIRE(gost != NULL);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- gost->reqlogon, NULL,
- pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = gost->ontoken;
- pk11_ctx->object = gost->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
- if (keyTemplate[5].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = ISC_FALSE;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 8,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_VerifyInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 5; i <= 5; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 5; i <= 5; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
- if (dctx->use == DO_SIGN)
- return (pkcs11gost_createctx_sign(key, dctx));
- else
- return (pkcs11gost_createctx_verify(key, dctx));
-}
-
-static void
-pkcs11gost_destroyctx(dst_context_t *dctx) {
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- if (pk11_ctx != NULL) {
- if (!pk11_ctx->ontoken &&
- (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session,
- pk11_ctx->object);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- if (dctx->use == DO_SIGN)
- PK11_CALL(pkcs_C_SignUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- else
- PK11_CALL(pkcs_C_VerifyUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
- isc_region_t r;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < ISC_GOST_SIGNATURELENGTH)
- return (ISC_R_NOSPACE);
-
- PK11_RET(pkcs_C_SignFinal,
- (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
- DST_R_SIGNFAILURE);
- if (siglen != ISC_GOST_SIGNATURELENGTH)
- return (DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
-
- err:
- return (ret);
-}
-
-static isc_result_t
-pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_VerifyFinal,
- (pk11_ctx->session,
- (CK_BYTE_PTR) sig->base,
- (CK_ULONG) sig->length),
- DST_R_VERIFYFAILURE);
- return (ret);
-}
-
-static isc_boolean_t
-pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *gost1, *gost2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- gost1 = key1->keydata.pkey;
- gost2 = key2->keydata.pkey;
-
- if ((gost1 == NULL) && (gost2 == NULL))
- return (ISC_TRUE);
- else if ((gost1 == NULL) || (gost2 == NULL))
- return (ISC_FALSE);
-
- attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
- attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (ISC_TRUE);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (ISC_FALSE);
-
- attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
- attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- return (ISC_FALSE);
-
- if (!gost1->ontoken && !gost2->ontoken)
- return (ISC_TRUE);
- else if (gost1->ontoken || gost2->ontoken ||
- (gost1->object != gost2->object))
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-static isc_result_t
-pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_ATTRIBUTE pubTemplate[] =
- {
- { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] =
- {
- { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *gost;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
-
- UNUSED(unused);
- UNUSED(callback);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech,
- pubTemplate, (CK_ULONG) 7,
- privTemplate, (CK_ULONG) 7,
- &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
- sizeof(*attr) * 2);
- if (gost->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost->repr, 0, sizeof(*attr) * 2);
- gost->attrcnt = 2;
-
- attr = gost->repr;
- attr[0].type = CKA_VALUE;
- attr[1].type = CKA_VALUE2;
-
- attr = gost->repr;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- attr++;
- attr->type = CKA_VALUE;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->type = CKA_VALUE2;
-
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11gost_destroy(key);
- if (priv != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- if (pub != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_boolean_t
-pkcs11gost_isprivate(const dst_key_t *key) {
- pk11_object_t *gost = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (gost == NULL)
- return (ISC_FALSE);
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- return (ISC_TF((attr != NULL) || gost->ontoken));
-}
-
-static void
-pkcs11gost_destroy(dst_key_t *key) {
- pk11_object_t *gost = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (gost == NULL)
- return;
-
- INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
-
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- case CKA_VALUE2:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (gost->repr != NULL) {
- isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- gost->repr, gost->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(gost, sizeof(*gost));
- isc_mem_put(key->mctx, gost, sizeof(*gost));
- key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *gost;
- isc_region_t r;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE);
- if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
- return (ISC_R_FAILURE);
-
- isc_buffer_availableregion(data, &r);
- if (r.length < ISC_GOST_PUBKEYLENGTH)
- return (ISC_R_NOSPACE);
- memmove(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
- isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *gost;
- isc_region_t r;
- CK_ATTRIBUTE *attr;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
- if (r.length != ISC_GOST_PUBKEYLENGTH)
- return (DST_R_INVALIDPUBLICKEY);
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- return (ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
- if (gost->repr == NULL)
- goto nomemory;
- gost->attrcnt = 1;
-
- attr = gost->repr;
- attr->type = CKA_VALUE;
- attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
- if (attr->pValue == NULL)
- goto nomemory;
- memmove((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
- attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
-
- isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
- return (ISC_R_SUCCESS);
-
- nomemory:
- for (attr = pk11_attribute_first(gost);
- attr != NULL;
- attr = pk11_attribute_next(gost, attr))
- switch (attr->type) {
- case CKA_VALUE:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (gost->repr != NULL) {
- isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- gost->repr, gost->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(gost, sizeof(*gost));
- isc_mem_put(key->mctx, gost, sizeof(*gost));
- return (ISC_R_NOMEMORY);
-}
-
-static unsigned char gost_private_der[39] = {
- 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20
-};
-
-#ifdef PREFER_GOSTASN1
-
-static isc_result_t
-pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *gost;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
- int adj;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen + 39);
- if (buf == NULL)
- return (ISC_R_NOMEMORY);
- priv.elements[i].tag = TAG_GOST_PRIVASN1;
- priv.elements[i].length =
- (unsigned short) attr->ulValueLen + 39;
- memmove(buf, gost_private_der, 39);
- memmove(buf + 39, attr->pValue, attr->ulValueLen);
- adj = (int) attr->ulValueLen - 32;
- if (adj != 0) {
- buf[1] += adj;
- buf[36] += adj;
- buf[38] += adj;
- }
- priv.elements[i].data = buf;
- i++;
- } else
- return (DST_R_CRYPTOFAILURE);
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- isc_safe_memwipe(buf, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-
-#else
-
-static isc_result_t
-pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *gost;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- gost = key->keydata.pkey;
- attr = pk11_attribute_bytype(gost, CKA_VALUE2);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen);
- if (buf == NULL)
- return (ISC_R_NOMEMORY);
- priv.elements[i].tag = TAG_GOST_PRIVRAW;
- priv.elements[i].length = (unsigned short) attr->ulValueLen;
- memmove(buf, attr->pValue, attr->ulValueLen);
- priv.elements[i].data = buf;
- i++;
- } else
- return (DST_R_CRYPTOFAILURE);
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- isc_safe_memwipe(buf, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-#endif
-
-static isc_result_t
-pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- pk11_object_t *gost = NULL;
- CK_ATTRIBUTE *attr, *pattr;
- isc_mem_t *mctx = key->mctx;
-
- if ((pub == NULL) || (pub->keydata.pkey == NULL))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (key->external) {
- if (priv.nelements != 0)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
- int adj = (int) priv.elements[0].length - (39 + 32);
- unsigned char buf[39];
-
- if ((adj > 0) || (adj < -31))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- memmove(buf, gost_private_der, 39);
- if (adj != 0) {
- buf[1] += adj;
- buf[36] += adj;
- buf[38] += adj;
- }
- if (!isc_safe_memequal(priv.elements[0].data, buf, 39))
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- priv.elements[0].tag = TAG_GOST_PRIVRAW;
- priv.elements[0].length -= 39;
- memmove(priv.elements[0].data,
- priv.elements[0].data + 39,
- 32 + adj);
- }
-
- gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
- if (gost == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost, 0, sizeof(*gost));
- key->keydata.pkey = gost;
- key->key_size = ISC_GOST_KEYSIZE;
-
- gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
- sizeof(*attr) * 2);
- if (gost->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(gost->repr, 0, sizeof(*attr) * 2);
- gost->attrcnt = 2;
-
- attr = gost->repr;
- attr->type = CKA_VALUE;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_VALUE2;
- attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
- attr->ulValueLen = priv.elements[0].length;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11gost_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t pkcs11gost_functions = {
- pkcs11gost_createctx,
- NULL, /*%< createctx2 */
- pkcs11gost_destroyctx,
- pkcs11gost_adddata,
- pkcs11gost_sign,
- pkcs11gost_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11gost_compare,
- NULL, /*%< paramcompare */
- pkcs11gost_generate,
- pkcs11gost_isprivate,
- pkcs11gost_destroy,
- pkcs11gost_todns,
- pkcs11gost_fromdns,
- pkcs11gost_tofile,
- pkcs11gost_parse,
- NULL, /*%< cleanup */
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11gost_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &pkcs11gost_functions;
- return (ISC_R_SUCCESS);
-}
-
-#else /* HAVE_PKCS11 &&
HAVE_PKCS11_GOST */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 && HAVE_PKCS11_GOST */ -/*! \file */ diff --git a/lib/dns/rdata/generic/cds_59.c b/lib/dns/rdata/generic/cds_59.c index 6e3fdeb040..496cb95654 100644 --- a/lib/dns/rdata/generic/cds_59.c +++ b/lib/dns/rdata/generic/cds_59.c @@ -21,8 +21,6 @@ #include -#include "dst_gost.h" - static inline isc_result_t fromtext_cds(ARGS_FROMTEXT) { diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c index 01b4308779..604af98e73 100644 --- a/lib/dns/rdata/generic/dlv_32769.c +++ b/lib/dns/rdata/generic/dlv_32769.c @@ -22,8 +22,6 @@ #include -#include "dst_gost.h" - static inline isc_result_t fromtext_dlv(ARGS_FROMTEXT) { diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c index 2da4bdabdf..a6f1328ffb 100644 --- a/lib/dns/rdata/generic/ds_43.c +++ b/lib/dns/rdata/generic/ds_43.c @@ -23,8 +23,6 @@ #include -#include "dst_gost.h" - static inline isc_result_t generic_fromtext_ds(ARGS_FROMTEXT) { isc_token_t token; @@ -72,11 +70,6 @@ generic_fromtext_ds(ARGS_FROMTEXT) { case DNS_DSDIGEST_SHA256: length = ISC_SHA256_DIGESTLENGTH; break; -#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - length = ISC_GOST_DIGESTLENGTH; - break; -#endif case DNS_DSDIGEST_SHA384: length = ISC_SHA384_DIGESTLENGTH; break; @@ -178,10 +171,6 @@ generic_fromwire_ds(ARGS_FROMWIRE) { sr.length < 4 + ISC_SHA1_DIGESTLENGTH) || (sr.base[3] == DNS_DSDIGEST_SHA256 && sr.length < 4 + ISC_SHA256_DIGESTLENGTH) || -#ifdef ISC_GOST_DIGESTLENGTH - (sr.base[3] == DNS_DSDIGEST_GOST && - sr.length < 4 + ISC_GOST_DIGESTLENGTH) || -#endif (sr.base[3] == DNS_DSDIGEST_SHA384 && sr.length < 4 + ISC_SHA384_DIGESTLENGTH)) return (ISC_R_UNEXPECTEDEND); 
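Review bot: A DS record carrying digest type 3 (the former DNS_DSDIGEST_GOST) now reaches the end of the length check in `generic_fromwire_ds` without any digest-length validation, because the deleted `#ifdef ISC_GOST_DIGESTLENGTH` branch was the only place that enforced it and type 3 now takes the same path as any unregistered digest type. That is the expected treatment of an unsupported digest (the record is stored opaque and, presumably, a delegation whose parent publishes only GOST DS records will now validate as insecure rather than secure), but the surviving check reads as if it were exhaustive, so I would make the change visible next to it: `/* Digest type 3 (GOST) is no longer known here; like any unregistered type it is stored opaque with no length check. */`. The same applies to the `generic_fromtext_ds` switch in the previous hunk, where a type-3 digest of any hex length is now accepted. Whatever routine reports supported DS digest types to the validator must also stop listing GOST; I assume that happens elsewhere in this commit but cannot see it from here. Both enclosing functions start and end outside the hunk.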
@@ -195,10 +184,6 @@ generic_fromwire_ds(ARGS_FROMWIRE) { sr.length = 4 + ISC_SHA1_DIGESTLENGTH; else if (sr.base[3] == DNS_DSDIGEST_SHA256) sr.length = 4 + ISC_SHA256_DIGESTLENGTH; -#ifdef ISC_GOST_DIGESTLENGTH - else if (sr.base[3] == DNS_DSDIGEST_GOST) - sr.length = 4 + ISC_GOST_DIGESTLENGTH; -#endif else if (sr.base[3] == DNS_DSDIGEST_SHA384) sr.length = 4 + ISC_SHA384_DIGESTLENGTH; @@ -262,11 +247,6 @@ generic_fromstruct_ds(ARGS_FROMSTRUCT) { case DNS_DSDIGEST_SHA256: REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH); break; -#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH); - break; -#endif case DNS_DSDIGEST_SHA384: REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH); break; diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile index 953082d420..11ccd1e420 100644 --- a/lib/dns/tests/Atffile +++ b/lib/dns/tests/Atffile @@ -12,7 +12,6 @@ tp: dispatch_test tp: dnstap_test tp: dst_test tp: geoip_test -tp: gost_test tp: keytable_test tp: master_test tp: name_test diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile index 0353a73990..fcdfeeb1e6 100644 --- a/lib/dns/tests/Kyuafile +++ b/lib/dns/tests/Kyuafile @@ -11,7 +11,6 @@ atf_test_program{name='dispatch_test'} atf_test_program{name='dnstap_test'} atf_test_program{name='dst_test'} atf_test_program{name='geoip_test'} -atf_test_program{name='gost_test'} atf_test_program{name='keytable_test'} atf_test_program{name='master_test'} atf_test_program{name='name_test'} diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in index 078de59823..ee99c0cd3b 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in @@ -41,7 +41,6 @@ SRCS = acl_test.c \ dst_test.c \ dnstest.c \ geoip_test.c \ - gost_test.c \ keytable_test.c \ master_test.c \ name_test.c \ 
@@ -73,7 +72,6 @@ TARGETS = acl_test@EXEEXT@ \ dnstap_test@EXEEXT@ \ dst_test@EXEEXT@ \ geoip_test@EXEEXT@ \ - gost_test@EXEEXT@ \ keytable_test@EXEEXT@ \ master_test@EXEEXT@ \ name_test@EXEEXT@ \ @@ -146,11 +144,6 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \ ${ISCLIBS} ${LIBS} -gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - gost_test.@O@ dnstest.@O@ ${DNSLIBS} \ - ${ISCLIBS} ${LIBS} - keytable_test@EXEEXT@: keytable_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ keytable_test.@O@ dnstest.@O@ ${DNSLIBS} \ diff --git a/lib/dns/tests/gost_test.c b/lib/dns/tests/gost_test.c deleted file mode 100644 index 1246575af5..0000000000 --- a/lib/dns/tests/gost_test.c +++ /dev/null 
@@ -1,379 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-
-/* ! \file */
-
-#include
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-
-#include "dnstest.h"
-
-#ifdef HAVE_OPENSSL_GOST
-#include "../dst_gost.h"
-#include
-#include
-#include
-#include
-#include
-#endif
-
-#ifdef HAVE_PKCS11_GOST
-#include "../dst_gost.h"
-#include
-#define WANT_GOST_PARAMS
-#include
-#include
-#endif
-
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-/*
- * Test data from Wikipedia GOST (hash function)
- */
-
-unsigned char digest[ISC_GOST_DIGESTLENGTH];
-unsigned char buffer[1024];
-const char *s;
-char str[2 * ISC_GOST_DIGESTLENGTH + 3];
-int i = 0;
-
-/*
- * Precondition: a hexadecimal number in *d, the length of that number in len,
- * and a pointer to a character array to put the output (*out).
- * Postcondition: A String representation of the given hexadecimal number is
- * placed into the array *out
- *
- * 'out' MUST point to an array of at least len * 2 + 1
- *
- * Return values: ISC_R_SUCCESS if the operation is sucessful
- */
-static isc_result_t
-tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
- char c_ret[] = "AA";
- unsigned int j;
-
- out[0] = '\0';
- strlcat(out, "0x", out_size);
- for (j = 0; j < len; j++) {
- snprintf(c_ret, sizeof(c_ret), "%02X", d[j]);
- strlcat(out, c_ret, out_size);
- }
- return (ISC_R_SUCCESS);
-}
-
-
-#define TEST_INPUT(x) (x), sizeof(x)-1
-
-typedef struct hash_testcase {
- const char *input;
- size_t input_len;
- const char *result;
- int repeats;
-} hash_testcase_t;
-
-ATF_TC(isc_gost_md);
-ATF_TC_HEAD(isc_gost_md, tc) {
- atf_tc_set_md_var(tc, "descr",
- "GOST R 34.11-94 examples from Wikipedia");
-}
-ATF_TC_BODY(isc_gost_md, tc) {
- isc_gost_t gost;
- isc_result_t result;
-
- UNUSED(tc);
-
- /*
- * These are the various test vectors. All of these are passed
- * through the hash function and the results are compared to the
- * result specified here.
- */
- hash_testcase_t testcases[] = {
- /* Test 1 */
- {
- TEST_INPUT(""),
- "0x981E5F3CA30C841487830F84FB433E1"
- "3AC1101569B9C13584AC483234CD656C0",
- 1
- },
- /* Test 2 */
- {
- TEST_INPUT("a"),
- "0xE74C52DD282183BF37AF0079C9F7805"
- "5715A103F17E3133CEFF1AACF2F403011",
- 1
- },
- /* Test 3 */
- {
- TEST_INPUT("abc"),
- "0xB285056DBF18D7392D7677369524DD1"
- "4747459ED8143997E163B2986F92FD42C",
- 1
- },
- /* Test 4 */
- {
- TEST_INPUT("message digest"),
- "0xBC6041DD2AA401EBFA6E9886734174F"
- "EBDB4729AA972D60F549AC39B29721BA0",
- 1
- },
- /* Test 5 */
- {
- TEST_INPUT("The quick brown fox jumps "
- "over the lazy dog"),
- "0x9004294A361A508C586FE53D1F1B027"
- "46765E71B765472786E4770D565830A76",
- 1
- },
-
- /* Test 6 */
- {
- TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
- "fghijklmnopqrstuvwxyz0123456789"),
- "0x73B70A39497DE53A6E08C67B6D4DB85"
- "3540F03E9389299D9B0156EF7E85D0F61",
- 1
- },
- /* Test 7 */
- {
- TEST_INPUT("1234567890123456789012345678901"
- "2345678901234567890123456789012"
- "345678901234567890"),
- "0x6BC7B38989B28CF93AE8842BF9D7529"
- "05910A7528A61E5BCE0782DE43E610C90",
- 1
- },
- /* Test 8 */
- {
- TEST_INPUT("This is message, length=32 bytes"),
- "0x2CEFC2F7B7BDC514E18EA57FA74FF35"
- "7E7FA17D652C75F69CB1BE7893EDE48EB",
- 1
- },
- /* Test 9 */
- {
- TEST_INPUT("Suppose the original message "
- "has length = 50 bytes"),
- "0xC3730C5CBCCACF915AC292676F21E8B"
- "D4EF75331D9405E5F1A61DC3130A65011",
- 1
- },
- /* Test 10 */
- {
- TEST_INPUT("U") /* times 128 */,
- "0x1C4AC7614691BBF427FA2316216BE8F"
- "10D92EDFD37CD1027514C1008F649C4E8",
- 128
- },
- /* Test 11 */
- {
- TEST_INPUT("a") /* times 1000000 */,
- "0x8693287AA62F9478F7CB312EC0866B6"
- "C4E4A0F11160441E8F4FFCD2715DD554F",
- 1000000
- },
- { NULL, 0, NULL, 1 }
- };
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- hash_testcase_t *testcase = testcases;
-
- while (testcase->input != NULL && testcase->result != NULL) {
- result = isc_gost_init(&gost);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- for(i = 0; i < testcase->repeats; i++) {
- result = isc_gost_update(&gost,
- (const isc_uint8_t *) testcase->input,
- testcase->input_len);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- }
- result = isc_gost_final(&gost, digest);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
- tohexstr(digest, ISC_GOST_DIGESTLENGTH, str, sizeof(str));
- ATF_CHECK_STREQ(str, testcase->result);
-
- testcase++;
- }
-
- dns_test_end();
-}
-
-ATF_TC(isc_gost_private);
-ATF_TC_HEAD(isc_gost_private, tc) {
- atf_tc_set_md_var(tc, "descr", "GOST R 34.10-2001 private key");
-}
-ATF_TC_BODY(isc_gost_private, tc) {
- isc_result_t result;
- unsigned char privraw[31] = {
- 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
- 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
- 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
- 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
- };
-#ifdef HAVE_OPENSSL_GOST
- unsigned char rbuf[32];
- unsigned char privasn1[70] = {
- 0x30, 0x44, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x21, 0x02, 0x1f, 0x01,
- 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
- 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
- 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
- 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
- };
- unsigned char abuf[71];
- unsigned char gost_dummy_key[71] = {
- 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
- 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
- 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
- 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
- 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
- 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
- 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
- 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
- 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
- };
- EVP_PKEY *pkey;
- EC_KEY *eckey;
- BIGNUM *privkey;
- const BIGNUM *privkey1;
- const unsigned char *p;
- int len;
- unsigned char *q;
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- /* raw parse */
- privkey = BN_bin2bn(privraw, (int) sizeof(privraw), NULL);
- ATF_REQUIRE(privkey != NULL);
- p = gost_dummy_key;
- pkey = NULL;
- ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) sizeof(gost_dummy_key)) != NULL);
- ATF_REQUIRE(pkey != NULL);
- ATF_REQUIRE(EVP_PKEY_bits(pkey) == 256);
- eckey = EVP_PKEY_get0(pkey);
- ATF_REQUIRE(eckey != NULL);
- ATF_REQUIRE(EC_KEY_set_private_key(eckey, privkey) == 1);
- BN_clear_free(privkey);
-
- /* asn1 tofile */
- len = i2d_PrivateKey(pkey, NULL);
- ATF_REQUIRE(len == 70);
- q = abuf;
- ATF_REQUIRE(i2d_PrivateKey(pkey, &q) == len);
- ATF_REQUIRE(memcmp(abuf, privasn1, len) == 0);
- EVP_PKEY_free(pkey);
-
- /* asn1 parse */
- p = privasn1;
- pkey = NULL;
- ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) len) != NULL);
- ATF_REQUIRE(pkey != NULL);
- eckey = EVP_PKEY_get0(pkey);
- ATF_REQUIRE(eckey != NULL);
- privkey1 = EC_KEY_get0_private_key(eckey);
- len = BN_num_bytes(privkey1);
- ATF_REQUIRE(len == 31);
- ATF_REQUIRE(BN_bn2bin(privkey1, rbuf) == len);
- ATF_REQUIRE(memcmp(rbuf, privraw, len) == 0);
-
- dns_test_end();
-#else
- CK_BBOOL truevalue = TRUE;
- CK_BBOOL falsevalue = FALSE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_GOSTR3410;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, privraw, sizeof(privraw) },
- { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
- (CK_ULONG) sizeof(pk11_gost_a_paramset) },
- { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
- (CK_ULONG) sizeof(pk11_gost_paramset) }
- };
- CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
- CK_BYTE sig[64];
- CK_ULONG siglen;
- pk11_context_t pk11_ctx;
-
- result = dns_test_begin(NULL, ISC_FALSE);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
- /* create the private key */
- memset(&pk11_ctx, 0, sizeof(pk11_ctx));
- ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE,
- ISC_FALSE, ISC_FALSE, NULL,
- pk11_get_best_token(OP_GOST)) ==
- ISC_R_SUCCESS);
- pk11_ctx.object = CK_INVALID_HANDLE;
- pk11_ctx.ontoken = ISC_FALSE;
- ATF_REQUIRE(pkcs_C_CreateObject(pk11_ctx.session, keyTemplate,
- (CK_ULONG) 9, &pk11_ctx.object) ==
- CKR_OK);
- ATF_REQUIRE(pk11_ctx.object != CK_INVALID_HANDLE);
-
- /* sign something */
- ATF_REQUIRE(pkcs_C_SignInit(pk11_ctx.session, &mech,
- pk11_ctx.object) == CKR_OK);
- siglen = 0;
- ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
- NULL, &siglen) == CKR_OK);
- ATF_REQUIRE(siglen == 64);
- ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
- sig, &siglen) == CKR_OK);
- ATF_REQUIRE(siglen == 64);
-
- dns_test_end();
-#endif
-};
-#else
-ATF_TC(untested);
-ATF_TC_HEAD(untested, tc) {
- atf_tc_set_md_var(tc, "descr", "skipping gost test");
-}
-ATF_TC_BODY(untested, tc) {
- UNUSED(tc);
- atf_tc_skip("GOST not available");
-}
-#endif
-/*
- * Main
- */
-ATF_TP_ADD_TCS(tp) {
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- ATF_TP_ADD_TC(tp, isc_gost_md);
- ATF_TP_ADD_TC(tp, isc_gost_private);
-#else
- ATF_TP_ADD_TC(tp, untested);
-#endif
- return (atf_no_error());
-}
-
diff --git a/lib/dns/win32/libdns.vcxproj.filters.in b/lib/dns/win32/libdns.vcxproj.filters.in
index 3ae2af9888..5031fdeef0 100644
--- a/lib/dns/win32/libdns.vcxproj.filters.in
+++ b/lib/dns/win32/libdns.vcxproj.filters.in
@@ -312,9 +312,6 @@ Dst Source Files - - Dst Source Files - Dst Source Files
@@ -335,9 +332,6 @@ Dst Source Files - - Dst Source Files - Dst Source Files
@@ -658,9 +652,6 @@ Dst Header Files - - Dst Header Files - Dst Header Files
diff --git a/lib/dns/win32/libdns.vcxproj.in b/lib/dns/win32/libdns.vcxproj.in
index ea568bd702..319c203e91 100644
--- a/lib/dns/win32/libdns.vcxproj.in
+++ b/lib/dns/win32/libdns.vcxproj.in
@@ -165,7 +165,6 @@ - @END OPENSSL
@@ -177,7 +176,6 @@ - @END PKCS11
@@ -223,7 +221,6 @@ - @IF OPENSSL
diff --git a/lib/isc/include/pk11/README.site b/lib/isc/include/pk11/README.site
index 6c49891c35..4c0700d2c1 100644
--- a/lib/isc/include/pk11/README.site
+++ b/lib/isc/include/pk11/README.site
@@ -15,7 +15,6 @@ selected tokens per algorithm:
 - DH (secret derivation)
 - digest (hash)
 - EC (ECDSA, sign/verify)
- - GOST (Russian hash and sign/verify)
 - AES (encrypt/decrypt)
 ...and a summary of PKCS#11 tokens that have been found.
@@ -56,15 +55,12 @@ may be taken, depending on which algorithms indicate failures:
 - EC: you may wish to configure BIND9 without ECDSA support by adding
 --without-ecdsa to the "configure" arguments.
- - GOST: you SHOULD configure BIND9 without GOST support by adding
- --without-gost to the "configure" arguments.
-
 - AES: you MUST reconfigure bind9 without AES support by adding
 --without-aes to configure arguments.
 You can disable some algorithms (e.g. DSA, DH and MD5) using the "disable-algorithms" option in named.conf, and some other algorithms can be
-disabled at compile time (ECDSA, GOST, AES). Note, however, that disabling
+disabled at compile time (ECDSA, AES). Note, however, that disabling
 algorithms can have unwanted side effects; for instance, disabling DH breaks TKEY support.
diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h
index 0abbf7ee37..4b263f00d1 100644
--- a/lib/isc/include/pk11/constants.h
+++ b/lib/isc/include/pk11/constants.h
@@ -95,13 +95,4 @@ static CK_BYTE pk11_dh_bn1536[] = {
 };
 #endif
-#ifdef WANT_GOST_PARAMS
-static CK_BYTE pk11_gost_a_paramset[] = {
- 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
-};
-static CK_BYTE pk11_gost_paramset[] = {
- 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
-};
-#endif
-
 #endif /* PK11_CONSTANTS_H */
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 9377b7220b..77d6abda58 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -84,7 +84,6 @@ static pk11_token_t *best_dsa_token;
 static pk11_token_t *best_dh_token;
 static pk11_token_t *digest_token;
 static pk11_token_t *best_ec_token;
-static pk11_token_t *best_gost_token;
 static pk11_token_t *aes_token;
 static isc_result_t free_all_sessions(void);
@@ -266,8 +265,6 @@ pk11_finalize(void) {
 digest_token = NULL;
 if (token == best_ec_token)
 best_ec_token = NULL;
- if (token == best_gost_token)
- best_gost_token = NULL;
 if (token == aes_token)
 aes_token = NULL;
 pk11_mem_put(token, sizeof(*token));
@@ -852,41 +849,11 @@ scan_slots(void) {
 PK11_TRACEM(CKM_ECDSA);
 }
 if (bad)
- goto try_gost;
+ goto try_eddsa;
 token->operations |= 1 << OP_EC;
 if (best_ec_token == NULL)
 best_ec_token = token;
- try_gost:
- bad = ISC_FALSE;
- /* does GOST require digest too? */
- rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3411);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot,
- CKM_GOSTR3410_WITH_GOSTR3411,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
- }
- if (bad)
- goto try_eddsa;
- token->operations |= 1 << OP_GOST;
- if (best_gost_token == NULL)
- best_gost_token = token;
-
 try_eddsa:
 #if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
 bad = ISC_FALSE;
@@ -949,9 +916,6 @@ pk11_get_best_token(pk11_optype_t optype) {
 case OP_EC:
 token = best_ec_token;
 break;
- case OP_GOST:
- token = best_gost_token;
- break;
 case OP_AES:
 token = aes_token;
 break;
@@ -1340,7 +1304,6 @@ pk11_dump_tokens(void) {
 printf("\tbest_dh_token=%p\n", best_dh_token);
 printf("\tdigest_token=%p\n", digest_token);
 printf("\tbest_ec_token=%p\n", best_ec_token);
- printf("\tbest_gost_token=%p\n", best_gost_token);
 printf("\taes_token=%p\n", aes_token);
 for (token = ISC_LIST_HEAD(tokens);
diff --git a/util/copyrights b/util/copyrights
index 961b457cb7..48443d8476 100644
--- a/util/copyrights
+++ b/util/copyrights
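Review bot: The retargeted `goto try_eddsa;` lands on a label that sits immediately before `#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)`, so when those macros are absent `bad` still carries the ECDSA probe's result into whatever probe follows the `#endif`, and nothing visible in this hunk resets it. The removed GOST block jumped to the same label with the same shape, so this is presumably handled by a `bad = ISC_FALSE;` at the start of the next probe, but the remainder of scan_slots lies outside the hunk and is worth confirming. A short comment on the label, `/* EC probe failed: continue with the next mechanism family */`, would make the new control flow explicit now that two jumps converge there. The `pk11_get_best_token()` hunk below drops `case OP_GOST:`; if `OP_GOST` is still declared in `pk11_optype_t` (pk11.h is not in this diff), a caller passing it now takes the switch's default path, so the enumerator should be removed in the same change.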
@@ -1383,14 +1383,6 @@
 ./bin/tests/system/glue/tests.sh SH 2000,2001,2003,2004,2007,2012,2013,2016,2017,2018
 ./bin/tests/system/glue/xx.good X 2000,2001,2018
 ./bin/tests/system/glue/yy.good X 2000,2001,2003,2018
-./bin/tests/system/gost/clean.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/ns1/named.conf CONF-C 2010,2016,2018
-./bin/tests/system/gost/ns1/root.db.in ZONE 2010,2016,2018
-./bin/tests/system/gost/ns1/sign.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/ns2/named.conf CONF-C 2010,2016,2018
-./bin/tests/system/gost/prereq.sh SH 2010,2012,2014,2016,2018
-./bin/tests/system/gost/setup.sh SH 2010,2012,2014,2016,2017,2018
-./bin/tests/system/gost/tests.sh SH 2010,2012,2013,2016,2018
 ./bin/tests/system/idna/clean.sh SH 2018
 ./bin/tests/system/idna/ns1/named.conf.in CONF-C 2018
 ./bin/tests/system/idna/ns1/root.db ZONE 2018
@@ -2950,7 +2942,6 @@
 ./lib/dns/dnstap.proto X 2015,2018
 ./lib/dns/ds.c C 2002,2003,2004,2005,2006,2007,2010,2012,2014,2016,2018
 ./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
-./lib/dns/dst_gost.h C 2014,2016,2018
 ./lib/dns/dst_internal.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018
 ./lib/dns/dst_lib.c C 1999,2000,2001,2004,2005,2007,2016,2018
 ./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018
@@ -3096,7 +3087,6 @@
 ./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/opensslecdsa_link.c C 2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/openssleddsa_link.c C 2017,2018
-./lib/dns/opensslgost_link.c C 2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018
 ./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
@@ -3105,7 +3095,6 @@
 ./lib/dns/pkcs11dsa_link.c C 2014,2015,2016,2017,2018
 ./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018
 ./lib/dns/pkcs11eddsa_link.c C 2017,2018
-./lib/dns/pkcs11gost_link.c C 2014,2015,2016,2017,2018
 ./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018
 ./lib/dns/portlist.c C 2003,2004,2005,2006,2007,2014,2016,2018
 ./lib/dns/private.c C 2009,2011,2012,2015,2016,2017,2018
@@ -3313,7 +3302,6 @@
 ./lib/dns/tests/dnstest.h C 2011,2012,2014,2015,2016,2017,2018
 ./lib/dns/tests/dst_test.c C 2018
 ./lib/dns/tests/geoip_test.c C 2013,2014,2015,2016,2017,2018
-./lib/dns/tests/gost_test.c C 2014,2015,2016,2017,2018
 ./lib/dns/tests/keytable_test.c C 2014,2015,2016,2017,2018
 ./lib/dns/tests/master_test.c C 2011,2012,2013,2015,2016,2017,2018
 ./lib/dns/tests/mkraw.pl PERL 2011,2012,2016,2018
diff --git a/win32utils/Configure b/win32utils/Configure
index 4f77d26941..0266929dbc 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -208,7 +208,6 @@ my @substdefh = ("AES_CC",
 "HAVE_OPENSSL_ED25519",
 "HAVE_OPENSSL_ED448",
 "HAVE_OPENSSL_EVP_AES",
-"HAVE_OPENSSL_GOST",
 "HAVE_DH_GET0_KEY",
 "HAVE_DSA_GET0_PQG",
 "HAVE_ECDSA_SIG_GET0",
@@ -217,13 +216,11 @@ my @substdefh = ("AES_CC",
 "HAVE_PKCS11_ECDSA",
 "HAVE_PKCS11_ED25519",
 "HAVE_PKCS11_ED448",
-"HAVE_PKCS11_GOST",
 "HAVE_READLINE",
 "HAVE_ZLIB",
 "HMAC_SHA1_CC",
 "HMAC_SHA256_CC",
 "ISC_LIST_CHECKINIT",
-"PREFER_GOSTASN1",
 "TUNE_LARGE",
 "WANT_QUERYTRACE",
 "WITH_IDN");
@@ -383,7 +380,6 @@ my @withlist = ("aes",
 "extra-tests",
 "gssapi",
 "geoip",
-"gost",
 "iconv",
 "idn",
 "openssl",
@@ -440,7 +436,6 @@ my @help = (
 " with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
 " with-ecdsa crypto ECDSA\n",
 " with-eddsa crypto EDDSA yes|all|no\n",
-" with-gost[=ENC] crypto GOST yes|no|raw|ans1\n",
 " with-aes crypto AES\n",
 " with-cc-alg choose the algorithm for cookies aes|sha1|sha256\n",
 " with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n",
@@ -488,8 +483,6 @@ my $pkcs11_path = "unknown";
 my $use_ecdsa = "auto";
 my $use_eddsa = "auto";
 my $use_ed448 = "auto";
-my $use_gost = "auto";
-my $gost_encoding = "raw";
 my $use_aes = "auto";
 my $cookie_algorithm = "aes";
 my $use_gssapi = "no";
@@ -787,13 +780,6 @@ sub mywith {
 $use_ed448 = "yes";
 }
 }
- } elsif ($key =~ /^gost$/i) {
- if ($val =~ /^no$/i) {
- $use_gost = "no";
- } elsif ($val !~ /^no$/i) {
- $use_gost = "yes";
- $gost_encoding = $val;
- }
 } elsif ($key =~ /^aes$/i) {
 if ($val =~ /^no$/i) {
 $use_aes = "no";
@@ -1038,12 +1024,6 @@ if ($verbose) {
 print "ed448: enabled\n";
 }
 }
- if ($use_gost eq "no") {
- print "gost: disabled\n";
- } else {
- print "gost: enabled\n";
- print "gost private key encoding: $gost_encoding\n";
- }
 if ($use_aes eq "no") {
 print "aes: disabled\n";
 } else {
@@ -1363,16 +1343,6 @@ if ($enable_native_pkcs11 eq "yes") {
 $configdefh{"HAVE_PKCS11_ED448"} = 1;
 }
 }
- if ($use_gost eq "no") {
- if ($verbose) {
- print "no GOST support in native PKCS#11\n";
- }
- } else {
- if ($verbose) {
- print "enabled GOST support in native PKCS#11\n";
- }
- $configdefh{"HAVE_PKCS11_GOST"} = 1;
- }
 if ($use_aes eq "no") {
 if ($verbose) {
 print "no AES support in native PKCS#11\n";
@@ -1814,72 +1784,6 @@ if ($use_ed448 ne "no") {
 $configdefh{"HAVE_OPENSSL_ED448"} = 1;
 }
-# with-gost
-if ($use_openssl eq "no") {
- $use_gost = "no";
-}
-if ($use_gost eq "auto") {
- if ($verbose) {
- print "checking for OpenSSL GOST support\n";
- }
- open F, ">testgost.c" || die $!;
- print F << 'EOF';
-#include
-#include
-
-int
-main(void)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
-
- ek = NULL;
- OPENSSL_config(NULL);
-
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
-EOF
- close F;
- my $include = $configinc{"OPENSSL_INC"};
- my $library = $configlib{"OPENSSL_LIB"};
- $compret = `cl /nologo /MD /I "$include" testgost.c "$library"`;
- if (grep { -f and -x } ".\\testgost.exe") {
- `.\\testgost.exe`;
- if ($? != 0) {
- if ($verbose) {
- print "GOST test failed: disabling GOST\n";
- }
- $use_gost = "no";
- }
- } else {
- if ($verbose) {
- print "can't compile GOST test: $compret\n";
- print "disabling GOST\n";
- }
- $use_gost = "no";
- }
-}
-
-if ($use_gost ne "no") {
- $use_gost = "yes";
- $configdefh{"HAVE_OPENSSL_GOST"} = 1;
-}
-
-if ($gost_encoding eq "ans1") {
- $configdefh{"PREFER_GOSTASN1"} = 1;
-} elsif ($gost_encoding ne "raw") {
- die "Unrecognized GOST private key encoding: $gost_encoding\n";
-}
-
 # with-aes
 if ($use_openssl eq "no") {
 if ($use_aes ne "pkcs11") {
@@ -3350,7 +3254,6 @@ exit 0;
 # --with-pkcs11 supported
 # --with-ecdsa supported
 # --with-eddsa supported
-# --with-gost supported
 # --with-aes supported
 # --with-cc-alg supported
 # --with-randomdev not supported on WIN32 (makes no sense)
diff --git a/win32utils/build.txt b/win32utils/build.txt
index 5e0305dd6d..522f0fafc1 100644
--- a/win32utils/build.txt
+++ b/win32utils/build.txt
@@ -73,8 +73,7 @@ Step 1: Download and build OpenSSL
 nmake /f ms\ntdll.mak
 The "enable-static-engine" option is needed when an OpenSSL engine
- will be used -- for example, when using the GOST signing algorithm or
- OpenSSL-based PKCS#11 support.
+ will be used -- for example, when using OpenSSL-based PKCS#11 support.
 If you wish to use OpenSSL-based PKCS#11 to control a cryptographic
 hardware service module, please see "PKCS#11 (Cryptoki) support" in