From 36e37042c6c9252cdf6eb99bd71ccb6e6c43ba6d Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Sat, 15 Sep 2001 00:01:58 +0000
Subject: [PATCH] 997. [func] Add support for RSA-SHA1 keys.
---
 CHANGES | 2 ++
 bin/dnssec/dnssec-keygen.c | 7 ++++---
 lib/dns/rdata.c | 5 +++--
 lib/dns/sec/dst/dst_api.c | 5 ++++-
 lib/dns/sec/dst/dst_parse.c | 20 +++++++++++++-------
 lib/dns/sec/dst/dst_parse.h | 7 ++++---
 lib/dns/sec/dst/hmac_link.c | 5 +++--
 lib/dns/sec/dst/include/dst/dst.h | 4 +++-
 lib/dns/sec/dst/openssldh_link.c | 5 +++--
 lib/dns/sec/dst/openssldsa_link.c | 5 +++--
 lib/dns/sec/dst/opensslrsa_link.c | 19 +++++++++++++++++--
 11 files changed, 59 insertions(+), 25 deletions(-)
diff --git a/CHANGES b/CHANGES
index dc7a08621b..a22ccf9b44 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+ 997. [func] Add support for RSA-SHA1 keys.
+
 996. [func] Issue warning if the configuration filename contains the chroot path.
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index cb5abd517e..954ce14402 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-keygen.c,v 1.49 2001/09/05 23:15:35 bwelling Exp $ */
+/* $Id: dnssec-keygen.c,v 1.50 2001/09/15 00:01:44 bwelling Exp $ */
 #include
@@ -49,6 +49,8 @@ const char *program = "dnssec-keygen";
 int verbose;
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+
 static isc_boolean_t dsa_size_ok(int size) {
 return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
@@ -60,8 +62,7 @@ usage(void) {
 fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
 program);
 fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5"
- "\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
 fprintf(stderr, " -b key size, in bits:\n");
 fprintf(stderr, " RSA:\t\t[512..%d]\n", MAX_RSA);
 fprintf(stderr, " DH:\t\t[128..4096]\n");
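Review bot: The key-size help that follows the new `-a algorithm: %s` line still labels the RSA bound only as `RSA:`, which is ambiguous now that `algs` advertises both `RSA` (presumably the alias of RSAMD5 that the `DST_ALG_RSA` define in dst.h provides) and `RSASHA1`; if RSASHA1 keys share `MAX_RSA`, the line should say so, e.g. `fprintf(stderr, "        RSA/RSASHA1:\t[512..%d]\n", MAX_RSA);`. The size validation and the rest of usage() are outside the hunk, so that the two share a bound is inferred only from both being handled by the same opensslrsa code elsewhere in this commit. Separately, `algs` is file-scope but read only by usage(); a `static const char algs[] = ...` inside usage() would keep it next to its single use.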
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 4e272e37f1..f2e85145c9 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: rdata.c,v 1.147 2001/08/08 22:54:41 gson Exp $ */
+/* $Id: rdata.c,v 1.148 2001/09/15 00:01:46 bwelling Exp $ */
 #include #include
@@ -269,13 +269,14 @@ static const char decdigits[] = "0123456789";
 { 254, "OID", 0}, \
 { 0, NULL, 0}
-/* RFC2535 section 7 */
+/* RFC2535 section 7, RFC3110 */
 #define SECALGNAMES \
 { 1, "RSAMD5", 0 }, \
 { 2, "DH", 0 }, \
 { 3, "DSA", 0 }, \
 { 4, "ECC", 0 }, \
+ { 5, "RSASHA1", 0 }, \
 { 252, "INDIRECT", 0 }, \
 { 253, "PRIVATEDNS", 0 }, \
 { 254, "PRIVATEOID", 0 }, \
diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index 70527d8dd5..7cfb45c312 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.88 2001/07/10 21:27:59 bwelling Exp $
+ * $Id: dst_api.c,v 1.89 2001/09/15 00:01:48 bwelling Exp $
 */
 #include
@@ -138,6 +138,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 #ifdef OPENSSL
 RETERR(dst__openssl_init());
 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #endif
@@ -697,6 +698,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 switch (key->key_alg) {
 case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
 *n = (key->key_size + 7) / 8;
 break;
 case DST_ALG_DSA:
@@ -726,6 +728,7 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 *n = (key->key_size + 7) / 8;
 break;
 case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
 case DST_ALG_DSA:
 case DST_ALG_HMACMD5:
 default:
diff --git a/lib/dns/sec/dst/dst_parse.c b/lib/dns/sec/dst/dst_parse.c
index 0256826881..b34abe1d29 100644
--- a/lib/dns/sec/dst/dst_parse.c
+++ b/lib/dns/sec/dst/dst_parse.c
@@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.31 2001/05/31 00:38:07 bwelling Exp $
+ * $Id: dst_parse.c,v 1.32 2001/09/15 00:01:49 bwelling Exp $
 */
 #include
@@ -39,9 +39,10 @@
 #define PRIVATE_KEY_STR "Private-key-format:"
 #define ALGORITHM_STR "Algorithm:"
-#define RSA_STR "RSA"
+#define RSAMD5_STR "RSAMD5"
 #define DH_STR "DH"
 #define DSA_STR "DSA"
+#define RSASHA1_STR "RSASHA1"
 #define HMACMD5_STR "HMAC_MD5"
 struct parse_map {
@@ -157,6 +158,7 @@ static int
 check_data(const dst_private_t *priv, const unsigned int alg) {
 switch (alg) {
 case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
 return (check_rsa(priv));
 case DST_ALG_DH:
 return (check_dh(priv));
@@ -185,8 +187,9 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
 }
 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
- isc_mem_t *mctx, dst_private_t *priv)
+dst__privstruct_parsefile(dst_key_t *key, unsigned int alg,
+ const char *filename, isc_mem_t *mctx,
+ dst_private_t *priv)
 {
 int n = 0, major, minor;
 isc_buffer_t b;
@@ -305,9 +308,11 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 }
 memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
- tag = find_value(token.value.as_pointer, dst_key_alg(key));
- if (tag < 0 || TAG_ALG(tag) != dst_key_alg(key))
+ tag = find_value(token.value.as_pointer, alg);
+ if (tag < 0 || TAG_ALG(tag) != alg) {
+ ret = DST_R_INVALIDPRIVATEKEY;
 goto fail;
+ }
 priv->elements[n].tag = tag;
 data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
@@ -327,7 +332,7 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 done:
 priv->nelements = n;
- if (check_data(priv, dst_key_alg(key)) < 0)
+ if (check_data(priv, alg) < 0)
 goto fail;
 isc_lex_close(lex);
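Review bot: The `check_data()` failure at the end of the @@ -327 hunk still does `goto fail` without setting `ret`, while the tag-mismatch path in the @@ -305 hunk just above now sets `ret = DST_R_INVALIDPRIVATEKEY` first; if `fail:` (outside the hunk) returns `ret` unchanged, a private-key file whose element set fails the per-algorithm check is reported with whatever status the last lexer call left, quite possibly success. Make the two paths agree: `if (check_data(priv, alg) < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; }`. The body of dst__privstruct_parsefile begins well before this hunk and `fail:` lies after it, so the existing value of `ret` at this point cannot be confirmed from here.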
@@ -388,6 +393,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 case DST_ALG_RSAMD5: fprintf(fp, "(RSA)\n"); break;
 case DST_ALG_DH: fprintf(fp, "(DH)\n"); break;
 case DST_ALG_DSA: fprintf(fp, "(DSA)\n"); break;
+ case DST_ALG_RSASHA1: fprintf(fp, "(RSASHA1)\n"); break;
 case DST_ALG_HMACMD5: fprintf(fp, "(HMAC_MD5)\n"); break;
 default : fprintf(fp, "(?)\n"); break;
 }
diff --git a/lib/dns/sec/dst/dst_parse.h b/lib/dns/sec/dst/dst_parse.h
index 6e2fe6eba0..6e30131db7 100644
--- a/lib/dns/sec/dst/dst_parse.h
+++ b/lib/dns/sec/dst/dst_parse.h
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dst_parse.h,v 1.19 2001/05/10 19:07:13 bwelling Exp $ */
+/* $Id: dst_parse.h,v 1.20 2001/09/15 00:01:50 bwelling Exp $ */
 #ifndef DST_DST_PARSE_H
 #define DST_DST_PARSE_H 1
@@ -84,8 +84,9 @@ void
 dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
- isc_mem_t *mctx, dst_private_t *priv);
+dst__privstruct_parsefile(dst_key_t *key, unsigned int alg,
+ const char *filename, isc_mem_t *mctx,
+ dst_private_t *priv);
 int
 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
diff --git a/lib/dns/sec/dst/hmac_link.c b/lib/dns/sec/dst/hmac_link.c
index d803cfc612..f328d36e2c 100644
--- a/lib/dns/sec/dst/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.53 2001/05/31 18:34:50 tale Exp $
+ * $Id: hmac_link.c,v 1.54 2001/09/15 00:01:52 bwelling Exp $
 */
 #include
@@ -248,7 +248,8 @@ hmacmd5_fromfile(dst_key_t *key, const char *filename) {
 isc_mem_t *mctx = key->mctx;
 /* read private key file */
- ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+ ret = dst__privstruct_parsefile(key, DST_ALG_HMACMD5, filename, mctx,
+ &priv);
 if (ret != ISC_R_SUCCESS)
 return (ret);
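Review bot: The label written for RSAMD5 keys in the writefile hunk stays `(RSA)` while the corresponding define in dst_parse.c is renamed in this commit from `RSA_STR "RSA"` to `RSAMD5_STR "RSAMD5"`, whereas the new RSASHA1 case writes `(RSASHA1)`, matching its `RSASHA1_STR`. None of the hunks show those `*_STR` macros being read, so which way this goes is not visible here: if the parenthesised label is informational, a one-line comment above the `switch` saying so stops the next reader from chasing the mismatch; if the label is compared against the macros on parse, RSAMD5 files would no longer round-trip and this case needs `fprintf(fp, "(RSAMD5)\n")`, which changes the text of key files already on disk and should be a deliberate choice.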
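Review bot: The new `alg` parameter of dst__privstruct_parsefile in the dst_parse.h hunk is undocumented, and its meaning is not the obvious one: the opensslrsa_link.c caller in this commit passes `DST_ALG_RSA` for every key it loads, so `alg` selects the algorithm family whose field tags and `check_data()` rules apply, and is not necessarily `dst_key_alg(key)`. A comment on the prototype would keep a future caller from passing the key's own algorithm for an RSASHA1 key, which would presumably fail the `TAG_ALG(tag) != alg` check: `/* alg selects the private-key field tags and check_data() rules to parse against; it may differ from dst_key_alg(key), e.g. RSASHA1 keys are parsed with DST_ALG_RSA. */`. That the RSA tag table is shared between the two RSA algorithms is inferred from the callers in this commit rather than visible in this header.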
diff --git a/lib/dns/sec/dst/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index cbb9e53106..a759b84875 100644
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dst.h,v 1.42 2001/05/31 18:34:51 tale Exp $ */
+/* $Id: dst.h,v 1.43 2001/09/15 00:01:58 bwelling Exp $ */
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -45,6 +45,8 @@ typedef struct dst_context dst_context_t;
 #define DST_ALG_RSA DST_ALG_RSAMD5 /* backwards compatibility */
 #define DST_ALG_DH 2
 #define DST_ALG_DSA 3
+#define DST_ALG_ECC 4
+#define DST_ALG_RSASHA1 5
 #define DST_ALG_HMACMD5 157
 #define DST_ALG_GSSAPI 160
 #define DST_ALG_PRIVATE 254
diff --git a/lib/dns/sec/dst/openssldh_link.c b/lib/dns/sec/dst/openssldh_link.c
index 88e4081eb3..41b95471ca 100644
--- a/lib/dns/sec/dst/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.38 2001/07/10 04:01:16 bwelling Exp $
+ * $Id: openssldh_link.c,v 1.39 2001/09/15 00:01:53 bwelling Exp $
 */
 #ifdef OPENSSL
@@ -424,7 +424,8 @@ openssldh_fromfile(dst_key_t *key, const char *filename) {
 mctx = key->mctx;
 /* read private key file */
- ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+ ret = dst__privstruct_parsefile(key, DST_ALG_DH, filename, mctx,
+ &priv);
 if (ret != ISC_R_SUCCESS)
 return (ret);
diff --git a/lib/dns/sec/dst/openssldsa_link.c b/lib/dns/sec/dst/openssldsa_link.c
index d136c92811..75035e6001 100644
--- a/lib/dns/sec/dst/openssldsa_link.c
+++ b/lib/dns/sec/dst/openssldsa_link.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: openssldsa_link.c,v 1.4 2001/07/10 04:01:17 bwelling Exp $ */
+/* $Id: openssldsa_link.c,v 1.5 2001/09/15 00:01:54 bwelling Exp $ */
 #ifdef OPENSSL
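Review bot: `DST_ALG_ECC 4` is introduced in the dst.h hunk alongside `DST_ALG_RSASHA1 5`, but the `dst_lib_init` hunk in dst_api.c registers implementations only for RSAMD5, RSASHA1, DSA and DH, so ECC is a code point with no backend behind it. A comment on the define makes that explicit so nobody reads the new constant as support: `#define DST_ALG_ECC 4 /* RFC2535 code point only; no implementation registered */`. The RSASHA1 define could likewise cite its source, `/* RFC3110 */`, as the SECALGNAMES comment in the rdata.c hunk of this commit does.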
@@ -364,7 +364,8 @@ openssldsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}
 /* read private key file */
- ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+ ret = dst__privstruct_parsefile(key, DST_ALG_DSA, filename, mctx,
+ &priv);
 if (ret != ISC_R_SUCCESS)
 return (ret);
diff --git a/lib/dns/sec/dst/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c
index 1ec23eaa95..822fe67901 100644
--- a/lib/dns/sec/dst/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -17,7 +17,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.12 2001/07/10 04:01:19 bwelling Exp $
+ * $Id: opensslrsa_link.c,v 1.13 2001/09/15 00:01:56 bwelling Exp $
 */
 #ifdef OPENSSL
@@ -44,6 +44,8 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 UNUSED(key);
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
 if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 isc_md5_t *md5ctx;
@@ -64,6 +66,9 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
 if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 isc_md5_t *md5ctx = dctx->opaque;
@@ -84,6 +89,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
 if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 isc_md5_t *md5ctx = dctx->opaque;
 isc_md5_update(md5ctx, data->base, data->length);
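Review bot: The two-line `REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1)` is repeated verbatim in opensslrsa_createctx, opensslrsa_destroyctx and opensslrsa_adddata in these hunks, and again in opensslrsa_sign and opensslrsa_verify in the hunks that follow; the accepted algorithm set belongs in one place so the next RSA variant is added once rather than five times. A file-local `#define IS_RSA_ALG(alg) ((alg) == DST_ALG_RSAMD5 || (alg) == DST_ALG_RSASHA1)` with each site reduced to `REQUIRE(IS_RSA_ALG(dctx->key->key_alg));` would do it. In createctx the check sits directly after `UNUSED(key);` and inspects `dctx->key` rather than the `key` argument; if the two are meant to be the same object, `REQUIRE(key == dctx->key);` would make that explicit, otherwise the check is fine as written.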
@@ -106,6 +114,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 int type;
 unsigned int digestlen;
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
 isc_buffer_availableregion(sig, &r);
 if (r.length < (unsigned int) RSA_size(rsa))
@@ -144,6 +155,9 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 int type;
 unsigned int digestlen;
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
 if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 isc_md5_t *md5ctx = dctx->opaque;
 isc_md5_final(md5ctx, digest);
@@ -418,7 +432,8 @@ opensslrsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}
 /* read private key file */
- ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+ ret = dst__privstruct_parsefile(key, DST_ALG_RSA, filename, mctx,
+ &priv);
 if (ret != ISC_R_SUCCESS)
 return (ret);
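Review bot: opensslrsa_fromfile in the last hunk passes the constant `DST_ALG_RSA` to dst__privstruct_parsefile for every key it loads, unlike the DSA, DH and HMAC callers in this commit, which each pass their own algorithm; for an RSASHA1 key this differs from `dst_key_alg(key)`. That is presumably because both RSA variants share one private-key layout (the dst_parse.c hunk maps both to `check_rsa`), but a reader comparing the call sites will take it for a copy-paste slip unless it is stated: `/* RSAMD5 and RSASHA1 share the RSA private-key tags; parse with DST_ALG_RSA, not dst_key_alg(key). */`. Whether the tag table has entries of its own for RSASHA1 is not visible in these hunks, so the comment should be confirmed against find_value's table before it goes in.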