diff --git a/CHANGES b/CHANGES index 24b2bb9eb8..a2c54d22c5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3339. [func] Allow the maximum supported rsa exponent size to be + specified: "max-rsa-exponent-size ;" [RT #29228] + 3338. [bug] Address race condition in units tests: asyncload_zone and asyncload_zt. [RT #26100] diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 8e5bbbf249..90daddd156 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -33,7 +33,7 @@ dnssec\-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP 14 -\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} +\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR @@ -103,11 +103,6 @@ Indicates that the DNS record containing the key should have the specified class Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine. .RE .PP -\-e -.RS 4 -If generating an RSAMD5/RSASHA1 key, use a large exponent. -.RE -.PP \-f \fIflag\fR .RS 4 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE. diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 83ad91f4f4..086d6d73c0 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -124,7 +124,6 @@ usage(void) { #else fprintf(stderr, " -E \n"); #endif - fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n"); fprintf(stderr, " -f : KSK | REVOKE\n"); fprintf(stderr, " -g : use specified generator " "(DH only)\n"); @@ -212,7 +211,7 @@ main(int argc, char **argv) { isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE; isc_boolean_t oldstyle = ISC_FALSE; isc_mem_t *mctx = NULL; - int ch, rsa_exp = 0, generator = 0, param = 0; + int ch, generator = 0, param = 0; int protocol = -1, size = -1, signatory = 0; isc_result_t ret; isc_textregion_t r; @@ -311,7 +310,9 @@ main(int argc, char **argv) { engine = isc_commandline_argument; break; case 'e': - rsa_exp = 1; + fprintf(stderr, + "phased-out option -e " + "(was 'use (RSA) large exponent)\n"); break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); @@ -789,13 +790,6 @@ main(int argc, char **argv) { break; } - if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || - alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 || - alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST || - alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) && - rsa_exp != 0) - fatal("specified RSA exponent for a non-RSA key"); - if (alg != DNS_KEYALG_DH && generator != 0) fatal("specified DH generator for a non-DH key"); @@ -855,7 +849,6 @@ main(int argc, char **argv) { case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_RSASHA256: case DNS_KEYALG_RSASHA512: - param = rsa_exp; show_progress = ISC_TRUE; break; diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index df50b01adb..bc50c0226d 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -68,7 +68,6 @@ - @@ -233,15 +232,6 @@ - - -e - - - If generating an RSAMD5/RSASHA1 key, use a large exponent. - - - - -f flag diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index ad266da7c7..ecf512b165 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -29,10 +29,10 @@

Synopsis

-

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}

+

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -46,7 +46,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -139,10 +139,6 @@ support it defaults to pkcs11; the empty name resets it to no engine.

-
-e
-

- If generating an RSAMD5/RSASHA1 key, use a large exponent. -

-f flag

Set the specified flag in the flag field of the KEY/DNSKEY record. @@ -260,7 +256,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -331,7 +327,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -377,7 +373,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -398,7 +394,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -407,7 +403,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/config.c b/bin/named/config.c index 79fc539d1f..bfd8c1c4e0 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -73,6 +73,7 @@ options {\n\ listen-on {any;};\n\ listen-on-v6 {none;};\n\ match-mapped-addresses no;\n\ + max-rsa-exponent-size 0; /* no limit */\n\ memstatistics-file \"named.memstats\";\n\ multiple-cnames no;\n\ # named-xfer ;\n\ diff --git a/bin/named/query.c b/bin/named/query.c index 31688cb166..b219ccfffb 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -2927,7 +2927,7 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, static isc_boolean_t verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, - dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired) + dns_rdata_t *rdata, ns_client_t *client) { isc_result_t result; dns_fixedname_t fixed; @@ -2936,9 +2936,10 @@ verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, dns_fixedname_init(&fixed); again: - result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx, + result = dns_dnssec_verify3(name, rdataset, key, ignore, + client->view->maxbits, client->mctx, rdata, NULL); - if (result == DNS_R_SIGEXPIRED && acceptexpired) { + if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) { ignore = ISC_TRUE; goto again; } @@ -2981,8 +2982,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, do { if (!get_key(client, db, &rrsig, &keyrdataset, &key)) break; - if (verify(key, name, rdataset, &rdata, client->mctx, - client->view->acceptexpired)) { + if (verify(key, name, rdataset, &rdata, client)) { dst_key_free(&key); dns_rdataset_disassociate(&keyrdataset); mark_secure(client, db, name, diff --git a/bin/named/server.c b/bin/named/server.c index de26986bd1..c2f1b07fa4 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1609,6 +1609,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, const char *cachename = NULL; dns_order_t *order = NULL; isc_uint32_t udpsize; + isc_uint32_t maxbits; unsigned int resopts = 0; dns_zone_t *zone = NULL; isc_uint32_t max_clients_per_query; @@ -2237,6 +2238,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, udpsize = 4096; view->maxudp = udpsize; + /* + * Set the maximum rsa exponent bits. + */ + obj = NULL; + result = ns_config_get(maps, "max-rsa-exponent-size", &obj); + INSIST(result == ISC_R_SUCCESS); + maxbits = cfg_obj_asuint32(obj); + if (maxbits != 0 && maxbits < 35) + maxbits = 35; + if (maxbits > 4096) + maxbits = 4096; + view->maxbits = maxbits; + /* * Set supported DNSSEC algorithms. */ diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index 8d46514380..6d9a93fa62 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -SUBDIRS = dlzexternal filter-aaaa lwresd rpz tkey tsiggss +SUBDIRS = dlzexternal filter-aaaa lwresd rpz rsabigexponent tkey tsiggss TARGETS = @BIND9_MAKE_RULES@ diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index e1e7470b28..e87de42190 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -57,8 +57,8 @@ SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf dname dns64 dnssec ecdsa forward glue gost ixfr inline limits logfileconfig lwresd masterfile masterformat metadata notify nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder - sortlist smartsign staticstub statistics stub tkey tsig tsiggss - unknown upforwd views xfer xferquota zonechecks" + rsabigexponent sortlist smartsign staticstub statistics stub + tkey tsig tsiggss unknown upforwd views xfer xferquota zonechecks" # PERL will be an empty string if no perl interpreter was found. PERL=@PERL@ diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in new file mode 100644 index 0000000000..d32eb15a86 --- /dev/null +++ b/bin/tests/system/rsabigexponent/Makefile.in @@ -0,0 +1,55 @@ +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ + +CDEFINES = @USE_OPENSSL@ +CWARNINGS = + +DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ + +DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ +ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ + +DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} + +LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ + +TARGETS = bigkey@EXEEXT@ + +OBJS = bigkey.@O@ + +SRCS = bigkey.c + +@BIND9_MAKE_RULES@ + +all: bigkey@EXEEXT@ + +bigkey@EXEEXT@: ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} + diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c new file mode 100644 index 0000000000..d7ccf379cf --- /dev/null +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -0,0 +1,185 @@ +/* + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +#ifdef OPENSSL +#include + +#include +#include + +#include +#include +#include +#include +#include +#include + +#define DST_KEY_INTERNAL + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include + +#include +#include +#if OPENSSL_VERSION_NUMBER <= 0x00908000L +#error Require an OpenSSL version >= 9.8.0a +#endif +#include +#include + +dst_key_t *key; +dns_fixedname_t fname; +dns_name_t *name; +unsigned int bits = 1024U; +isc_entropy_t *ectx; +isc_entropysource_t *source; +isc_mem_t *mctx; +isc_log_t *log_; +isc_logconfig_t *logconfig; +int level = ISC_LOG_WARNING; +isc_logdestination_t destination; +char filename[255]; +isc_result_t result; +isc_buffer_t buf; +RSA *rsa; +BIGNUM *e; +EVP_PKEY *pkey; + +#define CHECK(op, msg) \ +do { result = (op); \ + if (result != ISC_R_SUCCESS) { \ + fprintf(stderr, \ + "fatal error: %s returns %s at file %s line %d\n", \ + msg, isc_result_totext(result), __FILE__, __LINE__); \ + exit(1); \ + } \ +} while (0) + +int +main(int argc, char **argv) { + UNUSED(argc); + UNUSED(argv); + + rsa = RSA_new(); + e = BN_new(); + pkey = EVP_PKEY_new(); + + if ((rsa == NULL) || (e == NULL) || (pkey == NULL) || + !EVP_PKEY_set1_RSA(pkey, rsa)) { + fprintf(stderr, "fatal error: basic OpenSSL failure\n"); + exit(1); + } + + /* e = 0x1000000000001 */ + BN_set_bit(e, 0); + BN_set_bit(e, 48); + + if (RSA_generate_key_ex(rsa, bits, e, NULL)) { + BN_free(e); + RSA_free(rsa); + } else { + fprintf(stderr, + "fatal error: RSA_generate_key_ex() fails " + "at file %s line %d\n", + __FILE__, __LINE__); + exit(1); + } + + dns_result_register(); + + CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); + CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); + CHECK(isc_entropy_usebestsource(ectx, &source, + "random.data", ISC_ENTROPY_KEYBOARDNO), + "isc_entropy_usebestsource(\"random.data\")"); + CHECK(dst_lib_init2(mctx, ectx, NULL, 0), "dst_lib_init2()"); + CHECK(isc_log_create(mctx, &log_, &logconfig), "isc_log_create()"); + isc_log_setcontext(log_); + dns_log_init(log_); + dns_log_setcontext(log_); + CHECK(isc_log_settag(logconfig, "bigkey"), "isc_log_settag()"); + destination.file.stream = stderr; + destination.file.name = NULL; + destination.file.versions = ISC_LOG_ROLLNEVER; + destination.file.maximum_size = 0; + CHECK(isc_log_createchannel(logconfig, "stderr", + ISC_LOG_TOFILEDESC, + level, + &destination, + ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL), + "isc_log_createchannel()"); + CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL), + "isc_log_usechannel()"); + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + isc_buffer_init(&buf, "example.", strlen("example.")); + isc_buffer_add(&buf, strlen("example.")); + CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL), + "dns_name_fromtext(\"example.\")"); + + CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA1, + bits, DNS_KEYOWNER_ZONE, + DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, + pkey, mctx, &key), + "dst_key_buildinternal(...)"); + + CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL), + "dst_key_tofile()"); + isc_buffer_init(&buf, filename, sizeof(filename) - 1); + isc_buffer_clear(&buf); + CHECK(dst_key_buildfilename(key, 0, NULL, &buf), + "dst_key_buildfilename()"); + printf("%s\n", filename); + dst_key_free(&key); + + isc_log_destroy(&log_); + isc_log_setcontext(NULL); + dns_log_setcontext(NULL); + if (source != NULL) + isc_entropy_destroysource(&source); + isc_entropy_detach(&ectx); + dst_lib_destroy(); + dns_name_destroy(); + isc_mem_destroy(&mctx); + return (0); +} + +#else /* OPENSSL */ + +#include +#include + +int +main(int argc, char **argv) { + fprintf(stderr, "Compiled without OpenSSL\n"); + exit(1); +} + +#endif /* OPENSSL */ +/*! \file */ diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh new file mode 100644 index 0000000000..0d84f75563 --- /dev/null +++ b/bin/tests/system/rsabigexponent/clean.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp* +rm -f random.data +rm -f ns*/named.run +rm -f ns*/named.memstats +rm -f ns1/root.db +rm -f ns2/signer.err +rm -f dig.out.* diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf new file mode 100644 index 0000000000..0a08e78b03 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/bad01.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 1; +}; diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf new file mode 100644 index 0000000000..4604ddfe21 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/bad02.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 34; +}; diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf new file mode 100644 index 0000000000..bc5d0ceb20 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/bad03.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 4097; +}; diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf new file mode 100644 index 0000000000..361ece1b14 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/good01.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 0; +}; diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf new file mode 100644 index 0000000000..d44ebf6f16 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/good02.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 35; +}; diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf new file mode 100644 index 0000000000..7825deec90 --- /dev/null +++ b/bin/tests/system/rsabigexponent/conf/good03.conf @@ -0,0 +1,3 @@ +options { + max-rsa-exponent-size 4096; +}; diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf b/bin/tests/system/rsabigexponent/ns1/named.conf new file mode 100644 index 0000000000..3a3442d901 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns1/named.conf @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type master; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in new file mode 100644 index 0000000000..bfd93baa53 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns1/root.db.in @@ -0,0 +1,29 @@ +; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2012050600 ; serial + 3600 ; refresh + 1200 ; retry + 604800 ; expire + 60 ; minimum + ) +@ NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 +; +example. NS ns2.example. +ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh new file mode 100755 index 0000000000..7e0854f18e --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns1/sign.sh @@ -0,0 +1,50 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=. +infile=root.db.in +zonefile=root.db + +cp ../ns2/dsset-example.in dsset-example. + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` + +cat $infile $keyname.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +# Configure the resolving server with a trusted key. +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf + +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf + +cd ../ns2 && sh -e ./sign.sh diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key new file mode 100644 index 0000000000..1030c21ecc --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key @@ -0,0 +1,2 @@ +; This is a key-signing key, keyid 5896, for example. +example. IN DNSKEY 257 3 5 AwEAAaLNbgMfH/XUwZC9DBVG4OpYVUVyCyZEBqhk3k6WziIAY+2f7MN3 L9CoZR9GqfqM+/c6g8gfkIaZZ2YP/YUUaN73xH/nxtHYkrP5Rqe/dw7q ONnsVwvf3HJ8HvURG3wjaOrPoe207+HpNTNhe/sT2usKhokSU8yKB0DK lnrKQvp9vScsIB/RsIxOXWmYgOMkSXtpI3lQ07l1i2Tv6UnecD9s8ruk fl/gPbRBketLYACrqpb2j/1f7ciQv+rz1GnN9ma8XK1Yw8173/hrVL1S /ZqTGczwdeA3AVyiHThOZ15EPhSuL7jaJusHOi43Aa8ZfCMCeimT73F5 epktGomAxFU= diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private new file mode 100644 index 0000000000..dbac3062d1 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private @@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: os1uAx8f9dTBkL0MFUbg6lhVRXILJkQGqGTeTpbOIgBj7Z/sw3cv0KhlH0ap+oz79zqDyB+QhplnZg/9hRRo3vfEf+fG0diSs/lGp793Duo42exXC9/ccnwe9REbfCNo6s+h7bTv4ek1M2F7+xPa6wqGiRJTzIoHQMqWespC+n29JywgH9GwjE5daZiA4yRJe2kjeVDTuXWLZO/pSd5wP2zyu6R+X+A9tEGR60tgAKuqlvaP/V/tyJC/6vPUac32ZrxcrVjDzXvf+GtUvVL9mpMZzPB14DcBXKIdOE5nXkQ+FK4vuNom6wc6LjcBrxl8IwJ6KZPvcXl6mS0aiYDEVQ== +PublicExponent: AQAB +PrivateExponent: K9juX1LbtccmlwgDoBtl6lf+J2UO0bCSpnn8UehV/lxijZZ8Gy0XqLgh/Cl5EG02U6Dj61ts/oOEkL2Px272y86pktVm/A+7e1ORDw8HTvIQe8kmrKEPa5o4cEK6R1X2JP/lGfOYhBzeYkdIMBhp5tH/6B0Sis1GJNIrc0jUf0g+JvOH/j1SpLoKoDpHUwOWnAt92AZsYhyJgeDXgw+xTBcOVvRfmh3Zmoi6x58lmQsU3loloqQ2V2V3xw1qEhTwBtFiguqeUV/FZl+RerT+lld7v2KkuxchyxlCCavgq6bZSUpn3TxcmnK6pj42oTy11hG9PHvIS8VNpGLr0p6mpQ== +Prime1: 2KZlb2BXJHEJJv2iuJoddNuDlDStG77cA7FR84Dsarbc5rHj1BjwOPDec235LQOzNAAVMTh3B8/8kcAkx/U0F2FPfgAS/ZK2dOBKcJFU4bmUQDsLMXJn67Pf7d1HeDYfVPSFp1Ib/G91dXuo11+nRZJRfKUW19aFYXybSLVmifM= +Prime2: wF9HHnv17f1L3VLBJ+qndiPcp/l24fVk5xWrbZlivK+WFrZkHFbmN+WRIkjKbe1mBf4z2fMp1JZKt8wViJVG9Bkk2wSCQA74MrejPFlD9AEMC/TrV7F/l89DryG9YeLAk6td38opGiAmRHzSdrjstUF+iv7IAW+fghPQ3O4ogpc= +Exponent1: Nmtlo1phyUeTcvXW/+PGbmoNXRb2PLfucAcEfNPvjsasKk6Y2dgBz2vBlOEU7Be31eIHcLusOowl9z56fre7A/xviUjffE50AluslyYKWkDRWmj6YMtKC0y9fPROVYXSzPY29FaNrRUaPg531NG0JKeiTFrzp/e8vUYdg1/9h70= +Exponent2: r5+MNwlmaQJBG2psivuQLKvqy7NU1E8K8mj3G1TYLniCpnOXC8RN4yQDDvCzVg5QgRIk1kpHmxwmVIvN8OaPY1P9MLJ6Eu9Xqj26meLIxd+a1uOfY2zZloeTPDSqR84Sj/338tIGGiLVrNrj7Z1ABO4pD84wXBdC4SckHD6U3zs= +Coefficient: c1jE021ke1G/1+C/mqhVtXF9/+ivfw9Ae6na3PofQREs3wiBJH7kpbLmTqc1ovXrHA3BbD1CfWUBhrFK/n5MvsU59VGmz5mD+HGsHC1eoaS4JCG5EWFUP8MStiv+JJGyfuK8MUGsEXQorfQmzGXhe5N2S+4dEYDfksSVd9Wg9d0= diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key new file mode 100644 index 0000000000..53432675ac --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key @@ -0,0 +1,2 @@ +; This is a zone-signing key, keyid 51829, for example. +example. IN DNSKEY 256 3 5 BwEAAAAAAAGfDKVFak/2o446xOsi39QnfZmRidaRyg3LaCxDBM6kVqCH QKI3a2lEf4FWVSbp+dYjGavsqWJ/Z7poMRy9JJol2bMLhtsZhESK5EYR aR/2dLw5H10SR+wb/qRVVYovWlk67sql7XYc3x5cjc4XaMVziBBrQMiW qkQS2oGQLwKCLw== diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private new file mode 100644 index 0000000000..35acd10fcb --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private @@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nwylRWpP9qOOOsTrIt/UJ32ZkYnWkcoNy2gsQwTOpFagh0CiN2tpRH+BVlUm6fnWIxmr7Klif2e6aDEcvSSaJdmzC4bbGYREiuRGEWkf9nS8OR9dEkfsG/6kVVWKL1pZOu7Kpe12HN8eXI3OF2jFc4gQa0DIlqpEEtqBkC8Cgi8= +PublicExponent: AQAAAAAAAQ== +PrivateExponent: Aidz1Ah0WnUxdjZQ5J2bkXXOvP7ZhxtrmNvaQkQpEOjc5EW0mh+8f6rmp19CZHVwjk1nRfTgSnPk/y+xsyfroBRf5RH+6bjvB3mk+uSor6+xibdTy+HlEyd5YPdGzHmqFUe7pcL25kO0QSqdEVjvBP9SCgscDBhrTHURYsPxudE= +Prime1: 0nuP62sq8a1OyjGqmsqhf6XrpwRXSKYVjdJEdRzogi/fnU/AWDZdc2W8JOC1nxdbfVC68b8G+Vc+5GOsuUw56Q== +Prime2: wXG1f8INIsNLGtEhAuqw320onFrqBEgs+EkEZeUxHP5hUkchoUSnqTZrfRUA+UuOD2sI0NtA3OYCXaihgWu0Vw== +Exponent1: QooxjUxTEcn9N5ehnpK0VD3gKwoW3C2NIv/2GeKVpL+ZcsD6iMzmHou/WVOAt0oz+RdWDLxpEzakwUhslPN6+Q== +Exponent2: PP9JlJFaGEs3ckmvj53NXKz0fkbjtIOJvWwnkT7WrVpTgaUISjuSxLOfUDrrFC9JGAIAmoWDrI76QrTanbLiyw== +Coefficient: u4jEvCVMxzmDBCjw8MLuTZtuBqs0ScAT7NkceBrjhdpCV1DtzVGJgbwI2GEHqEcSlcVAQCM92vPz76lL4Q94zw== diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in new file mode 100644 index 0000000000..06bc89aac6 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in @@ -0,0 +1,2 @@ +example. IN DS 5896 5 1 07766192DA7BDE32F6DC719B9F5A3476686F8758 +example. IN DS 5896 5 2 CFBFD9C06EA15B0A984566573A18ACEC234FDC9C09103C0C53E75989 088A8FB4 diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad new file mode 100644 index 0000000000..ce60136868 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad @@ -0,0 +1,117 @@ +; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + +example. 300 IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh (1 hour) + 600 ; retry (10 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 5 1 300 ( + 20361231235959 20000101000000 51829 example. + HW8O/KHJEObWSYtQD14+3MRtD6rasy/AeIAo + 1HmtELxeUoMvVcQzm7z1RoeV6S7+r/SrUjAz + PwtlE4TpyTEj9sfTr4mJhU0DwrNW6dN6qHCw + vB3nuURVOKzU8V26PdFcjJB+/HnJT2LyLUqr + KAzHwU1tAXkgx0FOwfyOs2rxooo= ) + 300 NS ns2.example. + 300 RRSIG NS 5 1 300 ( + 20361231235959 20000101000000 51829 example. + EO8/KzfhppvhD2b0hGCdEN8/WTNexK6zkC1Z + oW3vu0cFVvac+wrV9Vox90lHI0jTce/R+bvT + T9RbpZiZcBKLVyBuHIdFPOdc3ogHMPwaPNkD + pvVvLfV6auHCvINiVw+jWinBpTjqoROH/yTC + 03BQ41vewKsz3fYZ03XUr2xga5Q= ) + 3600 NSEC a.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 ( + 20361231235959 20000101000000 51829 example. + FiUyrwO7MV9Lhg6yu0XN/hLZPOiDg/NqIIUc + HfA9Yix90Z9G/yzn8NBC92Yp5EPiI4HiE24T + t1p4YwHe6n/IJA4KZUIpCxEY5xhQL/mVMeuj + dlFA2LaiDwbOh//42zdocaeGPrcV+u6OmXoU + xkQIuWeJ1QCaD5FXJdN6zELZsnw= ) + 300 DNSKEY 256 3 5 ( + BwEAAAAAAAGfDKVFak/2o446xOsi39QnfZmR + idaRyg3LaCxDBM6kVqCHQKI3a2lEf4FWVSbp + +dYjGavsqWJ/Z7poMRy9JJol2bMLhtsZhESK + 5EYRaR/2dLw5H10SR+wb/qRVVYovWlk67sql + 7XYc3x5cjc4XaMVziBBrQMiWqkQS2oGQLwKC + Lw== + ) ; ZSK; alg = RSASHA1; key id = 51829 + 300 DNSKEY 257 3 5 ( + AwEAAaLNbgMfH/XUwZC9DBVG4OpYVUVyCyZE + Bqhk3k6WziIAY+2f7MN3L9CoZR9GqfqM+/c6 + g8gfkIaZZ2YP/YUUaN73xH/nxtHYkrP5Rqe/ + dw7qONnsVwvf3HJ8HvURG3wjaOrPoe207+Hp + NTNhe/sT2usKhokSU8yKB0DKlnrKQvp9vScs + IB/RsIxOXWmYgOMkSXtpI3lQ07l1i2Tv6Une + cD9s8rukfl/gPbRBketLYACrqpb2j/1f7ciQ + v+rz1GnN9ma8XK1Yw8173/hrVL1S/ZqTGczw + deA3AVyiHThOZ15EPhSuL7jaJusHOi43Aa8Z + fCMCeimT73F5epktGomAxFU= + ) ; KSK; alg = RSASHA1; key id = 5896 + 300 RRSIG DNSKEY 5 1 300 ( + 20361231235959 20000101000000 5896 example. + b07impYEH+uW8iPCVE0QXqYSs6Yyu7Nb8q1f + rXv+NgE5wbsIvdo4PDdSfScP41WgVKdLPipH + gaTyk4CKAuGSvIBMzlc3yib03zdvzBDgn3Yi + lONpl2yH47vhvn5iXYcVV4kbuYE9+SFVoVO8 + m6xvihm1D17m8emivnG6DuJSpJJM09v0toSd + 3yGI3bgUtki85ehOPU0ZkvA20InVgP5kKUgw + /M4vP4VkcwenNO7koMZOorI02KFOH3vvZSI4 + hzuwJVaQZ35IBBVmSSMAD+0LTBk6sMPSpcmP + Pff75NLhU+4+UflWie6mzWIvm3ovcG3fveq0 + W4G3TCriTIKSjY3Jqg== ) + 300 RRSIG DNSKEY 5 1 300 ( + 20361231235959 20000101000000 51829 example. + a7WU2WcHEpDfM5NBUzN7t4WXEwldn1EM/HkH + XEo9NnZhFV16414qbuwWMlUsc5MTii+T4OFZ + p2+XHj9M8glM1d98o+EDSYT7LdrrE7AqdtSO + gcXdeY6WRI9R5wkLP3cP6kADp5WIOcQ78IPb + pRJ4jhxqMPFV3cqCWH/Lp8JPghY= ) +a.example. 300 IN A 10.0.0.1 + 300 RRSIG A 5 2 300 ( + 20361231235959 20000101000000 51829 example. + h4WyY0hUkZobUbt2xWC4lJLEbGvzxGczH/mN + WHZBpgg+1tuoTAdVbt6a2TfQcJV/iPQGAHte + Vu/U6tD8KzP08krlqrcefwvR5LDAQygWRdjt + Rx105w9F0GiL6kpDH6S9T8xCw3aF5Rl1lu/u + 8eiUzDIMIBTijhXmM96Nde18RdA= ) + 3600 NSEC ns2.example. A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 ( + 20361231235959 20000101000000 51829 example. + LbzeWbk9r119I95TVCebEPfnCCk9zBRq4nAR + swliQVQ84bCjwVJfakvlD4mgilSPtypxpyXC + DQaiOQWOz9LFzro5u71VuSS5fY7U4elp/lq6 + 5BJB6o/dmk5xASAHHbOO6e5dcoQ5vRxcnJaE + 0vE1jGppo2FiQzkVi7Zbrghoolg= ) +ns2.example. 300 IN A 10.53.0.2 + 300 RRSIG A 5 2 300 ( + 20361231235959 20000101000000 51829 example. + Jfp3xzrym5GksbZ+a2rjOXzV/Ct+eX2DCo8a + lSbriEhuK9OR3WUnXoDqp1X/d7adNL2lI9c+ + B3UVL+EOCyvNxt9kECcN8KgQdXKExZEQUwnN + UB51QESM9pW6akavhXJu98sjnhtpdTwrtKbg + nMJkfYe5Mw3e/8RFY+wpEq/8cHw= ) + 3600 NSEC example. A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 ( + 20361231235959 20000101000000 51829 example. + Wxkz4nY5rty6O90QhFZguyqbaz9njnJKUs7m + qYF9u7dDk8vUf3yS97fw3e0N13X5zGZa7hTr + +65U4NKEOqYDBbvWaXSVFxrzVfSVXqY6l4jX + kWjA6q4q5TTgcjOUJ0MfvcjtgxcaKUiPGmPJ + RWdOV7t9YMWnf7QAbPI55QN9sfY= ) diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in new file mode 100644 index 0000000000..f69c23e677 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.in @@ -0,0 +1,28 @@ +; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh + 600 ; retry + 604800 ; expire + 3600 ; minimum + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf b/bin/tests/system/rsabigexponent/ns2/named.conf new file mode 100644 index 0000000000..cae5da06fc --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/named.conf @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db.bad"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh new file mode 100755 index 0000000000..e177b93f3c --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/sign.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.3 2011/05/26 23:47:28 tbox Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=example. +infile=example.db.in +outfile=example.db.bad + +for i in Xexample.+005+51829.key Xexample.+005+51829.private \ + Xexample.+005+05896.key Xexample.+005+05896.private +do + cp $i `echo $i | sed s/X/K/` +done + +$SIGNER -r $RANDFILE -g -s 20000101000000 -e 20361231235959 -o $zone \ + $infile Kexample.+005+51829 Kexample.+005+51829 \ + > /dev/null 2> signer.err diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf b/bin/tests/system/rsabigexponent/ns3/named.conf new file mode 100644 index 0000000000..e8e589c0f2 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns3/named.conf @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-enable yes; + dnssec-validation yes; + max-rsa-exponent-size 35; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh new file mode 100644 index 0000000000..9476730f6d --- /dev/null +++ b/bin/tests/system/rsabigexponent/prereq.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +../../../tools/genrandom 400 random.data + +if ./bigkey > /dev/null 2>&1 +then + rm -f Kexample.* +else + echo "I:This test requires that --with-openssl was used." >&2 + exit 1 +fi diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh new file mode 100644 index 0000000000..bf24be6c51 --- /dev/null +++ b/bin/tests/system/rsabigexponent/setup.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +sh clean.sh + +../../../tools/genrandom 400 random.data + +cd ns1 && sh -e sign.sh diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh new file mode 100644 index 0000000000..ef7d18c789 --- /dev/null +++ b/bin/tests/system/rsabigexponent/tests.sh @@ -0,0 +1,62 @@ +#!/bin/sh +# +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" + +for f in conf/good*.conf +do + echo "I:checking '$f'" + ret=0 + $CHECKCONF $f > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +done + +for f in conf/bad*.conf +do + echo "I:checking '$f'" + ret=0 + $CHECKCONF $f > /dev/null && ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +done + +echo "I:checking that RSA big exponent keys can't be loaded" +ret=0 +grep "out of range" ns2/signer.err > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that RSA big exponent signature can't validate" +ret=0 +$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1 +$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1 +grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:exit status: $status" +exit $status diff --git a/configure.in b/configure.in index a4e9e82c49..c0257703ab 100644 --- a/configure.in +++ b/configure.in @@ -3525,6 +3525,7 @@ AC_CONFIG_FILES([ bin/tests/system/gost/prereq.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile + bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 9233cd9f97..6b5144be95 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5315,6 +5315,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] preferred-glue ( A | AAAA | NONE ); edns-udp-size number; max-udp-size number; + max-rsa-exponent-size number; root-delegation-only exclude { namelist } ; querylog yes_or_no ; disable-algorithms domain { algorithm; @@ -9016,6 +9017,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; + + + max-rsa-exponent-size + + + The maximum RSA exponent size, in bits, that will + be accepted when validating. Valid values are 35 + to 4096 bits. The default zero (0) is also accepted + and is equivalent to 4096. + + + diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 762039df21..651dcc73d0 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -760,6 +760,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } } + obj = NULL; + cfg_map_get(options, "max-rsa-exponent-size", &obj); + if (obj != NULL) { + isc_uint32_t val; + + val = cfg_obj_asuint32(obj); + if (val != 0 && (val < 35 || val > 4096)) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "max-rsa-exponent-size '%u' is out of " + "range (35..4096)", val); + result = ISC_R_RANGE; + } + } + obj = NULL; cfg_map_get(options, "sig-validity-interval", &obj); if (obj != NULL) { diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 56cfb22798..1a8ab1a401 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -373,6 +373,15 @@ isc_result_t dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) +{ + return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx, + sigrdata, wild)); +} + +isc_result_t +dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, + isc_boolean_t ignoretime, unsigned int maxbits, + isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) { dns_rdata_rrsig_t sig; dns_fixedname_t fnewname; @@ -547,7 +556,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, r.base = sig.signature; r.length = sig.siglen; - ret = dst_context_verify(ctx, &r); + ret = dst_context_verify2(ctx, maxbits, &r); if (ret == ISC_R_SUCCESS && downcase) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(&sig.signer, namebuf, sizeof(namebuf)); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index dc2fc4aa24..fab0edc05f 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -57,6 +57,8 @@ #include #include +#define DST_KEY_INTERNAL + #include #include #include @@ -362,6 +364,25 @@ dst_context_verify(dst_context_t *dctx, isc_region_t *sig) { return (dctx->key->func->verify(dctx, sig)); } +isc_result_t +dst_context_verify2(dst_context_t *dctx, unsigned int maxbits, + isc_region_t *sig) +{ + REQUIRE(VALID_CTX(dctx)); + REQUIRE(sig != NULL); + + CHECKALG(dctx->key->key_alg); + if (dctx->key->keydata.generic == NULL) + return (DST_R_NULLKEY); + if (dctx->key->func->verify == NULL && + dctx->key->func->verify2 == NULL) + return (DST_R_NOTPUBLICKEY); + + return (dctx->key->func->verify2 != NULL ? + dctx->key->func->verify2(dctx, maxbits, sig) : + dctx->key->func->verify(dctx, sig)); +} + isc_result_t dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv, isc_buffer_t *secret) @@ -739,6 +760,40 @@ out: return result; } +isc_result_t +dst_key_buildinternal(dns_name_t *name, unsigned int alg, + unsigned int bits, unsigned int flags, + unsigned int protocol, dns_rdataclass_t rdclass, + void *data, isc_mem_t *mctx, dst_key_t **keyp) +{ + dst_key_t *key; + isc_result_t result; + + REQUIRE(dst_initialized == ISC_TRUE); + REQUIRE(dns_name_isabsolute(name)); + REQUIRE(mctx != NULL); + REQUIRE(keyp != NULL && *keyp == NULL); + REQUIRE(data != NULL); + + CHECKALG(alg); + + key = get_key_struct(name, alg, flags, protocol, bits, rdclass, + 0, mctx); + if (key == NULL) + return (ISC_R_NOMEMORY); + + key->keydata.generic = data; + + result = computeid(key); + if (result != ISC_R_SUCCESS) { + dst_key_free(&key); + return (result); + } + + *keyp = key; + return (ISC_R_SUCCESS); +} + isc_result_t dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index a2f1615af4..d4b1f7a486 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -170,6 +170,8 @@ struct dst_func { */ isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig); isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig); + isc_result_t (*verify2)(dst_context_t *dctx, unsigned int maxbits, + const isc_region_t *sig); isc_result_t (*computesecret)(const dst_key_t *pub, const dst_key_t *priv, isc_buffer_t *secret); diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c index 381ba10206..675fbd697a 100644 --- a/lib/dns/gssapi_link.c +++ b/lib/dns/gssapi_link.c @@ -362,6 +362,7 @@ static dst_func_t gssapi_functions = { gssapi_adddata, gssapi_sign, gssapi_verify, + NULL, /*%< verify2 */ NULL, /*%< computesecret */ gssapi_compare, NULL, /*%< paramcompare */ diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index bc0e9a04ed..69285b10f2 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -313,6 +313,7 @@ static dst_func_t hmacmd5_functions = { hmacmd5_adddata, hmacmd5_sign, hmacmd5_verify, + NULL, /*%< verify2 */ NULL, /*%< computesecret */ hmacmd5_compare, NULL, /*%< paramcompare */ @@ -589,6 +590,7 @@ static dst_func_t hmacsha1_functions = { hmacsha1_adddata, hmacsha1_sign, hmacsha1_verify, + NULL, /* verify2 */ NULL, /* computesecret */ hmacsha1_compare, NULL, /* paramcompare */ @@ -867,6 +869,7 @@ static dst_func_t hmacsha224_functions = { hmacsha224_adddata, hmacsha224_sign, hmacsha224_verify, + NULL, /* verify2 */ NULL, /* computesecret */ hmacsha224_compare, NULL, /* paramcompare */ @@ -1145,6 +1148,7 @@ static dst_func_t hmacsha256_functions = { hmacsha256_adddata, hmacsha256_sign, hmacsha256_verify, + NULL, /* verify2 */ NULL, /* computesecret */ hmacsha256_compare, NULL, /* paramcompare */ @@ -1423,6 +1427,7 @@ static dst_func_t hmacsha384_functions = { hmacsha384_adddata, hmacsha384_sign, hmacsha384_verify, + NULL, /* verify2 */ NULL, /* computesecret */ hmacsha384_compare, NULL, /* paramcompare */ @@ -1701,6 +1706,7 @@ static dst_func_t hmacsha512_functions = { hmacsha512_adddata, hmacsha512_sign, hmacsha512_verify, + NULL, /* verify2 */ NULL, /* computesecret */ hmacsha512_compare, NULL, /* paramcompare */ diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index c8a5e6fddc..e443f91b63 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -132,12 +132,19 @@ isc_result_t dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); + +isc_result_t +dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, + isc_boolean_t ignoretime, unsigned int maxbits, + isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); /*%< * Verifies the RRSIG record covering this rdataset signed by a specific * key. This does not determine if the key's owner is authorized to sign * this record, as this requires a resolver or database. * If 'ignoretime' is ISC_TRUE, temporal validity will not be checked. * + * 'maxbits' specifies the maximum number of rsa exponent bits accepted. + * * Requires: *\li 'name' (the owner name of the record) is a valid name *\li 'set' is a valid rdataset diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 00127d1a07..0d8fe3a1ff 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -158,6 +158,7 @@ struct dns_view { dns_name_t * dlv; dns_fixedname_t dlv_fixed; isc_uint16_t maxudp; + unsigned int maxbits; dns_aaaa_t v4_aaaa; dns_aaaa_t v6_aaaa; dns_acl_t * aaaa_acl; diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 1a6e4e4b58..66501df4fc 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -233,9 +233,16 @@ dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig); isc_result_t dst_context_verify(dst_context_t *dctx, isc_region_t *sig); + +isc_result_t +dst_context_verify2(dst_context_t *dctx, unsigned int maxbits, + isc_region_t *sig); /*%< * Verifies the signature using the data and key stored in the context. * + * 'maxbits' specifies the maximum number of bits permitted in the RSA + * exponent. + * * Requires: * \li "dctx" is a valid context. * \li "sig" is a valid region. @@ -492,6 +499,14 @@ dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx, * the context id. */ +#ifdef DST_KEY_INTERNAL +isc_result_t +dst_key_buildinternal(dns_name_t *name, unsigned int alg, + unsigned int bits, unsigned int flags, + unsigned int protocol, dns_rdataclass_t rdclass, + void *data, isc_mem_t *mctx, dst_key_t **keyp); +#endif + isc_result_t dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, @@ -512,6 +527,7 @@ dst_key_generate2(dns_name_t *name, unsigned int alg, dns_rdataclass_t rdclass, isc_mem_t *mctx, dst_key_t **keyp, void (*callback)(int)); + /*%< * Generate a DST key (or keypair) with the supplied parameters. The * interpretation of the "param" field depends on the algorithm: diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 71b4b1229c..ea2bbe77d5 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -628,6 +628,7 @@ static dst_func_t openssldh_functions = { NULL, /*%< adddata */ NULL, /*%< openssldh_sign */ NULL, /*%< openssldh_verify */ + NULL, /*%< openssldh_verify2 */ openssldh_computesecret, openssldh_compare, openssldh_paramcompare, diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index 39c061599d..b7ee60c1bf 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -605,6 +605,7 @@ static dst_func_t openssldsa_functions = { openssldsa_adddata, openssldsa_sign, openssldsa_verify, + NULL, /*%< verify2 */ NULL, /*%< computesecret */ openssldsa_compare, NULL, /*%< paramcompare */ diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 929c39a06e..eec51a2e00 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -546,6 +546,7 @@ static dst_func_t opensslecdsa_functions = { opensslecdsa_adddata, opensslecdsa_sign, opensslecdsa_verify, + NULL, /*%< verify2 */ NULL, /*%< computesecret */ opensslecdsa_compare, NULL, /*%< paramcompare */ diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c index e92d50f952..0327c81033 100644 --- a/lib/dns/opensslgost_link.c +++ b/lib/dns/opensslgost_link.c @@ -359,6 +359,7 @@ static dst_func_t opensslgost_functions = { opensslgost_adddata, opensslgost_sign, opensslgost_verify, + NULL, /*%< verify2 */ NULL, /*%< computesecret */ opensslgost_compare, NULL, /*%< paramcompare */ diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index a2456188d3..0e3b0c9c7a 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -55,6 +55,13 @@ #include #endif +/* + * Limit the size of public exponents. + */ +#ifndef RSA_MAX_PUBEXP_BITS +#define RSA_MAX_PUBEXP_BITS 35 +#endif + /* * We don't use configure for windows so enforce the OpenSSL version * here. Unlike with configure we don't support overriding this test. @@ -504,12 +511,14 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { } static isc_result_t -opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { +opensslrsa_verify2(dst_context_t *dctx, unsigned int maxbits, const isc_region_t *sig) { dst_key_t *key = dctx->key; int status = 0; #if USE_EVP EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; + RSA *rsa; + int bits; #else /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */ unsigned char digest[ISC_SHA512_DIGESTLENGTH]; @@ -529,8 +538,19 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { dctx->key->key_alg == DST_ALG_RSASHA512); #if USE_EVP + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + bits = BN_num_bits(rsa->e); + RSA_free(rsa); + if (bits > maxbits && maxbits != 0) + return (DST_R_VERIFYFAILURE); + status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); #else + if (BN_num_bits(rsa->e) > maxbits && maxbits != 0) + return (DST_R_VERIFYFAILURE); + switch (dctx->key->key_alg) { case DST_ALG_RSAMD5: { @@ -641,6 +661,11 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { return (ISC_R_SUCCESS); } +static isc_result_t +opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + return (opensslrsa_verify2(dctx, 0, sig)); +} + static isc_boolean_t opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { int status; @@ -752,7 +777,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { BN_set_bit(e, 0); BN_set_bit(e, 16); } else { - /* F5 0x100000001 */ + /* (phased-out) F5 0x100000001 */ BN_set_bit(e, 0); BN_set_bit(e, 32); } @@ -1203,6 +1228,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); + if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) + DST_RET(ISC_R_RANGE); if (pubrsa != NULL) RSA_free(pubrsa); key->key_size = EVP_PKEY_bits(pkey); @@ -1285,6 +1312,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); + if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) + DST_RET(ISC_R_RANGE); key->key_size = BN_num_bits(rsa->n); if (pubrsa != NULL) RSA_free(pubrsa); @@ -1303,7 +1332,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { RSA_free(rsa); if (pubrsa != NULL) RSA_free(pubrsa); - opensslrsa_destroy(key); + key->keydata.generic = NULL; dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); return (ret); @@ -1357,6 +1386,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); + if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) + DST_RET(ISC_R_RANGE); if (pubrsa != NULL) RSA_free(pubrsa); key->key_size = EVP_PKEY_bits(pkey); @@ -1392,6 +1423,7 @@ static dst_func_t opensslrsa_functions = { opensslrsa_adddata, opensslrsa_sign, opensslrsa_verify, + opensslrsa_verify2, NULL, /*%< computesecret */ opensslrsa_compare, NULL, /*%< paramcompare */ diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 3f9aae7f39..292d1f6188 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1890,8 +1890,10 @@ isselfsigned(dns_validator_t *val) { if (result != ISC_R_SUCCESS) continue; - result = dns_dnssec_verify2(name, rdataset, dstkey, - ISC_TRUE, mctx, &sigrdata, + result = dns_dnssec_verify3(name, rdataset, dstkey, + ISC_TRUE, + val->view->maxbits, + mctx, &sigrdata, dns_fixedname_name(&fixed)); dst_key_free(&dstkey); if (result != ISC_R_SUCCESS) @@ -1928,8 +1930,9 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, dns_fixedname_init(&fixed); wild = dns_fixedname_name(&fixed); again: - result = dns_dnssec_verify2(val->event->name, val->event->rdataset, - key, ignore, val->view->mctx, rdata, wild); + result = dns_dnssec_verify3(val->event->name, val->event->rdataset, + key, ignore, val->view->maxbits, + val->view->mctx, rdata, wild); if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) && val->view->acceptexpired) { diff --git a/lib/dns/view.c b/lib/dns/view.c index c048e1967a..4b1367361a 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -191,6 +191,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->flush = ISC_FALSE; view->dlv = NULL; view->maxudp = 0; + view->maxbits = 0; view->v4_aaaa = dns_aaaa_ok; view->v6_aaaa = dns_aaaa_ok; view->aaaa_acl = NULL; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 95fa294e60..287e8e1832 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -917,6 +917,7 @@ options_clauses[] = { { "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI }, { "managed-keys-directory", &cfg_type_qstring, 0 }, { "match-mapped-addresses", &cfg_type_boolean, 0 }, + { "max-rsa-exponent-size", &cfg_type_uint32, 0 }, { "memstatistics-file", &cfg_type_qstring, 0 }, { "memstatistics", &cfg_type_boolean, 0 }, { "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },