mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

2726. [func] Added support for SHA-2 DNSSEC algorithms,

Browse Source 
RSASHA256 and RSASHA512. [RT #20023]
This commit is contained in:
Evan Hunt 2009-10-22 02:21:31 +00:00
parent 8d307467b7
commit cc6cddfd94
15 changed files with 520 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,3 +1,6 @@
2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]

5
bin/dnssec/dnssec-keyfromlabel.c
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
/*! \file */
@ -53,7 +53,8 @@ int verbose;
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1";
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;

14
bin/dnssec/dnssec-keyfromlabel.docbook
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.13 2009/10/16 15:37:01 jreed Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.14 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@ -90,14 +90,16 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA),
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead.
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@ -394,9 +396,7 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>

24
bin/dnssec/dnssec-keygen.c
View File

@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */
/* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
/*! \file */
@ -83,8 +83,9 @@ usage(void) {
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | "
"NSEC3RSASHA1 | NSEC3DSA |\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
@ -95,6 +96,8 @@ usage(void) {
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
@ -469,7 +472,8 @@ main(int argc, char **argv) {
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
@ -505,9 +509,14 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_RSASHA512:
if (size != 0 && (size < 1024 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
@ -574,7 +583,8 @@ main(int argc, char **argv) {
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
@ -643,12 +653,16 @@ main(int argc, char **argv) {
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp;
break;
case DNS_KEYALG_DH:
param = generator;
break;
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:

18
bin/dnssec/dnssec-keygen.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.30 2009/10/16 15:37:01 jreed Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.31 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -110,7 +110,8 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
@ -118,7 +119,9 @@
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead.
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@ -137,10 +140,10 @@
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</para>
<para>
@ -177,7 +180,8 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
default. Note that RSASHA256 and RSASHA512 algorithms
are NSEC3-capable.
</para>
</listitem>
</varlistentry>
@ -526,7 +530,7 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>

146
doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt → doc/draft/draft-ietf-dnsext-dnssec-rsasha256-14.txt
View File

@ -3,13 +3,13 @@
DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs
Intended status: Standards Track April 24, 2009
Expires: October 26, 2009
Intended status: Standards Track June 04, 2009
Expires: December 6, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC
draft-ietf-dnsext-dnssec-rsasha256-13
draft-ietf-dnsext-dnssec-rsasha256-14
Status of this Memo
@ -32,7 +32,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 26, 2009.
This Internet-Draft will expire on December 6, 2009.
Copyright Notice
@ -52,9 +52,9 @@ Abstract
Jansen Expires October 26, 2009 [Page 1]
Jansen Expires December 6, 2009 [Page 1]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
@ -77,7 +77,7 @@ Table of Contents
5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6
6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 6
6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource
@ -108,9 +108,9 @@ Table of Contents
Jansen Expires October 26, 2009 [Page 2]
Jansen Expires December 6, 2009 [Page 2]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
1. Introduction
@ -164,9 +164,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 3]
Jansen Expires December 6, 2009 [Page 3]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
2.2. RSA/SHA-512 DNSKEY Resource Records
@ -220,9 +220,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 4]
Jansen Expires December 6, 2009 [Page 4]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
3.2. RSA/SHA-512 RRSIG Resource Records
@ -276,14 +276,15 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 5]
Jansen Expires December 6, 2009 [Page 5]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
both NSEC and NSEC3 [RFC5155] negative answers. An authoritative
server that does not implement NSEC3 MAY still serve zones that use
RSA/SHA-2 with NSEC denial of existence.
negative answers in the form of both NSEC and NSEC3 with hash
algorithm 1, as defined in [RFC5155]. An authoritative server that
does not implement NSEC3 MAY still serve zones that use RSA/SHA-2
with NSEC denial of existence.
6. Examples
@ -313,84 +314,83 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123
www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000
20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU
5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB
ND/TQhjCvrb3T9ffQ== );{id = 9033}
20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
cFYK/lPtPiVYP4bwg== ;{id = 9033}
Jansen Expires December 6, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 June 2009
6.2. RSA/SHA-512 Key and Signature
Given a private key with the following values (in Base64):
Jansen Expires October 26, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Private-key-format: v1.2
Algorithm: 9 (RSASHA512)
Modulus: 8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH
XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf
haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH
IbdeNZnIkWSv4muchs=
Algorithm: 10 (RSASHA512)
Modulus: 0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf
Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk
8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V
jXZlNKdyit99waaE4s=
PublicExponent: AQAB
PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3
zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j
PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb
8q2AajPrTlRzv6uW8E=
Prime1: +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk
Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw==
Prime2: 98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7
j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q==
Exponent1: j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29
Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ==
Exponent2: 4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA
BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q==
Coefficient: BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx
avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q==
PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6
AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj
yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3
SEIAsrB043XzGrKIVE=
Prime1: 8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x
nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ==
Prime2: 3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK
Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw==
Exponent1: v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM
MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q==
Exponent2: m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J
PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w==
Coefficient: Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q
/Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ==
The DNSKEY record for this key would be:
example.net. 3600 IN DNSKEY (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z
cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0
hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK
FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb
);{id = 28237 (zsk), size = 1024b}
example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
);{id = 3740 (zsk), size = 1024b}
With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123
www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
www.example.net. 3600 IN RRSIG (A 9 3 3600 20300101000000
20000101000000 28237 example.net. mCanSdkQztEUOmslG
z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK
dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq
4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu
M= );{id = 28237}
www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000
20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
=);{id = 3740}
Jansen Expires October 26, 2009 [Page 7]
Jansen Expires December 6, 2009 [Page 7]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
7. IANA Considerations
@ -444,9 +444,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 8]
Jansen Expires December 6, 2009 [Page 8]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
9. Acknowledgments
@ -500,9 +500,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 9]
Jansen Expires December 6, 2009 [Page 9]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
Version 2.1", RFC 3447, February 2003.
@ -556,5 +556,5 @@ Author's Address
Jansen Expires October 26, 2009 [Page 10]
Jansen Expires December 6, 2009 [Page 10]

11
lib/dns/dst_api.c
View File

@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $
* $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
*/
/*! \file */
@ -204,6 +204,8 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
#ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
@ -1045,6 +1047,8 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
case DST_ALG_DSA:
@ -1300,6 +1304,8 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
@ -1545,7 +1551,8 @@ algorithm_status(unsigned int alg) {
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
alg == DST_ALG_NSEC3RSASHA1)
alg == DST_ALG_NSEC3RSASHA1 ||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);

5
lib/dns/dst_internal.h
View File

@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */
/* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@ -42,6 +42,7 @@
#include <isc/types.h>
#include <isc/md5.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/stdtime.h>
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
@ -136,6 +137,8 @@ struct dst_context {
dst_gssapi_signverifyctx_t *gssctx;
isc_md5_t *md5ctx;
isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
isc_hmacmd5_t *hmacmd5ctx;
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;

8
lib/dns/dst_parse.c
View File

@ -31,7 +31,7 @@
/*%
* Principal Author: Brian Wellington
* $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
* $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
*/
#include <config.h>
@ -579,6 +579,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n");
break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;

4
lib/dns/include/dns/keyvalues.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keyvalues.h,v 1.26 2009/06/30 02:52:32 each Exp $ */
/* $Id: keyvalues.h,v 1.27 2009/10/22 02:21:31 each Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
@ -68,6 +68,8 @@
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */

4
lib/dns/include/dst/dst.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */
/* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@ -56,6 +56,8 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_RSASHA1 5
#define DST_ALG_NSEC3DSA 6
#define DST_ALG_NSEC3RSASHA1 7
#define DST_ALG_RSASHA256 8
#define DST_ALG_RSASHA512 10
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */

398
lib/dns/opensslrsa_link.c
View File

@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
* $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $
* $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
*/
#ifdef OPENSSL
#ifndef USE_EVP
@ -29,6 +29,7 @@
#include <isc/entropy.h>
#include <isc/md5.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/util.h>
@ -105,27 +106,122 @@
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
/*
* OpenSSL 0.9.7 doesn't support SHA2.
* Provide the method functions we need.
*/
/*
* Use our namespace, not OpenSSL's.
*/
#define EVP_sha256 ISC_EVP_sha256
#define EVP_sha512 ISC_EVP_sha512
/*
* OpensSSL 0.9.8 defines these.
*/
#if 0
#define NID_sha256WithRSAEncryption 668
#define NID_sha256 672
#define NID_sha512WithRSAEncryption 670
#define NID_sha512 674
#else
#define NID_sha256WithRSAEncryption 0
#define NID_sha256 0
#define NID_sha512WithRSAEncryption 0
#define NID_sha512 0
#endif
static int init256(EVP_MD_CTX *ctx)
{ isc_sha256_init(ctx->md_data); return 1; }
static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
{ isc_sha256_update(ctx->md_data,data,count); return 1; }
static int final256(EVP_MD_CTX *ctx,unsigned char *md)
{ isc_sha256_final(md,ctx->md_data); return 1; }
static const EVP_MD sha256_md=
{
NID_sha256,
NID_sha256WithRSAEncryption,
ISC_SHA256_DIGESTLENGTH,
0,
init256,
update256,
final256,
NULL,
NULL,
EVP_PKEY_RSA_method,
ISC_SHA256_BLOCK_LENGTH,
sizeof(EVP_MD *)+sizeof(isc_sha256_t),
};
static const EVP_MD *EVP_sha256(void)
{ return(&sha256_md); }
static int init512(EVP_MD_CTX *ctx)
{ isc_sha512_init(ctx->md_data); return 1; }
static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
{ isc_sha512_update(ctx->md_data,data,count); return 1; }
static int final512(EVP_MD_CTX *ctx,unsigned char *md)
{ isc_sha512_final(md,ctx->md_data); return 1; }
static const EVP_MD sha512_md=
{
NID_sha512,
NID_sha512WithRSAEncryption,
ISC_SHA512_DIGESTLENGTH,
0,
init512,
update512,
final512,
NULL,
NULL,
EVP_PKEY_RSA_method,
ISC_SHA512_BLOCK_LENGTH,
sizeof(EVP_MD *)+sizeof(isc_sha512_t),
};
static const EVP_MD *EVP_sha512(void)
{ return(&sha512_md); }
#endif
static isc_result_t
opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#if USE_EVP
EVP_MD_CTX *evp_md_ctx;
const EVP_MD *type;
const EVP_MD *type = NULL;
#endif
UNUSED(key);
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL)
return (ISC_R_NOMEMORY);
if (dctx->key->key_alg == DST_ALG_RSAMD5)
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
else
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
break;
case DST_ALG_RSASHA256:
type = EVP_sha256(); /* SHA256 + RSA */
break;
case DST_ALG_RSASHA512:
type = EVP_sha512();
break;
default:
INSIST(0);
}
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
@ -133,22 +229,56 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
}
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
#else
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
isc_md5_t *md5ctx;
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx;
md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
if (md5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_md5_init(md5ctx);
dctx->ctxdata.md5ctx = md5ctx;
} else {
isc_sha1_t *sha1ctx;
md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
if (md5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_md5_init(md5ctx);
dctx->ctxdata.md5ctx = md5ctx;
}
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx;
sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
if (sha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha1_init(sha1ctx);
dctx->ctxdata.sha1ctx = sha1ctx;
sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
if (sha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha1_init(sha1ctx);
dctx->ctxdata.sha1ctx = sha1ctx;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx;
sha256ctx = isc_mem_get(dctx->mctx,
sizeof(isc_sha256_t));
if (sha256ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha256_init(sha256ctx);
dctx->ctxdata.sha256ctx = sha256ctx;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx;
sha512ctx = isc_mem_get(dctx->mctx,
sizeof(isc_sha512_t));
if (sha512ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha512_init(sha512ctx);
dctx->ctxdata.sha512ctx = sha512ctx;
}
break;
default:
INSIST(0);
}
#endif
@ -163,7 +293,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
if (evp_md_ctx != NULL) {
@ -171,22 +303,58 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
dctx->ctxdata.evp_md_ctx = NULL;
}
#else
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
if (md5ctx != NULL) {
isc_md5_invalidate(md5ctx);
isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
dctx->ctxdata.md5ctx = NULL;
if (md5ctx != NULL) {
isc_md5_invalidate(md5ctx);
isc_mem_put(dctx->mctx, md5ctx,
sizeof(isc_md5_t));
dctx->ctxdata.md5ctx = NULL;
}
}
} else {
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
if (sha1ctx != NULL) {
isc_sha1_invalidate(sha1ctx);
isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
dctx->ctxdata.sha1ctx = NULL;
if (sha1ctx != NULL) {
isc_sha1_invalidate(sha1ctx);
isc_mem_put(dctx->mctx, sha1ctx,
sizeof(isc_sha1_t));
dctx->ctxdata.sha1ctx = NULL;
}
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
if (sha256ctx != NULL) {
isc_sha256_invalidate(sha256ctx);
isc_mem_put(dctx->mctx, sha256ctx,
sizeof(isc_sha256_t));
dctx->ctxdata.sha256ctx = NULL;
}
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
if (sha512ctx != NULL) {
isc_sha512_invalidate(sha512ctx);
isc_mem_put(dctx->mctx, sha512ctx,
sizeof(isc_sha512_t));
dctx->ctxdata.sha512ctx = NULL;
}
}
break;
default:
INSIST(0);
}
#endif
}
@ -199,19 +367,47 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (ISC_R_FAILURE);
}
#else
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_update(md5ctx, data->base, data->length);
} else {
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length);
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_update(md5ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_update(sha256ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_update(sha512ctx, data->base, data->length);
}
break;
default:
INSIST(0);
}
#endif
return (ISC_R_SUCCESS);
@ -227,11 +423,11 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
EVP_PKEY *pkey = key->keydata.pkey;
#else
RSA *rsa = key->keydata.rsa;
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
unsigned char digest[ISC_SHA512_DIGESTLENGTH];
int status;
int type;
unsigned int digestlen;
int type = 0;
unsigned int digestlen = 0;
char *message;
unsigned long err;
const char* file;
@ -240,7 +436,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
isc_buffer_availableregion(sig, &r);
@ -255,16 +453,46 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (r.length < (unsigned int) RSA_size(rsa))
return (ISC_R_NOSPACE);
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
} else {
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
}
break;
default:
INSIST(0);
}
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
@ -290,30 +518,62 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
#else
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
int type;
unsigned int digestlen;
/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
unsigned char digest[ISC_SHA512_DIGESTLENGTH];
int type = 0;
unsigned int digestlen = 0;
RSA *rsa = key->keydata.rsa;
#endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
#else
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
} else {
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
}
break;
default:
INSIST(0);
}
if (sig->length < (unsigned int) RSA_size(rsa))

4
lib/dns/rcode.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rcode.c,v 1.11 2009/10/12 23:48:01 tbox Exp $ */
/* $Id: rcode.c,v 1.12 2009/10/22 02:21:30 each Exp $ */
#include <config.h>
#include <ctype.h>
@ -105,6 +105,8 @@
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \

6
lib/isc/include/isc/sha2.h
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: sha2.h,v 1.11 2009/02/06 23:47:42 tbox Exp $ */
/* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */
/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
@ -113,24 +113,28 @@ ISC_LANG_BEGINDECLS
/*** SHA-224/256/384/512 Function Prototypes ******************************/
void isc_sha224_init (isc_sha224_t *);
void isc_sha224_invalidate (isc_sha224_t *);
void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
void isc_sha256_init (isc_sha256_t *);
void isc_sha256_invalidate (isc_sha256_t *);
void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
void isc_sha384_init (isc_sha384_t *);
void isc_sha384_invalidate (isc_sha384_t *);
void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
void isc_sha512_init (isc_sha512_t *);
void isc_sha512_invalidate (isc_sha512_t *);
void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);

42
lib/isc/sha2.c
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: sha2.c,v 1.17 2009/02/06 23:47:42 tbox Exp $ */
/* $Id: sha2.c,v 1.18 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */
/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */
@ -73,6 +73,11 @@ isc_sha224_init(isc_sha224_t *context) {
EVP_DigestInit(context, EVP_sha224());
}
void
isc_sha224_invalidate(isc_sha224_t *context) {
EVP_MD_CTX_cleanup(context);
}
void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) {
@ -107,6 +112,11 @@ isc_sha256_init(isc_sha256_t *context) {
EVP_DigestInit(context, EVP_sha256());
}
void
isc_sha256_invalidate(isc_sha256_t *context) {
EVP_MD_CTX_cleanup(context);
}
void
isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) {
@ -141,6 +151,11 @@ isc_sha512_init(isc_sha512_t *context) {
EVP_DigestInit(context, EVP_sha512());
}
void
isc_sha512_invalidate(isc_sha512_t *context) {
EVP_MD_CTX_cleanup(context);
}
void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) {
/* Calling with no data is valid - we do nothing */
@ -173,6 +188,11 @@ isc_sha384_init(isc_sha384_t *context) {
EVP_DigestInit(context, EVP_sha384());
}
void
isc_sha384_invalidate(isc_sha384_t *context) {
EVP_MD_CTX_cleanup(context);
}
void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) {
@ -546,6 +566,11 @@ isc_sha224_init(isc_sha224_t *context) {
context->bitcount = 0;
}
void
isc_sha224_invalidate(isc_sha224_t *context) {
memset(context, 0, sizeof(isc_sha224_t));
}
void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
isc_sha256_update((isc_sha256_t *)context, data, len);
@ -571,6 +596,11 @@ isc_sha256_init(isc_sha256_t *context) {
context->bitcount = 0;
}
void
isc_sha256_invalidate(isc_sha256_t *context) {
memset(context, 0, sizeof(isc_sha256_t));
}
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */
@ -881,6 +911,11 @@ isc_sha512_init(isc_sha512_t *context) {
context->bitcount[0] = context->bitcount[1] = 0;
}
void
isc_sha512_invalidate(isc_sha512_t *context) {
memset(context, 0, sizeof(isc_sha512_t));
}
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */
@ -1189,6 +1224,11 @@ isc_sha384_init(isc_sha384_t *context) {
context->bitcount[0] = context->bitcount[1] = 0;
}
void
isc_sha384_invalidate(isc_sha384_t *context) {
memset(context, 0, sizeof(isc_sha384_t));
}
void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
isc_sha512_update((isc_sha512_t *)context, data, len);