mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

2726. [func] Added support for SHA-2 DNSSEC algorithms,

Browse Source 
RSASHA256 and RSASHA512. [RT #20023]
This commit is contained in:
Evan Hunt
2009-10-22 02:21:31 +00:00
parent 8d307467b7
commit cc6cddfd94
15 changed files with 520 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]
2725. [doc] Added information about the file "managed-keys.bind" 2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235] to the ARM. [RT #20235]

5
bin/dnssec/dnssec-keyfromlabel.c
View File

@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */ /* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
/*! \file */ /*! \file */
@@ -53,7 +53,8 @@ int verbose;
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1"; " NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512";
ISC_PLATFORM_NORETURN_PRE static void ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST; usage(void) ISC_PLATFORM_NORETURN_POST;

14
bin/dnssec/dnssec-keyfromlabel.docbook
View File

@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.13 2009/10/16 15:37:01 jreed Exp $ --> <!-- $Id: dnssec-keyfromlabel.docbook,v 1.14 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel"> <refentry id="man.dnssec-keyfromlabel">
<refentryinfo> <refentryinfo>
<date>February 8, 2008</date> <date>February 8, 2008</date>
@@ -90,14 +90,16 @@
<listitem> <listitem>
<para> <para>
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA), <option>algorithm</option> must be one of RSAMD5, RSASHA1,
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
These values are case insensitive. These values are case insensitive.
</para> </para>
<para> <para>
If no algorithm is specified, then RSASHA1 will be used by If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified, default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para> </para>
<para> <para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -394,9 +396,7 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>, </citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>, <citetitle>RFC 4034</citetitle>.
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
</para> </para>
</refsect1> </refsect1>

24
bin/dnssec/dnssec-keygen.c
View File

@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */ /* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
/*! \file */ /*! \file */
@@ -83,8 +83,9 @@ usage(void) {
fprintf(stderr, "Options:\n"); fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n"); fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n"); fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | " fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
"NSEC3RSASHA1 | NSEC3DSA |\n"); " | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n"); "HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n"); fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
@@ -95,6 +96,8 @@ usage(void) {
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n"); fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible " fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
@@ -469,7 +472,8 @@ main(int argc, char **argv) {
} }
if (use_nsec3 && if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) { alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; " fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname); "do not use the -3 option", algname);
} }
@@ -505,9 +509,14 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSAMD5: case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1: case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
if (size != 0 && (size < 512 || size > MAX_RSA)) if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size); fatal("RSA key size %d out of range", size);
break; break;
case DNS_KEYALG_RSASHA512:
if (size != 0 && (size < 1024 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_DH: case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096)) if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size); fatal("DH key size %d out of range", size);
@@ -574,7 +583,8 @@ main(int argc, char **argv) {
} }
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0) alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key"); fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0) if (alg != DNS_KEYALG_DH && generator != 0)
@@ -643,12 +653,16 @@ main(int argc, char **argv) {
switch(alg) { switch(alg) {
case DNS_KEYALG_RSAMD5: case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1: case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp; param = rsa_exp;
break; break;
case DNS_KEYALG_DH: case DNS_KEYALG_DH:
param = generator; param = generator;
break; break;
case DNS_KEYALG_DSA: case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA224:

18
bin/dnssec/dnssec-keygen.docbook
View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: dnssec-keygen.docbook,v 1.30 2009/10/16 15:37:01 jreed Exp $ --> <!-- $Id: dnssec-keygen.docbook,v 1.31 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keygen"> <refentry id="man.dnssec-keygen">
<refentryinfo> <refentryinfo>
<date>June 30, 2000</date> <date>June 30, 2000</date>
@@ -110,7 +110,8 @@
<para> <para>
Selects the cryptographic algorithm. For DNSSEC keys, the value Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1, of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive. case insensitive.
@@ -118,7 +119,9 @@
<para> <para>
If no algorithm is specified, then RSASHA1 will be used by If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified, default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para> </para>
<para> <para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -137,10 +140,10 @@
<listitem> <listitem>
<para> <para>
Specifies the number of bits in the key. The choice of key Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024 128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. between 1 and 512 bits.
</para> </para>
<para> <para>
@@ -177,7 +180,8 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key. Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by set on the command line, NSEC3RSASHA1 will be used by
default. default. Note that RSASHA256 and RSASHA512 algorithms
are NSEC3-capable.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -526,7 +530,7 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>, <citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>, <citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>. <citetitle>RFC 4034</citetitle>.
</para> </para>
</refsect1> </refsect1>

146
doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt → doc/draft/draft-ietf-dnsext-dnssec-rsasha256-14.txt
View File

@@ -3,13 +3,13 @@
DNS Extensions working group J. Jansen DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs Internet-Draft NLnet Labs
Intended status: Standards Track April 24, 2009 Intended status: Standards Track June 04, 2009
Expires: October 26, 2009 Expires: December 6, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC for DNSSEC
draft-ietf-dnsext-dnssec-rsasha256-13 draft-ietf-dnsext-dnssec-rsasha256-14
Status of this Memo Status of this Memo
@@ -32,7 +32,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 26, 2009. This Internet-Draft will expire on December 6, 2009.
Copyright Notice Copyright Notice
@@ -52,9 +52,9 @@ Abstract
Jansen Expires October 26, 2009 [Page 1] Jansen Expires December 6, 2009 [Page 1]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
@@ -77,7 +77,7 @@ Table of Contents
5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5 5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6 6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6
6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 6 6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource 8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource
@@ -108,9 +108,9 @@ Table of Contents
Jansen Expires October 26, 2009 [Page 2] Jansen Expires December 6, 2009 [Page 2]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
1. Introduction 1. Introduction
@@ -164,9 +164,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 3] Jansen Expires December 6, 2009 [Page 3]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
2.2. RSA/SHA-512 DNSKEY Resource Records 2.2. RSA/SHA-512 DNSKEY Resource Records
@@ -220,9 +220,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 4] Jansen Expires December 6, 2009 [Page 4]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
3.2. RSA/SHA-512 RRSIG Resource Records 3.2. RSA/SHA-512 RRSIG Resource Records
@@ -276,14 +276,15 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 5] Jansen Expires December 6, 2009 [Page 5]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
both NSEC and NSEC3 [RFC5155] negative answers. An authoritative negative answers in the form of both NSEC and NSEC3 with hash
server that does not implement NSEC3 MAY still serve zones that use algorithm 1, as defined in [RFC5155]. An authoritative server that
RSA/SHA-2 with NSEC denial of existence. does not implement NSEC3 MAY still serve zones that use RSA/SHA-2
with NSEC denial of existence.
6. Examples 6. Examples
@@ -313,84 +314,83 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
With this key, sign the following RRSet, consisting of 1 A record: With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123 www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created: following signature should be created:
www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000 www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000
20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU 20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
ND/TQhjCvrb3T9ffQ== );{id = 9033} cFYK/lPtPiVYP4bwg== ;{id = 9033}
Jansen Expires December 6, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 June 2009
6.2. RSA/SHA-512 Key and Signature 6.2. RSA/SHA-512 Key and Signature
Given a private key with the following values (in Base64): Given a private key with the following values (in Base64):
Jansen Expires October 26, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Private-key-format: v1.2 Private-key-format: v1.2
Algorithm: 9 (RSASHA512) Algorithm: 10 (RSASHA512)
Modulus: 8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH Modulus: 0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf
XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk
haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH 8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V
IbdeNZnIkWSv4muchs= jXZlNKdyit99waaE4s=
PublicExponent: AQAB PublicExponent: AQAB
PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3 PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6
zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj
PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3
8q2AajPrTlRzv6uW8E= SEIAsrB043XzGrKIVE=
Prime1: +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk Prime1: 8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x
Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw== nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ==
Prime2: 98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7 Prime2: 3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK
j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q== Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw==
Exponent1: j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29 Exponent1: v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM
Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ== MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q==
Exponent2: 4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA Exponent2: m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J
BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q== PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w==
Coefficient: BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx Coefficient: Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q
avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q== /Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ==
The DNSKEY record for this key would be: The DNSKEY record for this key would be:
example.net. 3600 IN DNSKEY (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0 p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
);{id = 28237 (zsk), size = 1024b} );{id = 3740 (zsk), size = 1024b}
With this key, sign the following RRSet, consisting of 1 A record: With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123 www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created: following signature should be created:
www.example.net. 3600 IN RRSIG (A 9 3 3600 20300101000000 www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000
20000101000000 28237 example.net. mCanSdkQztEUOmslG 20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK 6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
M= );{id = 28237} =);{id = 3740}
Jansen Expires December 6, 2009 [Page 7]
Jansen Expires October 26, 2009 [Page 7]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
7. IANA Considerations 7. IANA Considerations
@@ -444,9 +444,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 8] Jansen Expires December 6, 2009 [Page 8]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
9. Acknowledgments 9. Acknowledgments
@@ -500,9 +500,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 9] Jansen Expires December 6, 2009 [Page 9]
Internet-Draft DNSSEC RSA/SHA-2 April 2009 Internet-Draft DNSSEC RSA/SHA-2 June 2009
Version 2.1", RFC 3447, February 2003. Version 2.1", RFC 3447, February 2003.
@@ -556,5 +556,5 @@ Author's Address
Jansen Expires October 26, 2009 [Page 10] Jansen Expires December 6, 2009 [Page 10]

11
lib/dns/dst_api.c
View File

@@ -31,7 +31,7 @@
/* /*
* Principal Author: Brian Wellington * Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $ * $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
*/ */
/*! \file */ /*! \file */
@@ -204,6 +204,8 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
#ifdef HAVE_OPENSSL_DSA #ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
@@ -1045,6 +1047,8 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1: case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8; *n = (key->key_size + 7) / 8;
break; break;
case DST_ALG_DSA: case DST_ALG_DSA:
@@ -1300,6 +1304,8 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1: case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_DSA: case DST_ALG_DSA:
case DST_ALG_NSEC3DSA: case DST_ALG_NSEC3DSA:
case DST_ALG_DH: case DST_ALG_DH:
@@ -1545,7 +1551,8 @@ algorithm_status(unsigned int alg) {
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 || if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH || alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA || alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
alg == DST_ALG_NSEC3RSASHA1) alg == DST_ALG_NSEC3RSASHA1 ||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
return (DST_R_NOCRYPTO); return (DST_R_NOCRYPTO);
#endif #endif
return (DST_R_UNSUPPORTEDALG); return (DST_R_UNSUPPORTEDALG);

5
lib/dns/dst_internal.h
View File

@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */ /* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
#ifndef DST_DST_INTERNAL_H #ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1 #define DST_DST_INTERNAL_H 1
@@ -42,6 +42,7 @@
#include <isc/types.h> #include <isc/types.h>
#include <isc/md5.h> #include <isc/md5.h>
#include <isc/sha1.h> #include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/stdtime.h> #include <isc/stdtime.h>
#include <isc/hmacmd5.h> #include <isc/hmacmd5.h>
#include <isc/hmacsha.h> #include <isc/hmacsha.h>
@@ -136,6 +137,8 @@ struct dst_context {
dst_gssapi_signverifyctx_t *gssctx; dst_gssapi_signverifyctx_t *gssctx;
isc_md5_t *md5ctx; isc_md5_t *md5ctx;
isc_sha1_t *sha1ctx; isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
isc_hmacmd5_t *hmacmd5ctx; isc_hmacmd5_t *hmacmd5ctx;
isc_hmacsha1_t *hmacsha1ctx; isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx; isc_hmacsha224_t *hmacsha224ctx;

8
lib/dns/dst_parse.c
View File

@@ -31,7 +31,7 @@
/*% /*%
* Principal Author: Brian Wellington * Principal Author: Brian Wellington
* $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $ * $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
*/ */
#include <config.h> #include <config.h>
@@ -579,6 +579,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_NSEC3DSA: case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n"); fprintf(fp, "(NSEC3DSA)\n");
break; break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n"); fprintf(fp, "(HMAC_MD5)\n");
break; break;

4
lib/dns/include/dns/keyvalues.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: keyvalues.h,v 1.26 2009/06/30 02:52:32 each Exp $ */ /* $Id: keyvalues.h,v 1.27 2009/10/22 02:21:31 each Exp $ */
#ifndef DNS_KEYVALUES_H #ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1 #define DNS_KEYVALUES_H 1
@@ -68,6 +68,8 @@
#define DNS_KEYALG_ECC 4 #define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5 #define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7 #define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_INDIRECT 252 #define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253 #define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */ #define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */

4
lib/dns/include/dst/dst.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */ /* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
#ifndef DST_DST_H #ifndef DST_DST_H
#define DST_DST_H 1 #define DST_DST_H 1
@@ -56,6 +56,8 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_RSASHA1 5 #define DST_ALG_RSASHA1 5
#define DST_ALG_NSEC3DSA 6 #define DST_ALG_NSEC3DSA 6
#define DST_ALG_NSEC3RSASHA1 7 #define DST_ALG_NSEC3RSASHA1 7
#define DST_ALG_RSASHA256 8
#define DST_ALG_RSASHA512 10
#define DST_ALG_HMACMD5 157 #define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160 #define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */ #define DST_ALG_HMACSHA1 161 /* XXXMPA */

398
lib/dns/opensslrsa_link.c
View File

@@ -17,7 +17,7 @@
/* /*
* Principal Author: Brian Wellington * Principal Author: Brian Wellington
* $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $ * $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
*/ */
#ifdef OPENSSL #ifdef OPENSSL
#ifndef USE_EVP #ifndef USE_EVP
@@ -29,6 +29,7 @@
#include <isc/entropy.h> #include <isc/entropy.h>
#include <isc/md5.h> #include <isc/md5.h>
#include <isc/sha1.h> #include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/mem.h> #include <isc/mem.h>
#include <isc/string.h> #include <isc/string.h>
#include <isc/util.h> #include <isc/util.h>
@@ -105,27 +106,122 @@
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
/*
* OpenSSL 0.9.7 doesn't support SHA2.
* Provide the method functions we need.
*/
/*
* Use our namespace, not OpenSSL's.
*/
#define EVP_sha256 ISC_EVP_sha256
#define EVP_sha512 ISC_EVP_sha512
/*
* OpensSSL 0.9.8 defines these.
*/
#if 0
#define NID_sha256WithRSAEncryption 668
#define NID_sha256 672
#define NID_sha512WithRSAEncryption 670
#define NID_sha512 674
#else
#define NID_sha256WithRSAEncryption 0
#define NID_sha256 0
#define NID_sha512WithRSAEncryption 0
#define NID_sha512 0
#endif
static int init256(EVP_MD_CTX *ctx)
{ isc_sha256_init(ctx->md_data); return 1; }
static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
{ isc_sha256_update(ctx->md_data,data,count); return 1; }
static int final256(EVP_MD_CTX *ctx,unsigned char *md)
{ isc_sha256_final(md,ctx->md_data); return 1; }
static const EVP_MD sha256_md=
{
NID_sha256,
NID_sha256WithRSAEncryption,
ISC_SHA256_DIGESTLENGTH,
0,
init256,
update256,
final256,
NULL,
NULL,
EVP_PKEY_RSA_method,
ISC_SHA256_BLOCK_LENGTH,
sizeof(EVP_MD *)+sizeof(isc_sha256_t),
};
static const EVP_MD *EVP_sha256(void)
{ return(&sha256_md); }
static int init512(EVP_MD_CTX *ctx)
{ isc_sha512_init(ctx->md_data); return 1; }
static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
{ isc_sha512_update(ctx->md_data,data,count); return 1; }
static int final512(EVP_MD_CTX *ctx,unsigned char *md)
{ isc_sha512_final(md,ctx->md_data); return 1; }
static const EVP_MD sha512_md=
{
NID_sha512,
NID_sha512WithRSAEncryption,
ISC_SHA512_DIGESTLENGTH,
0,
init512,
update512,
final512,
NULL,
NULL,
EVP_PKEY_RSA_method,
ISC_SHA512_BLOCK_LENGTH,
sizeof(EVP_MD *)+sizeof(isc_sha512_t),
};
static const EVP_MD *EVP_sha512(void)
{ return(&sha512_md); }
#endif
static isc_result_t static isc_result_t
opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#if USE_EVP #if USE_EVP
EVP_MD_CTX *evp_md_ctx; EVP_MD_CTX *evp_md_ctx;
const EVP_MD *type; const EVP_MD *type = NULL;
#endif #endif
UNUSED(key); UNUSED(key);
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1); dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP #if USE_EVP
evp_md_ctx = EVP_MD_CTX_create(); evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL) if (evp_md_ctx == NULL)
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
if (dctx->key->key_alg == DST_ALG_RSAMD5) switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */ type = EVP_md5(); /* MD5 + RSA */
else break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */ type = EVP_sha1(); /* SHA1 + RSA */
break;
case DST_ALG_RSASHA256:
type = EVP_sha256(); /* SHA256 + RSA */
break;
case DST_ALG_RSASHA512:
type = EVP_sha512();
break;
default:
INSIST(0);
}
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx); EVP_MD_CTX_destroy(evp_md_ctx);
@@ -133,22 +229,56 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
} }
dctx->ctxdata.evp_md_ctx = evp_md_ctx; dctx->ctxdata.evp_md_ctx = evp_md_ctx;
#else #else
if (dctx->key->key_alg == DST_ALG_RSAMD5) { switch (dctx->key->key_alg) {
isc_md5_t *md5ctx; case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx;
md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t)); md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
if (md5ctx == NULL) if (md5ctx == NULL)
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
isc_md5_init(md5ctx); isc_md5_init(md5ctx);
dctx->ctxdata.md5ctx = md5ctx; dctx->ctxdata.md5ctx = md5ctx;
} else { }
isc_sha1_t *sha1ctx; break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx;
sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t)); sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
if (sha1ctx == NULL) if (sha1ctx == NULL)
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
isc_sha1_init(sha1ctx); isc_sha1_init(sha1ctx);
dctx->ctxdata.sha1ctx = sha1ctx; dctx->ctxdata.sha1ctx = sha1ctx;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx;
sha256ctx = isc_mem_get(dctx->mctx,
sizeof(isc_sha256_t));
if (sha256ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha256_init(sha256ctx);
dctx->ctxdata.sha256ctx = sha256ctx;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx;
sha512ctx = isc_mem_get(dctx->mctx,
sizeof(isc_sha512_t));
if (sha512ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha512_init(sha512ctx);
dctx->ctxdata.sha512ctx = sha512ctx;
}
break;
default:
INSIST(0);
} }
#endif #endif
@@ -163,7 +293,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1); dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP #if USE_EVP
if (evp_md_ctx != NULL) { if (evp_md_ctx != NULL) {
@@ -171,22 +303,58 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
dctx->ctxdata.evp_md_ctx = NULL; dctx->ctxdata.evp_md_ctx = NULL;
} }
#else #else
if (dctx->key->key_alg == DST_ALG_RSAMD5) { switch (dctx->key->key_alg) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
if (md5ctx != NULL) { if (md5ctx != NULL) {
isc_md5_invalidate(md5ctx); isc_md5_invalidate(md5ctx);
isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t)); isc_mem_put(dctx->mctx, md5ctx,
dctx->ctxdata.md5ctx = NULL; sizeof(isc_md5_t));
dctx->ctxdata.md5ctx = NULL;
}
} }
} else { break;
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
if (sha1ctx != NULL) { if (sha1ctx != NULL) {
isc_sha1_invalidate(sha1ctx); isc_sha1_invalidate(sha1ctx);
isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t)); isc_mem_put(dctx->mctx, sha1ctx,
dctx->ctxdata.sha1ctx = NULL; sizeof(isc_sha1_t));
dctx->ctxdata.sha1ctx = NULL;
}
} }
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
if (sha256ctx != NULL) {
isc_sha256_invalidate(sha256ctx);
isc_mem_put(dctx->mctx, sha256ctx,
sizeof(isc_sha256_t));
dctx->ctxdata.sha256ctx = NULL;
}
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
if (sha512ctx != NULL) {
isc_sha512_invalidate(sha512ctx);
isc_mem_put(dctx->mctx, sha512ctx,
sizeof(isc_sha512_t));
dctx->ctxdata.sha512ctx = NULL;
}
}
break;
default:
INSIST(0);
} }
#endif #endif
} }
@@ -199,19 +367,47 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1); dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP #if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (ISC_R_FAILURE); return (ISC_R_FAILURE);
} }
#else #else
if (dctx->key->key_alg == DST_ALG_RSAMD5) { switch (dctx->key->key_alg) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; case DST_ALG_RSAMD5:
isc_md5_update(md5ctx, data->base, data->length); {
} else { isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length); isc_md5_update(md5ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_update(sha256ctx, data->base, data->length);
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_update(sha512ctx, data->base, data->length);
}
break;
default:
INSIST(0);
} }
#endif #endif
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
@@ -227,11 +423,11 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
EVP_PKEY *pkey = key->keydata.pkey; EVP_PKEY *pkey = key->keydata.pkey;
#else #else
RSA *rsa = key->keydata.rsa; RSA *rsa = key->keydata.rsa;
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */ /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH]; unsigned char digest[ISC_SHA512_DIGESTLENGTH];
int status; int status;
int type; int type = 0;
unsigned int digestlen; unsigned int digestlen = 0;
char *message; char *message;
unsigned long err; unsigned long err;
const char* file; const char* file;
@@ -240,7 +436,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1); dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
isc_buffer_availableregion(sig, &r); isc_buffer_availableregion(sig, &r);
@@ -255,16 +453,46 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (r.length < (unsigned int) RSA_size(rsa)) if (r.length < (unsigned int) RSA_size(rsa))
return (ISC_R_NOSPACE); return (ISC_R_NOSPACE);
if (dctx->key->key_alg == DST_ALG_RSAMD5) { switch (dctx->key->key_alg) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; case DST_ALG_RSAMD5:
isc_md5_final(md5ctx, digest); {
type = NID_md5; isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
digestlen = ISC_MD5_DIGESTLENGTH;
} else { isc_md5_final(md5ctx, digest);
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; type = NID_md5;
isc_sha1_final(sha1ctx, digest); digestlen = ISC_MD5_DIGESTLENGTH;
type = NID_sha1; }
digestlen = ISC_SHA1_DIGESTLENGTH; break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
}
break;
default:
INSIST(0);
} }
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa); status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
@@ -290,30 +518,62 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey; EVP_PKEY *pkey = key->keydata.pkey;
#else #else
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */ /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH]; unsigned char digest[ISC_SHA512_DIGESTLENGTH];
int type; int type = 0;
unsigned int digestlen; unsigned int digestlen = 0;
RSA *rsa = key->keydata.rsa; RSA *rsa = key->keydata.rsa;
#endif #endif
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1); dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#if USE_EVP #if USE_EVP
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
#else #else
if (dctx->key->key_alg == DST_ALG_RSAMD5) { switch (dctx->key->key_alg) {
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; case DST_ALG_RSAMD5:
isc_md5_final(md5ctx, digest); {
type = NID_md5; isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
digestlen = ISC_MD5_DIGESTLENGTH;
} else { isc_md5_final(md5ctx, digest);
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; type = NID_md5;
isc_sha1_final(sha1ctx, digest); digestlen = ISC_MD5_DIGESTLENGTH;
type = NID_sha1; }
digestlen = ISC_SHA1_DIGESTLENGTH; break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA256:
{
isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
isc_sha256_final(digest, sha256ctx);
type = NID_sha256;
digestlen = ISC_SHA256_DIGESTLENGTH;
}
break;
case DST_ALG_RSASHA512:
{
isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
isc_sha512_final(digest, sha512ctx);
type = NID_sha512;
digestlen = ISC_SHA512_DIGESTLENGTH;
}
break;
default:
INSIST(0);
} }
if (sig->length < (unsigned int) RSA_size(rsa)) if (sig->length < (unsigned int) RSA_size(rsa))

4
lib/dns/rcode.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: rcode.c,v 1.11 2009/10/12 23:48:01 tbox Exp $ */ /* $Id: rcode.c,v 1.12 2009/10/22 02:21:30 each Exp $ */
#include <config.h> #include <config.h>
#include <ctype.h> #include <ctype.h>
@@ -105,6 +105,8 @@
{ DNS_KEYALG_ECC, "ECC", 0 }, \ { DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \ { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \

6
lib/isc/include/isc/sha2.h
View File

@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: sha2.h,v 1.11 2009/02/06 23:47:42 tbox Exp $ */ /* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */
/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */ /* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
@@ -113,24 +113,28 @@ ISC_LANG_BEGINDECLS
/*** SHA-224/256/384/512 Function Prototypes ******************************/ /*** SHA-224/256/384/512 Function Prototypes ******************************/
void isc_sha224_init (isc_sha224_t *); void isc_sha224_init (isc_sha224_t *);
void isc_sha224_invalidate (isc_sha224_t *);
void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t); void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *); void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]); char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]); char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
void isc_sha256_init (isc_sha256_t *); void isc_sha256_init (isc_sha256_t *);
void isc_sha256_invalidate (isc_sha256_t *);
void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t); void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *); void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]); char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]); char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
void isc_sha384_init (isc_sha384_t *); void isc_sha384_init (isc_sha384_t *);
void isc_sha384_invalidate (isc_sha384_t *);
void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t); void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *); void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]); char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]); char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
void isc_sha512_init (isc_sha512_t *); void isc_sha512_init (isc_sha512_t *);
void isc_sha512_invalidate (isc_sha512_t *);
void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t); void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *); void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]); char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);

42
lib/isc/sha2.c
View File

@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: sha2.c,v 1.17 2009/02/06 23:47:42 tbox Exp $ */ /* $Id: sha2.c,v 1.18 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */
/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */ /* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */
@@ -73,6 +73,11 @@ isc_sha224_init(isc_sha224_t *context) {
EVP_DigestInit(context, EVP_sha224()); EVP_DigestInit(context, EVP_sha224());
} }
void
isc_sha224_invalidate(isc_sha224_t *context) {
EVP_MD_CTX_cleanup(context);
}
void void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) { if (len == 0U) {
@@ -107,6 +112,11 @@ isc_sha256_init(isc_sha256_t *context) {
EVP_DigestInit(context, EVP_sha256()); EVP_DigestInit(context, EVP_sha256());
} }
void
isc_sha256_invalidate(isc_sha256_t *context) {
EVP_MD_CTX_cleanup(context);
}
void void
isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) { if (len == 0U) {
@@ -141,6 +151,11 @@ isc_sha512_init(isc_sha512_t *context) {
EVP_DigestInit(context, EVP_sha512()); EVP_DigestInit(context, EVP_sha512());
} }
void
isc_sha512_invalidate(isc_sha512_t *context) {
EVP_MD_CTX_cleanup(context);
}
void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
if (len == 0U) { if (len == 0U) {
/* Calling with no data is valid - we do nothing */ /* Calling with no data is valid - we do nothing */
@@ -173,6 +188,11 @@ isc_sha384_init(isc_sha384_t *context) {
EVP_DigestInit(context, EVP_sha384()); EVP_DigestInit(context, EVP_sha384());
} }
void
isc_sha384_invalidate(isc_sha384_t *context) {
EVP_MD_CTX_cleanup(context);
}
void void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
if (len == 0U) { if (len == 0U) {
@@ -546,6 +566,11 @@ isc_sha224_init(isc_sha224_t *context) {
context->bitcount = 0; context->bitcount = 0;
} }
void
isc_sha224_invalidate(isc_sha224_t *context) {
memset(context, 0, sizeof(isc_sha224_t));
}
void void
isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
isc_sha256_update((isc_sha256_t *)context, data, len); isc_sha256_update((isc_sha256_t *)context, data, len);
@@ -571,6 +596,11 @@ isc_sha256_init(isc_sha256_t *context) {
context->bitcount = 0; context->bitcount = 0;
} }
void
isc_sha256_invalidate(isc_sha256_t *context) {
memset(context, 0, sizeof(isc_sha256_t));
}
#ifdef ISC_SHA2_UNROLL_TRANSFORM #ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */ /* Unrolled SHA-256 round macros: */
@@ -881,6 +911,11 @@ isc_sha512_init(isc_sha512_t *context) {
context->bitcount[0] = context->bitcount[1] = 0; context->bitcount[0] = context->bitcount[1] = 0;
} }
void
isc_sha512_invalidate(isc_sha512_t *context) {
memset(context, 0, sizeof(isc_sha512_t));
}
#ifdef ISC_SHA2_UNROLL_TRANSFORM #ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */ /* Unrolled SHA-512 round macros: */
@@ -1189,6 +1224,11 @@ isc_sha384_init(isc_sha384_t *context) {
context->bitcount[0] = context->bitcount[1] = 0; context->bitcount[0] = context->bitcount[1] = 0;
} }
void
isc_sha384_invalidate(isc_sha384_t *context) {
memset(context, 0, sizeof(isc_sha384_t));
}
void void
isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
isc_sha512_update((isc_sha512_t *)context, data, len); isc_sha512_update((isc_sha512_t *)context, data, len);