From e69dc0dbc783818ea7062166e130d56869ffe65d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 25 Oct 2018 10:27:49 +0200 Subject: [PATCH] Remove RSAMD5 support --- bin/dnssec/dnssec-cds.c | 2 +- bin/dnssec/dnssec-keyfromlabel.c | 26 ++++-------- bin/dnssec/dnssec-keyfromlabel.docbook | 2 +- bin/dnssec/dnssec-keygen.c | 31 ++++---------- bin/dnssec/dnssec-keygen.docbook | 2 +- bin/dnssec/dnssec-revoke.c | 2 +- bin/named/server.c | 5 +-- bin/python/isc/policy.py.in | 9 +--- lib/bind9/check.c | 2 +- lib/dns/ds.c | 2 +- lib/dns/dst_api.c | 15 ++----- lib/dns/dst_parse.c | 7 +--- lib/dns/dst_parse.h | 22 +++++----- lib/dns/include/dns/keyvalues.h | 2 +- lib/dns/include/dst/dst.h | 8 ++-- lib/dns/key.c | 10 +---- lib/dns/opensslrsa_link.c | 20 +++------ lib/dns/pkcs11rsa_link.c | 39 +++--------------- lib/dns/rcode.c | 1 - lib/dns/rdata/generic/key_25.c | 16 +------- lib/dns/rdata/generic/keydata_65533.c | 6 +-- lib/dns/tests/.gitignore | 1 + lib/dns/tests/dst_test.c | 1 - lib/dns/tests/rsa_test.c | 57 +------------------------- lib/dns/validator.c | 8 ++-- lib/dns/zone.c | 38 ++++++++++------- lib/ns/update.c | 6 +-- 27 files changed, 98 insertions(+), 242 deletions(-) create mode 100644 lib/dns/tests/.gitignore diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index 8f680db3a8..979b141916 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -573,7 +573,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset, ki->algo = dnskey.algorithm; dns_rdata_toregion(keyrdata, &r); - ki->tag = dst_region_computeid(&r, ki->algo); + ki->tag = dst_region_computeid(&r); ki->dst = NULL; if (!match_key_dsset(ki, dsset, strictness)) { diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index b6d1bbf3d3..cea62acb6e 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -64,7 +64,7 @@ usage(void) { fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -a algorithm: \n" - " RSA | RSAMD5 | DH | RSASHA1 |\n" + " DH | RSASHA1 |\n" " NSEC3RSASHA1 |\n" " RSASHA256 | RSASHA512 |\n" " ECDSAP256SHA256 | ECDSAP384SHA384\n"); @@ -382,22 +382,14 @@ main(int argc, char **argv) { fatal("no algorithm specified"); } - if (strcasecmp(algname, "RSA") == 0) { - fprintf(stderr, "The use of RSA (RSAMD5) is not " - "recommended.\nIf you still wish to " - "use RSA (RSAMD5) please specify " - "\"-a RSAMD5\"\n"); - if (freeit != NULL) - free(freeit); - return (1); - } else { - r.base = algname; - r.length = strlen(algname); - ret = dns_secalg_fromtext(&alg, &r); - if (ret != ISC_R_SUCCESS) - fatal("unknown algorithm %s", algname); - if (alg == DST_ALG_DH) - options |= DST_TYPE_KEY; + r.base = algname; + r.length = strlen(algname); + ret = dns_secalg_fromtext(&alg, &r); + if (ret != ISC_R_SUCCESS) { + fatal("unknown algorithm %s", algname); + } + if (alg == DST_ALG_DH) { + options |= DST_TYPE_KEY; } if (use_nsec3) { diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index 02f8c50569..a00251d339 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -105,7 +105,7 @@ Selects the cryptographic algorithm. The value of - must be one of RSAMD5, RSASHA1, + must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 63e8b9cb49..c534f9b90f 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -79,14 +79,12 @@ usage(void) { fprintf(stderr, "Options:\n"); fprintf(stderr, " -K : write keys into directory\n"); fprintf(stderr, " -a :\n"); - fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1" - " |\n"); + fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); fprintf(stderr, " ED25519 | ED448 | DH\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); - fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA); @@ -508,23 +506,14 @@ main(int argc, char **argv) { fatal("no algorithm specified"); } - if (strcasecmp(algname, "RSA") == 0) { - fprintf(stderr, "The use of RSA (RSAMD5) is not " - "recommended.\nIf you still wish to " - "use RSA (RSAMD5) please specify " - "\"-a RSAMD5\"\n"); - INSIST(freeit == NULL); - return (1); - } else { - r.base = algname; - r.length = strlen(algname); - ret = dns_secalg_fromtext(&alg, &r); - if (ret != ISC_R_SUCCESS) { - fatal("unknown algorithm %s", algname); - } - if (alg == DST_ALG_DH) { - options |= DST_TYPE_KEY; - } + r.base = algname; + r.length = strlen(algname); + ret = dns_secalg_fromtext(&alg, &r); + if (ret != ISC_R_SUCCESS) { + fatal("unknown algorithm %s", algname); + } + if (alg == DST_ALG_DH) { + options |= DST_TYPE_KEY; } if (!dst_algorithm_supported(alg)) { @@ -698,7 +687,6 @@ main(int argc, char **argv) { } switch (alg) { - case DNS_KEYALG_RSAMD5: case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_RSASHA256: @@ -780,7 +768,6 @@ main(int argc, char **argv) { } switch(alg) { - case DNS_KEYALG_RSAMD5: case DNS_KEYALG_RSASHA1: case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_RSASHA256: diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 539b1f0954..d8c3b492f5 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -122,7 +122,7 @@ Selects the cryptographic algorithm. For DNSSEC keys, the value - of must be one of RSAMD5, RSASHA1, + of must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 0a208e0316..595af31231 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -239,7 +239,7 @@ main(int argc, char **argv) { * Remove old key file, if told to (and if * it isn't the same as the new file) */ - if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) { + if (removefile) { isc_buffer_init(&buf, oldname, sizeof(oldname)); dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE); dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf); diff --git a/bin/named/server.c b/bin/named/server.c index b44fd1e281..6c96fee6cf 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -777,8 +777,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, keystruct.datalen = r.length; keystruct.data = r.base; - if ((keystruct.algorithm == DST_ALG_RSASHA1 || - keystruct.algorithm == DST_ALG_RSAMD5) && + if ((keystruct.algorithm == DST_ALG_RSASHA1) && r.length > 1 && r.base[0] == 1 && r.base[1] == 3) cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING, "%s key '%s' has a weak exponent", @@ -14911,7 +14910,7 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) { dns_rdata_toregion(&rdata, &r); isc_region_consume(&r, 12); - keyid = dst_region_computeid(&r, kd.algorithm); + keyid = dst_region_computeid(&r); snprintf(buf, sizeof(buf), "\n keyid: %u", keyid); CHECK(putstr(text, buf)); diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in index 8af8a2517d..f2f0354267 100644 --- a/bin/python/isc/policy.py.in +++ b/bin/python/isc/policy.py.in @@ -71,7 +71,7 @@ class PolicyLex: return t def t_ALGNAME(self, t): - r'(?i)\b(RSAMD5|DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' + r'(?i)\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' t.value = t.value.upper() return t @@ -132,8 +132,7 @@ class Policy: keyttl = None coverage = None directory = None - valid_key_sz_per_algo = {'RSAMD5': [1024, 4096], - 'RSASHA1': [1024, 4096], + valid_key_sz_per_algo = {'RSASHA1': [1024, 4096], 'NSEC3RSASHA1': [512, 4096], 'RSASHA256': [1024, 4096], 'RSASHA512': [1024, 4096], @@ -322,10 +321,6 @@ class dnssec_policy: # set default algorithm policies # these can use default settings - self.alg_policy['RSAMD5'] = copy(p) - self.alg_policy['RSAMD5'].algorithm = "RSAMD5" - self.alg_policy['RSAMD5'].name = "RSAMD5" - self.alg_policy['RSASHA1'] = copy(p) self.alg_policy['RSASHA1'].algorithm = "RSASHA1" self.alg_policy['RSASHA1'].name = "RSASHA1" diff --git a/lib/bind9/check.c b/lib/bind9/check.c index e07c3d0d0c..d03c33954c 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -3132,7 +3132,7 @@ check_trusted_key(const cfg_obj_t *key, bool managed, } else { isc_buffer_usedregion(&b, &r); - if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) && + if ((alg == DST_ALG_RSASHA1) && r.length > 1 && r.base[0] == 1 && r.base[1] == 3) cfg_obj_log(key, logctx, ISC_LOG_WARNING, "%s key '%s' has a weak exponent", diff --git a/lib/dns/ds.c b/lib/dns/ds.c index 2c8d543fd0..02d62c4f36 100644 --- a/lib/dns/ds.c +++ b/lib/dns/ds.c @@ -108,7 +108,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, ds.common.rdclass = key->rdclass; ds.common.rdtype = dns_rdatatype_ds; ds.algorithm = r.base[3]; - ds.key_tag = dst_region_computeid(&r, ds.algorithm); + ds.key_tag = dst_region_computeid(&r); ds.digest_type = digest_type; ds.digest = digest; ds.length = digestlen; diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 4e54af0f63..948697358f 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -143,8 +143,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__openssl_init(mctx, engine)); RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); #if USE_OPENSSL - RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], - DST_ALG_RSAMD5)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], @@ -165,7 +163,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #if USE_PKCS11 RETERR(dst__pkcs11_init(mctx, engine)); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); @@ -643,8 +640,8 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass, proto = isc_buffer_getuint8(source); alg = isc_buffer_getuint8(source); - id = dst_region_computeid(&r, alg); - rid = dst_region_computerid(&r, alg); + id = dst_region_computeid(&r); + rid = dst_region_computerid(&r); if ((flags & DNS_KEYFLAG_EXTENDED) != 0) { if (isc_buffer_remaininglength(source) < 2) @@ -986,8 +983,6 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2, if (key1->key_id != key2->key_id) { if (!match_revoked_key) return (false); - if (key1->key_alg == DST_ALG_RSAMD5) - return (false); if ((key1->key_flags & DNS_KEYFLAG_REVOKE) == (key2->key_flags & DNS_KEYFLAG_REVOKE)) return (false); @@ -1143,7 +1138,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: @@ -1473,7 +1467,6 @@ issymmetric(const dst_key_t *key) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: @@ -1697,8 +1690,8 @@ computeid(dst_key_t *key) { return (ret); isc_buffer_usedregion(&dnsbuf, &r); - key->key_id = dst_region_computeid(&r, key->key_alg); - key->key_rid = dst_region_computerid(&r, key->key_alg); + key->key_id = dst_region_computeid(&r); + key->key_rid = dst_region_computerid(&r); return (ISC_R_SUCCESS); } diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index 8778f994f9..a7e9de39bc 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -186,7 +186,7 @@ check_rsa(const dst_private_t *priv, bool external) { for (j = 0; j < priv->nelements; j++) { for (i = 0; i < RSA_NTAGS; i++) - if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i)) + if (priv->elements[j].tag == TAG(DST_ALG_RSA, i)) break; if (i == RSA_NTAGS) return (-1); @@ -336,7 +336,7 @@ check_data(const dst_private_t *priv, const unsigned int alg, { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (alg) { - case DST_ALG_RSAMD5: + case DST_ALG_RSA: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: @@ -661,9 +661,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (dst_key_alg(key)) { - case DST_ALG_RSAMD5: - fprintf(fp, "(RSA)\n"); - break; case DST_ALG_DH: fprintf(fp, "(DH)\n"); break; diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h index f8964b9da8..bc43eb99eb 100644 --- a/lib/dns/dst_parse.h +++ b/lib/dns/dst_parse.h @@ -44,18 +44,18 @@ #define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT) #define TAG(alg, off) (((alg) << TAG_SHIFT) + (off)) -/* These are used by both RSA-MD5 and RSA-SHA1 */ +/* These are used by RSA-SHA1, RSASHA256 and RSASHA512 */ #define RSA_NTAGS 11 -#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0) -#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1) -#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2) -#define TAG_RSA_PRIME1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 3) -#define TAG_RSA_PRIME2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 4) -#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5) -#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6) -#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7) -#define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8) -#define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9) +#define TAG_RSA_MODULUS ((DST_ALG_RSA << TAG_SHIFT) + 0) +#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 1) +#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 2) +#define TAG_RSA_PRIME1 ((DST_ALG_RSA << TAG_SHIFT) + 3) +#define TAG_RSA_PRIME2 ((DST_ALG_RSA << TAG_SHIFT) + 4) +#define TAG_RSA_EXPONENT1 ((DST_ALG_RSA << TAG_SHIFT) + 5) +#define TAG_RSA_EXPONENT2 ((DST_ALG_RSA << TAG_SHIFT) + 6) +#define TAG_RSA_COEFFICIENT ((DST_ALG_RSA << TAG_SHIFT) + 7) +#define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8) +#define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9) #define DH_NTAGS 4 #define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0) diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h index bf895696a4..642814d13d 100644 --- a/lib/dns/include/dns/keyvalues.h +++ b/lib/dns/include/dns/keyvalues.h @@ -53,7 +53,7 @@ /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */ #define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */ -#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5 +#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */ #define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */ #define DNS_KEYALG_DSA 3 /*%< DSA KEY */ #define DNS_KEYALG_NSEC3DSA 6 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 7d2476d2a2..2e7f643c28 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -46,8 +46,8 @@ typedef struct dst_context dst_context_t; /* DST algorithm codes */ #define DST_ALG_UNKNOWN 0 +#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */ #define DST_ALG_RSAMD5 1 -#define DST_ALG_RSA DST_ALG_RSAMD5 /*%< backwards compatibility */ #define DST_ALG_DH 2 #define DST_ALG_DSA 3 #define DST_ALG_ECC 4 @@ -751,12 +751,12 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n); */ uint16_t -dst_region_computeid(const isc_region_t *source, unsigned int alg); +dst_region_computeid(const isc_region_t *source); uint16_t -dst_region_computerid(const isc_region_t *source, unsigned int alg); +dst_region_computerid(const isc_region_t *source); /*%< * Computes the (revoked) key id of the key stored in the provided - * region with the given algorithm. + * region. * * Requires: *\li "source" contains a valid, non-NULL region. diff --git a/lib/dns/key.c b/lib/dns/key.c index 96129c30d6..df4aab4a6f 100644 --- a/lib/dns/key.c +++ b/lib/dns/key.c @@ -27,7 +27,7 @@ #include "dst_internal.h" uint16_t -dst_region_computeid(const isc_region_t *source, unsigned int alg) { +dst_region_computeid(const isc_region_t *source) { uint32_t ac; const unsigned char *p; int size; @@ -38,9 +38,6 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg) { p = source->base; size = source->length; - if (alg == DST_ALG_RSAMD5) - return ((p[size - 3] << 8) + p[size - 2]); - for (ac = 0; size > 1; size -= 2, p += 2) ac += ((*p) << 8) + *(p + 1); @@ -52,7 +49,7 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg) { } uint16_t -dst_region_computerid(const isc_region_t *source, unsigned int alg) { +dst_region_computerid(const isc_region_t *source) { uint32_t ac; const unsigned char *p; int size; @@ -63,9 +60,6 @@ dst_region_computerid(const isc_region_t *source, unsigned int alg) { p = source->base; size = source->length; - if (alg == DST_ALG_RSAMD5) - return ((p[size - 3] << 8) + p[size - 2]); - ac = ((*p) << 8) + *(p + 1); ac |= DNS_KEYFLAG_REVOKE; for (size -= 2, p +=2; size > 1; size -= 2, p += 2) diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 4ae80c37d4..8425b86dfd 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -191,8 +191,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { const EVP_MD *type = NULL; UNUSED(key); - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); @@ -201,7 +200,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { * Reject incorrect RSA key lengths. */ switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ @@ -230,9 +228,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { return (ISC_R_NOMEMORY); switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - type = EVP_md5(); /* MD5 + RSA */ - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: type = EVP_sha1(); /* SHA1 + RSA */ @@ -263,8 +258,7 @@ static void opensslrsa_destroyctx(dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); @@ -279,8 +273,7 @@ static isc_result_t opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); @@ -301,8 +294,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); @@ -333,8 +325,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { RSA *rsa; int bits; - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); @@ -462,7 +453,6 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { * Reject incorrect RSA key lengths. */ switch (key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 133c4a0594..25b3897448 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -81,8 +81,7 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { isc_result_t ret; unsigned int i; - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); @@ -91,7 +90,6 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { * Reject incorrect RSA key lengths. */ switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ @@ -233,9 +231,6 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { token_key: switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5_RSA_PKCS; - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA1_RSA_PKCS; @@ -310,8 +305,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, isc_result_t ret; unsigned int i; - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); @@ -320,7 +314,6 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, * Reject incorrect RSA key lengths. */ switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ @@ -394,9 +387,6 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, ISC_R_FAILURE); switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5_RSA_PKCS; - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA1_RSA_PKCS; @@ -577,8 +567,7 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { pk11_context_t *pk11_ctx; isc_result_t ret; - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); @@ -588,7 +577,6 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { * Reject incorrect RSA key lengths. */ switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ @@ -613,9 +601,6 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { } switch (key->key_alg) { - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5; - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA_1; @@ -726,8 +711,7 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { isc_result_t ret = ISC_R_SUCCESS; unsigned int i; - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); @@ -737,7 +721,6 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { * Reject incorrect RSA key lengths. */ switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ @@ -762,11 +745,6 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { } switch (key->key_alg) { - case DST_ALG_RSAMD5: - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: der = sha1_der; @@ -970,19 +948,13 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { isc_result_t ret = ISC_R_SUCCESS; unsigned int i; - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); REQUIRE(rsa != NULL); switch (key->key_alg) { - case DST_ALG_RSAMD5: - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; - break; case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: der = sha1_der; @@ -1172,7 +1144,6 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { * Reject incorrect RSA key lengths. */ switch (key->key_alg) { - case DST_ALG_RSAMD5: case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index 546c82904c..c06b26500f 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -106,7 +106,6 @@ #define SECALGNAMES \ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \ - { DNS_KEYALG_RSAMD5, "RSA", 0 }, \ { DNS_KEYALG_DH, "DH", 0 }, \ { DNS_KEYALG_DSA, "DSA", 0 }, \ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \ diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c index 6dd2eab0f2..34c0cea017 100644 --- a/lib/dns/rdata/generic/key_25.c +++ b/lib/dns/rdata/generic/key_25.c @@ -58,10 +58,6 @@ generic_fromtext_key(ARGS_FROMTEXT) { if (result != ISC_R_SUCCESS) return (result); - /* Ensure there's at least enough data to compute a key ID for MD5 */ - if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7) - return (ISC_R_UNEXPECTEDEND); - return (ISC_R_SUCCESS); } @@ -135,7 +131,7 @@ generic_totext_key(ARGS_TOTEXT) { } else { dns_rdata_toregion(rdata, &tmpr); snprintf(buf, sizeof(buf), "[key id = %u]", - dst_region_computeid(&tmpr, algorithm)); + dst_region_computeid(&tmpr)); RETERR(str_totext(buf, target)); } @@ -159,7 +155,7 @@ generic_totext_key(ARGS_TOTEXT) { RETERR(str_totext(" ; key id = ", target)); dns_rdata_toregion(rdata, &tmpr); snprintf(buf, sizeof(buf), "%u", - dst_region_computeid(&tmpr, algorithm)); + dst_region_computeid(&tmpr)); RETERR(str_totext(buf, target)); } return (ISC_R_SUCCESS); @@ -191,14 +187,6 @@ generic_fromwire_key(ARGS_FROMWIRE) { RETERR(dns_name_fromwire(&name, source, dctx, options, target)); } - /* - * RSAMD5 computes key ID differently from other - * algorithms: we need to ensure there's enough data - * present for the computation - */ - if (algorithm == DST_ALG_RSAMD5 && sr.length < 3) - return (ISC_R_UNEXPECTEDEND); - isc_buffer_activeregion(source, &sr); isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c index 30ba9676e7..8cb3012579 100644 --- a/lib/dns/rdata/generic/keydata_65533.c +++ b/lib/dns/rdata/generic/keydata_65533.c @@ -80,10 +80,6 @@ fromtext_keydata(ARGS_FROMTEXT) { if (result != ISC_R_SUCCESS) return (result); - /* Ensure there's at least enough data to compute a key ID for MD5 */ - if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19) - return (ISC_R_UNEXPECTEDEND); - return (ISC_R_SUCCESS); } @@ -190,7 +186,7 @@ totext_keydata(ARGS_TOTEXT) { /* Skip over refresh, addhd, and removehd */ isc_region_consume(&tmpr, 12); snprintf(buf, sizeof(buf), "%u", - dst_region_computeid(&tmpr, algorithm)); + dst_region_computeid(&tmpr)); RETERR(str_totext(buf, target)); if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) { diff --git a/lib/dns/tests/.gitignore b/lib/dns/tests/.gitignore new file mode 100644 index 0000000000..959b43e402 --- /dev/null +++ b/lib/dns/tests/.gitignore @@ -0,0 +1 @@ +/zone.data diff --git a/lib/dns/tests/dst_test.c b/lib/dns/tests/dst_test.c index 1bbf1ecbfa..819c8898d7 100644 --- a/lib/dns/tests/dst_test.c +++ b/lib/dns/tests/dst_test.c @@ -261,7 +261,6 @@ sig_test(void **state) { dns_secalg_t alg; bool expect; } testcases[] = { - /* XXXOND: Why isn't this failing? */ { "testdata/dst/test1.data", "testdata/dst/test1.ecdsa256sig", diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c index f1adb0eee2..32b916d3e3 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c @@ -95,41 +95,6 @@ static unsigned char sigsha1[256] = { 0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81 }; -static unsigned char sigmd5[256] = { - 0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7, - 0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93, - 0x19, 0xf7, 0x22, 0xa9, 0x55, 0xbe, 0x70, 0x3c, - 0x87, 0x24, 0x8a, 0x7e, 0xa7, 0x59, 0x58, 0xd3, - 0x0e, 0x7c, 0x50, 0x3c, 0x81, 0x0f, 0x7a, 0x2b, - 0xb1, 0x94, 0x21, 0x87, 0xe4, 0x87, 0xcd, 0x2b, - 0xb9, 0xf1, 0xb8, 0x26, 0xc1, 0x02, 0xf4, 0x30, - 0x83, 0x41, 0x89, 0x61, 0xcc, 0x3d, 0xe3, 0x0f, - 0xec, 0x4a, 0x74, 0x95, 0x10, 0x65, 0xac, 0xd1, - 0xf5, 0x95, 0xe9, 0x99, 0xa8, 0x45, 0x98, 0x99, - 0xb5, 0xfd, 0x7a, 0x78, 0x80, 0xe5, 0x00, 0x33, - 0xa5, 0x54, 0xe5, 0xa3, 0xc0, 0x1b, 0x6c, 0xb9, - 0x77, 0x52, 0x6f, 0xe5, 0x85, 0xa8, 0xfa, 0x45, - 0x78, 0x49, 0x14, 0xa0, 0x10, 0x58, 0x40, 0x80, - 0x90, 0xc6, 0x55, 0x52, 0x6d, 0x46, 0x58, 0x50, - 0x3d, 0x5e, 0x40, 0x25, 0x51, 0x7c, 0xc4, 0x12, - 0x87, 0x2d, 0x7b, 0x10, 0xcd, 0x80, 0xec, 0x5d, - 0x27, 0x15, 0x09, 0x37, 0x1f, 0xa7, 0x86, 0x15, - 0xd1, 0xdd, 0xf1, 0x86, 0x1e, 0x42, 0x3a, 0xf9, - 0x5a, 0xed, 0x33, 0x07, 0xa9, 0x98, 0x08, 0x79, - 0xc5, 0xa4, 0x09, 0x95, 0x6e, 0x12, 0xfe, 0xee, - 0x49, 0x61, 0xe0, 0x99, 0xaa, 0x34, 0xa5, 0xca, - 0x82, 0xd3, 0x9b, 0x1c, 0x5b, 0x79, 0xf5, 0x0e, - 0x2c, 0x6c, 0x3b, 0x48, 0xd1, 0xbc, 0xd0, 0xda, - 0x73, 0xba, 0xe1, 0x81, 0x48, 0x27, 0x39, 0x2f, - 0x98, 0x77, 0x08, 0xb3, 0xf7, 0x38, 0x28, 0x6d, - 0x02, 0x56, 0xfa, 0x31, 0xbb, 0x14, 0x81, 0x6b, - 0x3c, 0x24, 0xa2, 0x68, 0x7a, 0x0a, 0x53, 0xbd, - 0x9d, 0x57, 0xd0, 0x99, 0x10, 0x28, 0x78, 0x69, - 0x31, 0x93, 0xa4, 0x73, 0x8d, 0x1a, 0xe4, 0xdc, - 0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95, - 0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4 -}; - static unsigned char sigsha256[256] = { 0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d, 0x53, 0x24, 0x5b, 0x5a, 0x8e, 0xd0, 0xbe, 0x5e, @@ -241,26 +206,6 @@ isc_rsa_verify_test(void **state) { dst_context_destroy(&ctx); - /* RSAMD5 */ - - key->key_alg = DST_ALG_RSAMD5; - - ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, - false, 0, &ctx); - assert_int_equal(ret, ISC_R_SUCCESS); - - r.base = d; - r.length = 10; - ret = dst_context_adddata(ctx, &r); - assert_int_equal(ret, ISC_R_SUCCESS); - - r.base = sigmd5; - r.length = 256; - ret = dst_context_verify(ctx, &r); - assert_int_equal(ret, ISC_R_SUCCESS); - - dst_context_destroy(&ctx); - /* RSASHA256 */ key->key_alg = DST_ALG_RSASHA256; @@ -325,4 +270,4 @@ main(void) { return (0); } -#endif +#endif /* HAVE_CMOCKA */ diff --git a/lib/dns/validator.c b/lib/dns/validator.c index fe046a3c2b..32f5fd6fc5 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1409,11 +1409,11 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { } static dns_keytag_t -compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) { +compute_keytag(dns_rdata_t *rdata) { isc_region_t r; dns_rdata_toregion(rdata, &r); - return (dst_region_computeid(&r, key->algorithm)); + return (dst_region_computeid(&r)); } /*% @@ -1452,7 +1452,7 @@ isselfsigned(dns_validator_t *val) { dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - keytag = compute_keytag(&rdata, &key); + keytag = compute_keytag(&rdata); for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(sigrdataset)) @@ -1776,7 +1776,7 @@ keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata, dns_rdataset_current(rdataset, keyrdata); result = dns_rdata_tostruct(keyrdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - keytag = compute_keytag(keyrdata, &key); + keytag = compute_keytag(keyrdata); if (keyid != keytag || algorithm != key.algorithm) continue; dns_rdata_reset(&newdsrdata); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9b1ed96b56..7de2e58e64 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3189,7 +3189,7 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; isc_result_t result; - bool logit, foundrsa = false, foundmd5 = false; + bool logit, foundrsa = false; const char *algorithm; result = dns_db_findnode(db, &zone->origin, false, &node); @@ -3211,27 +3211,37 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { result = dns_rdata_tostruct(&rdata, &dnskey, NULL); INSIST(result == ISC_R_SUCCESS); - if ((dnskey.algorithm == DST_ALG_RSASHA1 || - dnskey.algorithm == DST_ALG_RSAMD5) && - dnskey.datalen > 1 && dnskey.data[0] == 1 && - dnskey.data[1] == 3) + /* RFC 3110, section 4: Performance Considerations: + * + * A public exponent of 3 minimizes the effort needed to verify + * a signature. Use of 3 as the public exponent is weak for + * confidentiality uses since, if the same data can be collected + * encrypted under three different keys with an exponent of 3 + * then, using the Chinese Remainder Theorem [NETSEC], the + * original plain text can be easily recovered. If a key is + * known to be used only for authentication, as is the case with + * DNSSEC, then an exponent of 3 is acceptable. However other + * applications in the future may wish to leverage DNS + * distributed keys for applications that do require + * confidentiality. For keys which might have such other uses, + * a more conservative choice would be 65537 (F4, the fourth + * fermat number). + */ + if (dnskey.algorithm == DST_ALG_RSASHA1 && + dnskey.datalen > 1 && dnskey.data[0] == 1 && + dnskey.data[1] == 3) { if (dnskey.algorithm == DST_ALG_RSASHA1) { logit = !foundrsa; foundrsa = true; algorithm = "RSASHA1"; - } else { - logit = !foundmd5; - foundmd5 = true; - algorithm = "RSAMD5"; } - if (logit) + if (logit) { dns_zone_log(zone, ISC_LOG_WARNING, "weak %s (%u) key found " "(exponent=3)", algorithm, dnskey.algorithm); - if (foundrsa && foundmd5) - break; + } } dns_rdata_reset(&rdata); } @@ -17763,7 +17773,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, dns_rdata_toregion(&tuple->rdata, &r); - keyid = dst_region_computeid(&r, dnskey.algorithm); + keyid = dst_region_computeid(&r); buf[0] = dnskey.algorithm; buf[1] = (keyid & 0xff00) >> 8; @@ -17910,7 +17920,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, continue; alg = tuple->rdata.data[3]; - if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) { + if (alg == DST_ALG_RSASHA1) { nseconly = true; break; } diff --git a/lib/ns/update.c b/lib/ns/update.c index bfe2290246..a387dfd11d 100644 --- a/lib/ns/update.c +++ b/lib/ns/update.c @@ -1960,7 +1960,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, if (tuple->rdata.type == dns_rdatatype_dnskey) { uint8_t alg; alg = tuple->rdata.data[3]; - if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) { + if (alg == DST_ALG_RSASHA1) { nseconly = true; break; } @@ -2443,7 +2443,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, dns_rdata_toregion(&tuple->rdata, &r); - keyid = dst_region_computeid(&r, dnskey.algorithm); + keyid = dst_region_computeid(&r); buf[0] = dnskey.algorithm; buf[1] = (keyid & 0xff00) >> 8; @@ -3283,7 +3283,7 @@ update_action(isc_task_t *task, isc_event_t *event) { dns_rdata_toregion(&tuple->rdata, &r); algorithm = dnskey.algorithm; - keyid = dst_region_computeid(&r, algorithm); + keyid = dst_region_computeid(&r); result = dns_zone_signwithkey(zone, algorithm, keyid, (tuple->op == DNS_DIFFOP_DEL));