upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-07 18:25:09 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove TKEY Mode 2 (Diffie-Hellman)

Browse source 
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools).  The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.

The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:

    4.2 Diffie-Hellman Exchanged Keying (Deprecated)

       The use of this mode (#2) is NOT RECOMMENDED for the following two
       reasons but the specification is still included in Appendix A in case
       an implementation is needed for compatibility with old TKEY
       implementations. See Section 4.6 on ECDH Exchanged Keying.

          The mixing function used does not meet current cryptographic
          standards because it uses MD5 [RFC6151].

          RSA keys must be excessively long to achieve levels of security
          required by current standards.

We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status.  Meanwhile the
insecure DH mode needs to be removed.
This commit is contained in:
Ondřej Surý 2023-02-28 16:05:34 +01:00 committed by Ondřej Surý
parent 584eb79400
commit bd4576b3ce
44 changed files with 63 additions and 3112 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
bin/dnssec/dnssec-keyfromlabel.c
View file

@ -387,9 +387,6 @@ main(int argc, char **argv) {
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
if (alg == DST_ALG_DH) {
options |= DST_TYPE_KEY;
}
if (use_nsec3) {
switch (alg) {
@ -597,13 +594,6 @@ main(int argc, char **argv) {
}
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
alg == DNS_KEYALG_DH)
{
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
}
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */

37
bin/dnssec/dnssec-keygen.c
View file

@ -80,7 +80,6 @@ struct keygen_ctx {
char *algname;
char *nametype;
char *type;
int generator;
int protocol;
int size;
int signatory;
@ -143,14 +142,13 @@ usage(void) {
fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
@ -165,8 +163,6 @@ usage(void) {
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
"(DH only)\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
@ -322,10 +318,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
fatal("unsupported algorithm: %s", algstr);
}
if (ctx->alg == DST_ALG_DH) {
ctx->options |= DST_TYPE_KEY;
}
if (ctx->use_nsec3) {
switch (ctx->alg) {
case DST_ALG_RSASHA1:
@ -535,11 +527,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
fatal("RSA key size %d out of range", ctx->size);
}
break;
case DNS_KEYALG_DH:
if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) {
fatal("DH key size %d out of range", ctx->size);
}
break;
case DST_ALG_ECDSA256:
ctx->size = 256;
break;
@ -554,10 +541,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
break;
}
if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) {
fatal("specified DH generator for a non-DH key");
}
if (ctx->nametype == NULL) {
if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
fatal("no nametype specified");
@ -607,12 +590,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
}
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
ctx->alg == DNS_KEYALG_DH)
{
fatal("a key with algorithm %s cannot be a zone key", algstr);
}
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
@ -621,10 +598,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
show_progress = true;
break;
case DNS_KEYALG_DH:
param = ctx->generator;
break;
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
@ -950,11 +923,9 @@ main(int argc, char **argv) {
}
break;
case 'g':
ctx.generator = strtol(isc_commandline_argument, &endp,
10);
if (*endp != '\0' || ctx.generator <= 0) {
fatal("-g requires a positive number");
}
fprintf(stderr,
"phased-out option -e "
"(was 'use specified generator (DH only)')\n");
break;
case 'K':
ctx.directory = isc_commandline_argument;

4
bin/dnssec/dnssec-keygen.rst
View file

@ -49,9 +49,7 @@ Options
This option selects the cryptographic algorithm. For DNSSEC keys, the value of
``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
TKEY, the value must be DH (Diffie-Hellman); specifying this value
automatically sets the :option:`-T KEY <-T>` option as well.
RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for

17
bin/dnssec/dnssectool.c
View file

@ -490,8 +490,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
uint16_t id, oldid;
uint32_t rid, roldid;
dns_secalg_t alg;
char filename[NAME_MAX];
isc_buffer_t fileb;
isc_stdtime_t now;
if (exact != NULL) {
@ -502,21 +500,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
/*
* For Diffie Hellman just check if there is a direct collision as
* they can't be revoked. Additionally dns_dnssec_findmatchingkeys
* only handles DNSKEY which is not used for HMAC.
*/
if (alg == DST_ALG_DH) {
isc_buffer_init(&fileb, filename, sizeof(filename));
result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir,
&fileb);
if (result != ISC_R_SUCCESS) {
return (true);
}
return (isc_file_exists(filename));
}
ISC_LIST_INIT(matchkeys);
isc_stdtime_get(&now);
result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);

1
bin/named/config.c
View file

@ -119,7 +119,6 @@ options {\n\
tcp-listen-queue 10;\n\
tcp-receive-buffer 0;\n\
tcp-send-buffer 0;\n\
# tkey-dhkey <none>\n\
# tkey-domain <none>\n\
# tkey-gssapi-credential <none>\n\
transfer-message-size 20480;\n\

8
bin/named/main.c
View file

@ -465,7 +465,7 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
static void
list_dnssec_algorithms(isc_buffer_t *b) {
for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
if (i == DST_ALG_GSSAPI ||
(i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
{
continue;
@ -540,11 +540,7 @@ format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
(*emit)(&b);
isc_buffer_init(&b, buf, sizeof(buf));
isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s",
(dst_algorithm_supported(DST_ALG_DH) &&
dst_algorithm_supported(DST_ALG_HMACMD5))
? "yes"
: "non");
isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", "no");
(*emit)(&b);
isc_buffer_init(&b, buf, sizeof(buf));

16
bin/named/tkeyconf.c
View file

@ -48,32 +48,16 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
isc_result_t result;
dns_tkeyctx_t *tctx = NULL;
const char *s;
uint32_t n;
dns_fixedname_t fname;
dns_name_t *name;
isc_buffer_t b;
const cfg_obj_t *obj;
int type;
result = dns_tkeyctx_create(mctx, &tctx);
if (result != ISC_R_SUCCESS) {
return (result);
}
obj = NULL;
result = cfg_map_get(options, "tkey-dhkey", &obj);
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
isc_buffer_constinit(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
name = dns_fixedname_initname(&fname);
RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH,
type, NULL, mctx, &tctx->dhkey));
}
obj = NULL;
result = cfg_map_get(options, "tkey-domain", &obj);
if (result == ISC_R_SUCCESS) {

21
bin/tests/system/Makefile.am
View file

@ -24,9 +24,7 @@ check_PROGRAMS = \
makejournal \
pipelined/pipequeries \
rndc/gencheck \
rpz/dnsrps \
tkey/keycreate \
tkey/keydelete
rpz/dnsrps
feature_test_CPPFLAGS = \
$(AM_CPPFLAGS) \
@ -56,22 +54,6 @@ rpz_dnsrps_LDADD = \
$(LDADD) \
$(LIBDNS_LIBS)
tkey_keycreate_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(LIBDNS_CFLAGS)
tkey_keycreate_LDADD = \
$(LDADD) \
$(LIBDNS_LIBS)
tkey_keydelete_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(LIBDNS_CFLAGS)
tkey_keydelete_LDADD = \
$(LDADD) \
$(LIBDNS_LIBS)
TESTS =
if HAVE_PERLMOD_TIME_HIRES
@ -158,7 +140,6 @@ TESTS += \
staticstub \
stub \
synthfromdnssec \
tkey \
tools \
transport-acl \
tsig \

4
bin/tests/system/dnssec/ns3/sign.sh
View file

@ -659,7 +659,7 @@ cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# A NSEC zone with occuded data at the delegation
# A NSEC zone with occluded data at the delegation
#
zone=occluded.example
infile=occluded.example.db.in
@ -667,7 +667,7 @@ zonefile=occluded.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"

26
bin/tests/system/tkey/clean.sh
View file

@ -1,26 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ./K*
rm -f ./dig.out.*
rm -f ./rndc.out.*
rm -f ns*/K*
rm -f ns*/_default.tsigkeys
rm -f ns*/managed-keys.bind*
rm -f ns*/named.conf
rm -f ns*/named.conf-e
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run

260
bin/tests/system/tkey/keycreate.c
View file

@ -1,260 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <stdlib.h>
#include <string.h>
#include <isc/base64.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/loop.h>
#include <isc/managers.h>
#include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/nonce.h>
#include <isc/random.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
#include <isc/util.h>
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/request.h>
#include <dns/result.h>
#include <dns/tkey.h>
#include <dns/tsig.h>
#include <dns/view.h>
#define CHECK(str, x) \
{ \
if ((x) != ISC_R_SUCCESS) { \
fprintf(stderr, "I:%s: %s\n", (str), \
isc_result_totext(x)); \
exit(-1); \
} \
}
#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
#define TIMEOUT 30
static char *ip_address = NULL;
static int port = 0;
static dst_key_t *ourkey = NULL;
static isc_mem_t *mctx = NULL;
static isc_loopmgr_t *loopmgr = NULL;
static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL;
static dns_tsig_keyring_t *ring = NULL;
static unsigned char noncedata[16];
static isc_buffer_t nonce;
static dns_requestmgr_t *requestmgr = NULL;
static const char *ownername_str = ".";
static void
recvquery(void *arg) {
dns_request_t *request = (dns_request_t *)arg;
dns_message_t *query = dns_request_getarg(request);
dns_message_t *response = NULL;
isc_result_t result;
char keyname[256];
isc_buffer_t keynamebuf;
int type;
result = dns_request_getresult(request);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "I:request event result: %s\n",
isc_result_totext(result));
exit(-1);
}
dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
result = dns_request_getresponse(request, response,
DNS_MESSAGEPARSE_PRESERVEORDER);
CHECK("dns_request_getresponse", result);
if (response->rcode != dns_rcode_noerror) {
result = dns_result_fromrcode(response->rcode);
fprintf(stderr, "I:response rcode: %s\n",
isc_result_totext(result));
exit(-1);
}
result = dns_tkey_processdhresponse(query, response, ourkey, &nonce,
&tsigkey, ring);
CHECK("dns_tkey_processdhresponse", result);
/*
* Yes, this is a hack.
*/
isc_buffer_init(&keynamebuf, keyname, sizeof(keyname));
result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf);
CHECK("dst_key_buildfilename", result);
printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf),
(char *)isc_buffer_base(&keynamebuf));
type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY;
result = dst_key_tofile(tsigkey->key, type, "");
CHECK("dst_key_tofile", result);
dns_message_detach(&query);
dns_message_detach(&response);
dns_request_destroy(&request);
isc_loopmgr_shutdown(loopmgr);
}
static void
sendquery(void *arg) {
struct in_addr inaddr;
isc_sockaddr_t address;
isc_region_t r;
isc_result_t result;
dns_fixedname_t keyname;
dns_fixedname_t ownername;
isc_buffer_t namestr, keybuf;
unsigned char keydata[9];
dns_message_t *query = NULL;
dns_request_t *request = NULL;
static char keystr[] = "0123456789ab";
UNUSED(arg);
result = ISC_R_FAILURE;
if (inet_pton(AF_INET, ip_address, &inaddr) != 1) {
CHECK("inet_pton", result);
}
isc_sockaddr_fromin(&address, &inaddr, port);
dns_fixedname_init(&keyname);
isc_buffer_constinit(&namestr, "tkeytest.", 9);
isc_buffer_add(&namestr, 9);
result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL,
0, NULL);
CHECK("dns_name_fromtext", result);
dns_fixedname_init(&ownername);
isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str));
isc_buffer_add(&namestr, strlen(ownername_str));
result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
NULL, 0, NULL);
CHECK("dns_name_fromtext", result);
isc_buffer_init(&keybuf, keydata, 9);
result = isc_base64_decodestring(keystr, &keybuf);
CHECK("isc_base64_decodestring", result);
isc_buffer_usedregion(&keybuf, &r);
result = dns_tsigkey_create(
dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME,
isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false,
NULL, 0, 0, mctx, ring, &initialkey);
CHECK("dns_tsigkey_create", result);
dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
result = dns_tkey_builddhquery(query, ourkey,
dns_fixedname_name(&ownername),
DNS_TSIG_HMACMD5_NAME, &nonce, 3600);
CHECK("dns_tkey_builddhquery", result);
result = dns_request_create(requestmgr, query, NULL, &address, NULL,
NULL, DNS_REQUESTOPT_TCP, initialkey,
TIMEOUT, 0, 0, isc_loop_main(loopmgr),
recvquery, query, &request);
CHECK("dns_request_create", result);
}
int
main(int argc, char *argv[]) {
char *ourkeyname = NULL;
isc_nm_t *netmgr = NULL;
isc_sockaddr_t bind_any;
dns_dispatchmgr_t *dispatchmgr = NULL;
dns_dispatch_t *dispatchv4 = NULL;
dns_view_t *view = NULL;
dns_tkeyctx_t *tctx = NULL;
isc_log_t *log = NULL;
isc_logconfig_t *logconfig = NULL;
isc_result_t result;
int type;
if (argc < 4) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
ip_address = argv[1];
port = atoi(argv[2]);
ourkeyname = argv[3];
if (argc >= 5) {
ownername_str = argv[4];
}
isc_mem_debugging = ISC_MEM_DEBUGRECORD;
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
isc_log_create(mctx, &log, &logconfig);
RUNCHECK(dst_lib_init(mctx, NULL));
RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr));
isc_sockaddr_any(&bind_any);
RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4));
RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL,
&requestmgr));
RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
dns_view_setkeyring(view, ring);
dns_tsigkeyring_detach(&ring);
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey);
CHECK("dst_key_fromnamedfile", result);
isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
isc_nonce_buf(noncedata, sizeof(noncedata));
isc_buffer_add(&nonce, sizeof(noncedata));
isc_loopmgr_setup(loopmgr, sendquery, NULL);
isc_loopmgr_run(loopmgr);
dns_requestmgr_shutdown(requestmgr);
dns_requestmgr_detach(&requestmgr);
dns_dispatch_detach(&dispatchv4);
dns_dispatchmgr_detach(&dispatchmgr);
dst_key_free(&ourkey);
dns_tsigkey_detach(&initialkey);
dns_tsigkey_detach(&tsigkey);
dns_tkeyctx_destroy(&tctx);
dns_view_detach(&view);
isc_log_destroy(&log);
dst_lib_destroy();
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
return (0);
}

202
bin/tests/system/tkey/keydelete.c
View file

@ -1,202 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <stdlib.h>
#include <string.h>
#include <isc/base64.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/loop.h>
#include <isc/managers.h>
#include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/random.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
#include <isc/util.h>
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/request.h>
#include <dns/result.h>
#include <dns/tkey.h>
#include <dns/tsig.h>
#include <dns/view.h>
#define CHECK(str, x) \
{ \
if ((x) != ISC_R_SUCCESS) { \
fprintf(stderr, "I:%s: %s\n", (str), \
isc_result_totext(x)); \
exit(-1); \
} \
}
#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
#define TIMEOUT 30
static char *ip_address = NULL;
static int port;
static isc_mem_t *mctx = NULL;
static isc_loopmgr_t *loopmgr = NULL;
static dns_tsigkey_t *tsigkey = NULL;
static dns_tsig_keyring_t *ring = NULL;
static dns_requestmgr_t *requestmgr = NULL;
static void
recvquery(void *arg) {
isc_result_t result;
dns_request_t *request = (dns_request_t *)arg;
dns_message_t *query = dns_request_getarg(request);
dns_message_t *response = NULL;
result = dns_request_getresult(request);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "I:request event result: %s\n",
isc_result_totext(result));
exit(-1);
}
dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
result = dns_request_getresponse(request, response,
DNS_MESSAGEPARSE_PRESERVEORDER);
CHECK("dns_request_getresponse", result);
if (response->rcode != dns_rcode_noerror) {
result = dns_result_fromrcode(response->rcode);
fprintf(stderr, "I:response rcode: %s\n",
isc_result_totext(result));
exit(-1);
}
result = dns_tkey_processdeleteresponse(query, response, ring);
CHECK("dns_tkey_processdhresponse", result);
dns_message_detach(&query);
dns_message_detach(&response);
dns_request_destroy(&request);
isc_loopmgr_shutdown(loopmgr);
}
static void
sendquery(void *arg) {
struct in_addr inaddr;
isc_sockaddr_t address;
isc_result_t result;
dns_message_t *query = NULL;
dns_request_t *request = NULL;
UNUSED(arg);
result = ISC_R_FAILURE;
if (inet_pton(AF_INET, ip_address, &inaddr) != 1) {
CHECK("inet_pton", result);
}
isc_sockaddr_fromin(&address, &inaddr, port);
dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
result = dns_tkey_builddeletequery(query, tsigkey);
CHECK("dns_tkey_builddeletequery", result);
result = dns_request_create(requestmgr, query, NULL, &address, NULL,
NULL, DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT,
0, 0, isc_loop_main(loopmgr), recvquery,
query, &request);
CHECK("dns_request_create", result);
}
int
main(int argc, char **argv) {
char *keyname = NULL;
isc_nm_t *netmgr = NULL;
isc_sockaddr_t bind_any;
dns_dispatchmgr_t *dispatchmgr = NULL;
dns_dispatch_t *dispatchv4 = NULL;
dns_view_t *view = NULL;
dns_tkeyctx_t *tctx = NULL;
dst_key_t *dstkey = NULL;
isc_log_t *log = NULL;
isc_logconfig_t *logconfig = NULL;
isc_result_t result;
int type;
if (argc < 4) {
fprintf(stderr, "I:no key to delete\n");
exit(-1);
}
if (strcmp(argv[1], "-r") == 0) {
fprintf(stderr, "I:The -r options has been deprecated\n");
exit(-1);
}
ip_address = argv[1];
port = atoi(argv[2]);
keyname = argv[3];
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
isc_log_create(mctx, &log, &logconfig);
RUNCHECK(dst_lib_init(mctx, NULL));
RUNCHECK(dns_dispatchmgr_create(mctx, netmgr, &dispatchmgr));
isc_sockaddr_any(&bind_any);
RUNCHECK(dns_dispatch_createudp(dispatchmgr, &bind_any, &dispatchv4));
RUNCHECK(dns_requestmgr_create(mctx, dispatchmgr, dispatchv4, NULL,
&requestmgr));
RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
dns_view_setkeyring(view, ring);
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME, dstkey, true,
NULL, 0, 0, mctx, ring, &tsigkey);
dst_key_free(&dstkey);
CHECK("dns_tsigkey_createfromkey", result);
isc_loopmgr_setup(loopmgr, sendquery, NULL);
isc_loopmgr_run(loopmgr);
dns_requestmgr_shutdown(requestmgr);
dns_requestmgr_detach(&requestmgr);
dns_dispatch_detach(&dispatchv4);
dns_dispatchmgr_detach(&dispatchmgr);
dns_tsigkeyring_detach(&ring);
dns_tsigkey_detach(&tsigkey);
dns_tkeyctx_destroy(&tctx);
dns_view_detach(&view);
isc_log_destroy(&log);
dst_lib_destroy();
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
return (0);
}

27
bin/tests/system/tkey/ns1/example.db
View file

@ -1,27 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 1D
@ IN SOA ns hostmaster (
1
3600
1800
1814400
3
)
NS ns
ns A 10.53.0.1
mx MX 10 mail
a A 10.53.0.1
A 10.53.0.2
txt TXT "this is text"

49
bin/tests/system/tkey/ns1/named.conf.in
View file

@ -1,49 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify no;
tkey-domain "server";
tkey-dhkey "server" KEYID;
allow-query-cache { any; };
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "tkeytest." {
algorithm hmac-md5;
secret "0123456789ab";
};
zone example {
type primary;
file "example.db";
allow-query { key tkeytest.; none; };
};

20
bin/tests/system/tkey/ns1/setup.sh
View file

@ -1,20 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../../conf.sh
keyname=$($KEYGEN -T KEY -a DH -b 768 -n host server)
keyid=$(keyfile_to_key_id "$keyname")
sed -i -e "s;KEYID;$keyid;" named.conf

20
bin/tests/system/tkey/setup.sh
View file

@ -1,20 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../conf.sh
copy_setports ns1/named.conf.in ns1/named.conf
cd ns1 && $SHELL setup.sh

163
bin/tests/system/tkey/tests.sh
View file

@ -1,163 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../conf.sh
dig_with_opts() {
"$DIG" @10.53.0.1 -p "$PORT" "$@"
}
status=0
n=1
echo_i "generating new DH key ($n)"
ret=0
dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
exit $status
fi
status=$((status+ret))
n=$((n+1))
for owner in . foo.example.
do
echo_i "creating new key using owner name \"$owner\" ($n)"
ret=0
keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
exit $status
fi
status=$((status+ret))
n=$((n+1))
echo_i "checking the new key ($n)"
ret=0
dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1
grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "deleting new key ($n)"
ret=0
$KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that new key has been deleted ($n)"
ret=0
dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null && ret=1
grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
done
echo_i "creating new key using owner name bar.example. ($n)"
ret=0
keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
exit $status
fi
status=$((status+ret))
n=$((n+1))
echo_i "checking the key with 'rndc tsig-list' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "using key in a request ($n)"
ret=0
dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "deleting the key with 'rndc tsig-delete' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1
dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "recreating the bar.example. key ($n)"
ret=0
keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
exit $status
fi
status=$((status+ret))
n=$((n+1))
echo_i "checking the new key with 'rndc tsig-list' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n
grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "using the new key in a request ($n)"
ret=0
dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
status=$((status+ret))
n=$((n+1))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

2
configure.ac
View file

@ -762,7 +762,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
AC_CHECK_FUNCS([TLS_server_method TLS_client_method])

10
doc/arm/reference.rst
View file

@ -1439,16 +1439,6 @@ default is used.
this variable must be defined, unless a specific keytab
is specified using :any:`tkey-gssapi-keytab`.
.. namedconf:statement:: tkey-dhkey
:tags: security
:short: Sets the Diffie-Hellman key used by the server to generate shared keys.
This is the Diffie-Hellman key used by the server to generate shared keys
with clients using the Diffie-Hellman mode of ``TKEY``. The server
must be able to load the public and private keys from files in the
working directory. In most cases, the ``key_name`` should be the
server's host name.
.. namedconf:statement:: dump-file
:tags: logging
:short: Indicates the pathname of the file where the server dumps the database after :option:`rndc dumpdb`.

1
doc/misc/options
View file

@ -283,7 +283,6 @@ options {
tcp-listen-queue <integer>;
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
tkey-dhkey <quoted_string> <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
tkey-gssapi-keytab <quoted_string>;

1
lib/dns/Makefile.am
View file

@ -202,7 +202,6 @@ libdns_la_SOURCES = \
openssl_link.c \
openssl_shim.c \
openssl_shim.h \
openssldh_link.c \
opensslecdsa_link.c \
openssleddsa_link.c \
opensslrsa_link.c \

1
lib/dns/dnssec.c
View file

@ -1486,7 +1486,6 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
case DST_ALG_DH:
if (result == DST_R_BADKEYTYPE) {
continue;
}

18
lib/dns/dst_api.c
View file

@ -201,7 +201,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
RETERR(dst__openssl_init(engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@ -1381,7 +1380,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
@ -1422,26 +1420,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_GSSAPI:
*n = 128; /*%< XXX */
break;
case DST_ALG_DH:
default:
return (DST_R_UNSUPPORTEDALG);
}
return (ISC_R_SUCCESS);
}
isc_result_t
dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
if (key->key_alg == DST_ALG_DH) {
*n = (key->key_size + 7) / 8;
return (ISC_R_SUCCESS);
}
return (DST_R_UNSUPPORTEDALG);
}
/*%
* Set the flags on a key, then recompute the key ID
*/
@ -1897,13 +1881,11 @@ issymmetric(const dst_key_t *key) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_DH:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:

4
lib/dns/dst_internal.h
View file

@ -32,7 +32,6 @@
#include <inttypes.h>
#include <stdbool.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
@ -97,7 +96,6 @@ struct dst_key {
union {
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
dst_hmac_key_t *hmac_key;
EVP_PKEY *pkey;
struct {
@ -213,8 +211,6 @@ dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
dst__openssldh_init(struct dst_func **funcp);
isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
dst__opensslecdsa_init(struct dst_func **funcp);

31
lib/dns/dst_parse.c
View file

@ -82,11 +82,6 @@ static struct parse_map map[] = { { TAG_RSA_MODULUS, "Modulus:" },
{ TAG_RSA_ENGINE, "Engine:" },
{ TAG_RSA_LABEL, "Label:" },
{ TAG_DH_PRIME, "Prime(p):" },
{ TAG_DH_GENERATOR, "Generator(g):" },
{ TAG_DH_PRIVATE, "Private_value(x):" },
{ TAG_DH_PUBLIC, "Public_value(y):" },
{ TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
{ TAG_ECDSA_ENGINE, "Engine:" },
{ TAG_ECDSA_LABEL, "Label:" },
@ -211,25 +206,6 @@ check_rsa(const dst_private_t *priv, bool external) {
return (ok ? 0 : -1);
}
static int
check_dh(const dst_private_t *priv) {
int i, j;
if (priv->nelements != DH_NTAGS) {
return (-1);
}
for (i = 0; i < DH_NTAGS; i++) {
for (j = 0; j < priv->nelements; j++) {
if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) {
break;
}
}
if (j == priv->nelements) {
return (-1);
}
}
return (0);
}
static int
check_ecdsa(const dst_private_t *priv, bool external) {
int i, j;
@ -357,7 +333,6 @@ check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
static int
check_data(const dst_private_t *priv, const unsigned int alg, bool old,
bool external) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
case DST_ALG_RSA:
case DST_ALG_RSASHA1:
@ -365,8 +340,6 @@ check_data(const dst_private_t *priv, const unsigned int alg, bool old,
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
return (check_rsa(priv, external));
case DST_ALG_DH:
return (check_dh(priv));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
@ -679,11 +652,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key));
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;

6
lib/dns/dst_parse.h
View file

@ -59,12 +59,6 @@
#define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8)
#define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9)
#define DH_NTAGS 4
#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1)
#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)

40
lib/dns/include/dns/keyvalues.h
View file

@ -52,26 +52,26 @@
#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
#define DNS_KEYALG_NSEC3DSA 6
#define DNS_KEYALG_DSS DNS_ALG_DSA
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_ECCGOST 12
#define DNS_KEYALG_ECDSA256 13
#define DNS_KEYALG_ECDSA384 14
#define DNS_KEYALG_ED25519 15
#define DNS_KEYALG_ED448 16
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
#define DNS_KEYALG_MAX 255
#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
#define DNS_KEYALG_DH_DEPRECATED 2 /*%< deprecated */
#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
#define DNS_KEYALG_NSEC3DSA 6
#define DNS_KEYALG_DSS DNS_ALG_DSA
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_ECCGOST 12
#define DNS_KEYALG_ECDSA256 13
#define DNS_KEYALG_ECDSA384 14
#define DNS_KEYALG_ED25519 15
#define DNS_KEYALG_ED448 16
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
#define DNS_KEYALG_MAX 255
/* Protocol values */
#define DNS_KEYPROTO_RESERVED 0

51
lib/dns/include/dns/tkey.h
View file

@ -35,7 +35,6 @@ ISC_LANG_BEGINDECLS
#define DNS_TKEYMODE_DELETE 5
struct dns_tkeyctx {
dst_key_t *dhkey;
dns_name_t *domain;
dns_gss_cred_id_t gsscred;
isc_mem_t *mctx;
@ -88,33 +87,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
*\li other An error occurred while processing the message
*/
isc_result_t
dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
const dns_name_t *name, const dns_name_t *algorithm,
isc_buffer_t *nonce, uint32_t lifetime);
/*%<
* Builds a query containing a TKEY that will generate a shared
* secret using a Diffie-Hellman key exchange. The shared key
* will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
* is supported), and will be named either 'name',
* 'name' + server chosen domain, or random data + server chosen domain
* if 'name' == dns_rootname. If nonce is not NULL, it supplies
* random data used in the shared secret computation. The key is
* requested to have the specified lifetime (in seconds)
*
*
* Requires:
*\li 'msg' is a valid message
*\li 'key' is a valid Diffie Hellman dst key
*\li 'name' is a valid name
*\li 'algorithm' is a valid name
*
* Returns:
*\li #ISC_R_SUCCESS msg was successfully updated to include the
* query to be sent
*\li other an error occurred while building the message
*/
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
@ -156,29 +128,6 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
*\li other an error occurred while building the message
*/
isc_result_t
dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dst_key_t *key, isc_buffer_t *nonce,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
/*%<
* Processes a response to a query containing a TKEY that was
* designed to generate a shared secret using a Diffie-Hellman key
* exchange. If the query was successful, a new shared key
* is created and added to the list of shared keys.
*
* Requires:
*\li 'qmsg' is a valid message (the query)
*\li 'rmsg' is a valid message (the response)
*\li 'key' is a valid Diffie Hellman dst key
*\li 'outkey' is either NULL or a pointer to NULL
*\li 'ring' is a valid keyring or NULL
*
* Returns:
*\li #ISC_R_SUCCESS the shared key was successfully added
*\li #ISC_R_NOTFOUND an error occurred while looking for a
* component of the query or response
*/
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *gname, dns_gss_ctx_id_t *context,

19
lib/dns/include/dst/dst.h
View file

@ -82,7 +82,7 @@ typedef enum dst_algorithm {
DST_ALG_UNKNOWN = 0,
DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
DST_ALG_RSAMD5 = 1,
DST_ALG_DH = 2,
DST_ALG_DH = 2, /* Deprecated */
DST_ALG_DSA = 3,
DST_ALG_ECC = 4,
DST_ALG_RSASHA1 = 5,
@ -804,23 +804,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n);
*\li "n" stores the size of a generated signature
*/
isc_result_t
dst_key_secretsize(const dst_key_t *key, unsigned int *n);
/*%<
* Computes the size of a shared secret generated by the given key.
*
* Requires:
*\li "key" is a valid key.
*\li "n" is not NULL
*
* Returns:
*\li #ISC_R_SUCCESS
*\li DST_R_UNSUPPORTEDALG
*
* Ensures:
*\li "n" stores the size of a generated shared secret
*/
uint16_t
dst_region_computeid(const isc_region_t *source);
uint16_t

1
lib/dns/nsec.c
View file

@ -284,7 +284,6 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
dnskey.algorithm == DST_ALG_DH ||
dnskey.algorithm == DST_ALG_DSA ||
dnskey.algorithm == DST_ALG_RSASHA1)
{

74
lib/dns/openssl_shim.c
View file

@ -164,80 +164,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
}
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
/*
* DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
* are from OpenSSL 1.1.0.
*/
void
DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
if (pub_key != NULL) {
*pub_key = dh->pub_key;
}
if (priv_key != NULL) {
*priv_key = dh->priv_key;
}
}
int
DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
if (pub_key != NULL) {
BN_free(dh->pub_key);
dh->pub_key = pub_key;
}
if (priv_key != NULL) {
BN_free(dh->priv_key);
dh->priv_key = priv_key;
}
return (1);
}
void
DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
const BIGNUM **g) {
if (p != NULL) {
*p = dh->p;
}
if (q != NULL) {
*q = dh->q;
}
if (g != NULL) {
*g = dh->g;
}
}
int
DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
/* If the fields p and g in d are NULL, the corresponding input
* parameters MUST be non-NULL. q may remain NULL.
*/
if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) {
return (0);
}
if (p != NULL) {
BN_free(dh->p);
dh->p = p;
}
if (q != NULL) {
BN_free(dh->q);
dh->q = q;
}
if (g != NULL) {
BN_free(dh->g);
dh->g = g;
}
if (q != NULL) {
dh->length = BN_num_bits(q);
}
return (1);
}
#endif /* !HAVE_DH_GET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !HAVE_ERR_GET_ERROR_ALL
static const char err_empty_string = '\0';

14
lib/dns/openssl_shim.h
View file

@ -96,20 +96,6 @@ int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_DH_GET0_KEY
void
DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
int
DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
void
DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
int
DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif /* !HAVE_DH_GET0_KEY */
#if !HAVE_ERR_GET_ERROR_ALL
unsigned long
ERR_get_error_all(const char **file, int *line, const char **func,

1325
lib/dns/openssldh_link.c
View file

File diff suppressed because it is too large Load diff

39
lib/dns/rcode.c
View file

@ -97,25 +97,26 @@
/* RFC2535 section 7, RFC3110 */
#define SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
{ DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
0, NULL, 0 \
#define SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_DH_DEPRECATED, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
{ DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { \
0, NULL, 0 \
}
/* RFC2535 section 7.1 */

3
lib/dns/resolver.c
View file

@ -11016,9 +11016,6 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver,
REQUIRE(VALID_RESOLVER(resolver));
/*
* DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
*/
if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
return (false);
}

491
lib/dns/tkey.c
View file

@ -109,18 +109,14 @@ dumpmessage(dns_message_t *msg) {
isc_result_t
dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
dns_tkeyctx_t *tctx;
REQUIRE(mctx != NULL);
REQUIRE(tctxp != NULL && *tctxp == NULL);
tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
tctx->mctx = NULL;
dns_tkeyctx_t *tctx = isc_mem_get(mctx, sizeof(*tctx));
*tctx = (dns_tkeyctx_t){
.mctx = NULL,
};
isc_mem_attach(mctx, &tctx->mctx);
tctx->dhkey = NULL;
tctx->domain = NULL;
tctx->gsscred = NULL;
tctx->gssapi_keytab = NULL;
*tctxp = tctx;
return (ISC_R_SUCCESS);
@ -137,9 +133,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
*tctxp = NULL;
mctx = tctx->mctx;
if (tctx->dhkey != NULL) {
dst_key_free(&tctx->dhkey);
}
if (tctx->domain != NULL) {
if (dns_name_dynamic(tctx->domain)) {
dns_name_free(tctx->domain, mctx);
@ -212,270 +205,6 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
}
}
static isc_result_t
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret) {
isc_md_t *md;
isc_region_t r, r2;
unsigned char digests[ISC_MAX_MD_SIZE * 2];
unsigned char *digest1, *digest2;
unsigned int digestslen, digestlen1 = 0, digestlen2 = 0;
unsigned int i;
isc_result_t result;
isc_buffer_usedregion(shared, &r);
md = isc_md_new();
if (md == NULL) {
return (ISC_R_NOSPACE);
}
/*
* MD5 ( query data | DH value ).
*/
digest1 = digests;
result = isc_md_init(md, ISC_MD_MD5);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_update(md, queryrandomness->base,
queryrandomness->length);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_update(md, r.base, r.length);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_final(md, digest1, &digestlen1);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_reset(md);
if (result != ISC_R_SUCCESS) {
goto end;
}
/*
* MD5 ( server data | DH value ).
*/
digest2 = digests + digestlen1;
result = isc_md_init(md, ISC_MD_MD5);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_update(md, serverrandomness->base,
serverrandomness->length);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_update(md, r.base, r.length);
if (result != ISC_R_SUCCESS) {
goto end;
}
result = isc_md_final(md, digest2, &digestlen2);
if (result != ISC_R_SUCCESS) {
goto end;
}
isc_md_free(md);
md = NULL;
digestslen = digestlen1 + digestlen2;
/*
* XOR ( DH value, MD5-1 | MD5-2).
*/
isc_buffer_availableregion(secret, &r);
isc_buffer_usedregion(shared, &r2);
if (r.length < digestslen || r.length < r2.length) {
return (ISC_R_NOSPACE);
}
if (r2.length > digestslen) {
memmove(r.base, r2.base, r2.length);
for (i = 0; i < digestslen; i++) {
r.base[i] ^= digests[i];
}
isc_buffer_add(secret, r2.length);
} else {
memmove(r.base, digests, digestslen);
for (i = 0; i < r2.length; i++) {
r.base[i] ^= r2.base[i];
}
isc_buffer_add(secret, digestslen);
}
result = ISC_R_SUCCESS;
end:
if (md != NULL) {
isc_md_free(md);
}
return (result);
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring,
dns_namelist_t *namelist) {
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
bool found_key = false, found_incompatible = false;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
{
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS) {
continue;
}
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset))
{
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey)) {
found_key = true;
ttl = keyset->ttl;
break;
} else {
found_incompatible = true;
}
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist);
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist);
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
isc_buffer_allocate(msg->mctx, &shared, sharedsize);
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
isc_nonce_buf(randomdata, TKEY_RANDOM_AMOUNT);
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(
name, &tkeyin->algorithm, isc_buffer_base(&secret),
isc_buffer_usedlength(&secret), true, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist)) {
free_namelist(msg, namelist);
}
if (shared != NULL) {
isc_buffer_free(&shared);
}
if (pubkey != NULL) {
dst_key_free(&pubkey);
}
if (randomdata != NULL) {
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
}
return (result);
}
static isc_result_t
process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
@ -854,11 +583,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
}
switch (tkeyin.mode) {
case DNS_TKEYMODE_DIFFIEHELLMAN:
tkeyout.error = dns_rcode_noerror;
RETERR(process_dhtkey(msg, signer, keyname, &tkeyin, tctx,
&tkeyout, ring, &namelist));
break;
case DNS_TKEYMODE_GSSAPI:
tkeyout.error = dns_rcode_noerror;
RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx, &tkeyout,
@ -988,81 +712,6 @@ buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey,
return (ISC_R_SUCCESS);
}
isc_result_t
dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
const dns_name_t *name, const dns_name_t *algorithm,
isc_buffer_t *nonce, uint32_t lifetime) {
dns_rdata_tkey_t tkey;
dns_rdata_t *rdata = NULL;
isc_buffer_t *dynbuf = NULL;
isc_region_t r;
dns_name_t keyname;
dns_namelist_t namelist;
isc_result_t result;
isc_stdtime_t now;
dns_name_t *item;
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
REQUIRE(dst_key_isprivate(key));
REQUIRE(name != NULL);
REQUIRE(algorithm != NULL);
tkey.common.rdclass = dns_rdataclass_any;
tkey.common.rdtype = dns_rdatatype_tkey;
ISC_LINK_INIT(&tkey.common, link);
tkey.mctx = msg->mctx;
dns_name_init(&tkey.algorithm, NULL);
dns_name_clone(algorithm, &tkey.algorithm);
isc_stdtime_get(&now);
tkey.inception = now;
tkey.expire = now + lifetime;
tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
if (nonce != NULL) {
isc_buffer_usedregion(nonce, &r);
} else {
r.base = NULL;
r.length = 0;
}
tkey.error = 0;
tkey.key = r.base;
tkey.keylen = r.length;
tkey.other = NULL;
tkey.otherlen = 0;
RETERR(buildquery(msg, name, &tkey, false));
dns_message_gettemprdata(msg, &rdata);
isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
RETERR(dst_key_todns(key, dynbuf));
isc_buffer_usedregion(dynbuf, &r);
dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_key, &r);
dns_message_takebuffer(msg, &dynbuf);
dns_name_init(&keyname, NULL);
dns_name_clone(dst_key_name(key), &keyname);
ISC_LIST_INIT(namelist);
add_rdata_to_list(msg, &keyname, rdata, 0, &namelist);
item = ISC_LIST_HEAD(namelist);
while (item != NULL) {
dns_name_t *next = ISC_LIST_NEXT(item, link);
ISC_LIST_UNLINK(namelist, item, link);
dns_message_addname(msg, item, DNS_SECTION_ADDITIONAL);
item = next;
}
return (ISC_R_SUCCESS);
failure:
if (dynbuf != NULL) {
isc_buffer_free(&dynbuf);
}
return (result);
}
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
@ -1165,138 +814,6 @@ find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
return (result);
}
isc_result_t
dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dst_key_t *key, isc_buffer_t *nonce,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring) {
dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
dst_key_t *theirkey = NULL;
dns_rdata_tkey_t qtkey, rtkey;
unsigned char secretdata[256];
unsigned int sharedsize;
isc_buffer_t *shared = NULL, secret;
isc_region_t r, r2;
isc_result_t result;
bool freertkey = false;
REQUIRE(qmsg != NULL);
REQUIRE(rmsg != NULL);
REQUIRE(key != NULL);
REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
REQUIRE(dst_key_isprivate(key));
if (outkey != NULL) {
REQUIRE(*outkey == NULL);
}
if (rmsg->rcode != dns_rcode_noerror) {
return (dns_result_fromrcode(rmsg->rcode));
}
RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
freertkey = true;
RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
if (rtkey.error != dns_rcode_noerror ||
rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
rtkey.mode != qtkey.mode ||
!dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
rmsg->rcode != dns_rcode_noerror)
{
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set(1)");
result = DNS_R_INVALIDTKEY;
dns_rdata_freestruct(&qtkey);
goto failure;
}
dns_rdata_freestruct(&qtkey);
dns_name_init(&keyname, NULL);
dns_name_clone(dst_key_name(key), &keyname);
ourkeyname = NULL;
ourkeyset = NULL;
RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
dns_rdatatype_key, 0, &ourkeyname,
&ourkeyset));
result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
while (result == ISC_R_SUCCESS) {
theirkeyname = NULL;
dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
&theirkeyname);
if (dns_name_equal(theirkeyname, ourkeyname)) {
goto next;
}
theirkeyset = NULL;
result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
0, &theirkeyset);
if (result == ISC_R_SUCCESS) {
RETERR(dns_rdataset_first(theirkeyset));
break;
}
next:
result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
}
if (theirkeyset == NULL) {
tkey_log("dns_tkey_processdhresponse: failed to find server "
"key");
result = ISC_R_NOTFOUND;
goto failure;
}
dns_rdataset_current(theirkeyset, &theirkeyrdata);
RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata, rmsg->mctx,
&theirkey));
RETERR(dst_key_secretsize(key, &sharedsize));
isc_buffer_allocate(rmsg->mctx, &shared, sharedsize);
RETERR(dst_key_computesecret(theirkey, key, shared));
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
r.base = rtkey.key;
r.length = rtkey.keylen;
if (nonce != NULL) {
isc_buffer_usedregion(nonce, &r2);
} else {
r2.base = NULL;
r2.length = 0;
}
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_usedregion(&secret, &r);
result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base,
r.length, true, NULL, rtkey.inception,
rtkey.expire, rmsg->mctx, ring, outkey);
isc_buffer_free(&shared);
dns_rdata_freestruct(&rtkey);
dst_key_free(&theirkey);
return (result);
failure:
if (shared != NULL) {
isc_buffer_free(&shared);
}
if (theirkey != NULL) {
dst_key_free(&theirkey);
}
if (freertkey) {
dns_rdata_freestruct(&rtkey);
}
return (result);
}
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *gname, dns_gss_ctx_id_t *context,

8
lib/dns/zone.c
View file

@ -9006,8 +9006,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
}
alg = tuple->rdata.data[3];
if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
alg == DNS_KEYALG_RSASHA1)
{
nseconly = true;
}
@ -9017,8 +9017,8 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
if (keys != NULL && !nseconly) {
for (unsigned int i = 0; i < numkeys; i++) {
alg = dst_key_alg(keys[i]);
if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DH ||
alg == DNS_KEYALG_DSA || alg == DNS_KEYALG_RSASHA1)
if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
alg == DNS_KEYALG_RSASHA1)
{
nseconly = true;
break;

4
lib/isccfg/kaspconf.c
View file

@ -246,8 +246,8 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
}
/* NSEC3 cannot be used with certain key algorithms. */
if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DSA ||
keyalg == DNS_KEYALG_RSASHA1)
{
badalg = keyalg;
}

14
lib/isccfg/namedconf.c
View file

@ -145,18 +145,6 @@ static cfg_type_t cfg_type_view;
static cfg_type_t cfg_type_viewopts;
static cfg_type_t cfg_type_zone;
/*% tkey-dhkey */
static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
{ "name", &cfg_type_qstring, 0 },
{ "keyid", &cfg_type_uint32, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey", cfg_parse_tuple,
cfg_print_tuple, cfg_doc_tuple,
&cfg_rep_tuple, tkey_dhkey_fields };
/*% listen-on */
static cfg_tuplefielddef_t listenon_tuple_fields[] = {
@ -1327,7 +1315,7 @@ static cfg_clausedef_t options_clauses[] = {
{ "tcp-listen-queue", &cfg_type_uint32, 0 },
{ "tcp-receive-buffer", &cfg_type_uint32, 0 },
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-domain", &cfg_type_qstring, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },

1
tests/dns/Makefile.am
View file

@ -21,7 +21,6 @@ check_PROGRAMS = \
dbdiff_test \
dbiterator_test \
dbversion_test \
dh_test \
dispatch_test \
dns64_test \
dst_test \

1
tests/dns/comparekeys/Kexample-private.+002+65316.key
View file

@ -1 +0,0 @@
example-private. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5

9
tests/dns/comparekeys/Kexample-private.+002+65316.private
View file

@ -1,9 +0,0 @@
Private-key-format: v1.3
Algorithm: 2 (DH)
Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
Generator(g): Ag==
Private_value(x): dLr0sfk/P1V0DfQ7Ke3IIaSM8nHjtrBRlMcQXRMVrLhbbKeCodvpSRtI0Nwtt38Df8dbGGtP676my2Ht2UHyL7rO0+ASv98NCysL0Xp6q2a7fn67iGFUBTg3jzXC89FYv4sYNeVLDGrKC3EjtGkalzgDVuzEC8CqRkWKeys3ufc=
Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
Created: 20000101000000
Publish: 20000101000000
Activate: 20000101000000

94
tests/dns/dh_test.c
View file

@ -1,94 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <sched.h> /* IWYU pragma: keep */
#include <setjmp.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define UNIT_TESTING
#include <cmocka.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/name.h>
#include "dst_internal.h"
#include <tests/dns.h>
static int
setup_test(void **state) {
isc_result_t result;
UNUSED(state);
result = dst_lib_init(mctx, NULL);
if (result != ISC_R_SUCCESS) {
return (1);
}
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
/* OpenSSL DH_compute_key() failure */
ISC_RUN_TEST_IMPL(dh_computesecret) {
dst_key_t *key = NULL;
isc_buffer_t buf;
unsigned char array[1024];
isc_result_t result;
dns_fixedname_t fname;
dns_name_t *name;
UNUSED(state);
name = dns_fixedname_initname(&fname);
isc_buffer_constinit(&buf, "dh.", 3);
isc_buffer_add(&buf, 3);
result = dns_name_fromtext(name, &buf, NULL, 0, NULL);
assert_int_equal(result, ISC_R_SUCCESS);
result = dst_key_fromfile(name, 18602, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_KEY, TESTS_DIR,
mctx, &key);
assert_int_equal(result, ISC_R_SUCCESS);
isc_buffer_init(&buf, array, sizeof(array));
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
dst_key_free(&key);
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(dh_computesecret, setup_test, teardown_test)
ISC_TEST_LIST_END
ISC_TEST_MAIN

28
tests/dns/dst_test.c
View file

@ -416,34 +416,6 @@ ISC_RUN_TEST_IMPL(cmp_test) {
/* EdDSA Public Key: different key */
{ "example.", 63663, "example2.", 37529, DST_ALG_ED25519,
DST_TYPE_PUBLIC, false },
/* DH Keypair: self */
{ "example.", 65316, "example.", 65316, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, true },
/* DH Keypair: different key */
{ "example.", 65316, "example2.", 19823, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
/* DH Keypair: different key (with generator=5) */
{ "example.", 65316, "example3.", 17187, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
/* DH Keypair: different private key */
{ "example.", 65316, "example-private.", 65316, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
/* DH Public Key: self */
{ "example.", 65316, "example.", 65316, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_KEY, true },
/* DH Public Key: different key */
{ "example.", 65316, "example2.", 19823, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
/* DH Public Key: different key (with generator=5) */
{ "example.", 65316, "example3.", 17187, DST_ALG_DH,
DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
};
unsigned int i;