Commit 239e9dc8 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Reject incorrect RSA key lengths during key generation and and sign/verify...

Reject incorrect RSA key lengths during key generation and and sign/verify context creation (#45043)
parent f23c10f9
4601. [bug] Reject incorrect RSA key lengths during key
generation and and sign/verify context
creation. [RT #45043]
4600. [bug] Adjust RPZ trigger counts only when the entry
being deleted exists. [RT #43386]
......
......@@ -261,6 +261,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
#if USE_EVP
evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL)
......@@ -958,6 +985,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
EVP_PKEY *pkey = EVP_PKEY_new();
#endif
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
goto err;
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
goto err;
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
goto err;
break;
default:
INSIST(0);
}
if (rsa == NULL || e == NULL || cb == NULL)
goto err;
#if USE_EVP
......
......@@ -92,6 +92,33 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
......@@ -301,6 +328,33 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
......@@ -549,6 +603,33 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#endif
REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
......@@ -678,6 +759,33 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
#endif
REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
......@@ -1094,6 +1202,33 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
UNUSED(callback);
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment