Commit 239e9dc8 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Reject incorrect RSA key lengths during key generation and and sign/verify...

Reject incorrect RSA key lengths during key generation and sign/verify context creation (#45043)
parent f23c10f9
4601. [bug] Reject incorrect RSA key lengths during key
generation and and sign/verify context
creation. [RT #45043]
4600. [bug] Adjust RPZ trigger counts only when the entry 4600. [bug] Adjust RPZ trigger counts only when the entry
being deleted exists. [RT #43386] being deleted exists. [RT #43386]
......
...@@ -261,6 +261,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { ...@@ -261,6 +261,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
dctx->key->key_alg == DST_ALG_RSASHA512); dctx->key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
#if USE_EVP #if USE_EVP
evp_md_ctx = EVP_MD_CTX_create(); evp_md_ctx = EVP_MD_CTX_create();
if (evp_md_ctx == NULL) if (evp_md_ctx == NULL)
...@@ -958,6 +985,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { ...@@ -958,6 +985,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
EVP_PKEY *pkey = EVP_PKEY_new(); EVP_PKEY *pkey = EVP_PKEY_new();
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
goto err;
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
goto err;
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
goto err;
break;
default:
INSIST(0);
}
if (rsa == NULL || e == NULL || cb == NULL) if (rsa == NULL || e == NULL || cb == NULL)
goto err; goto err;
#if USE_EVP #if USE_EVP
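Review bot: The same 25-line key-length switch is pasted into both hunks of this file (opensslrsa_createctx and opensslrsa_generate) and into six more in the PKCS#11 file, so a later change to one bound can silently leave signing, verification and generation enforcing different limits. A single static helper, or one shared through an internal header, would keep the RFC 3110 and RFC 5702 limits in one place, with each call site reduced to a short guard that keeps its own failure path (`return` in the createctx functions, `goto err` in generate). The helper below also makes it explicit that the RSAMD5/RSASHA1/NSEC3RSASHA1 branch enforces only a maximum, which a reader of the current code could take for an omission. Both functions start and end outside the hunks shown, so what the `err` label in opensslrsa_generate returns for a rejected size is not visible here and is worth confirming.

```c
/* Parameter types assumed to match the dst_key_t fields; adjust if they differ. */
static isc_result_t
rsa_check_key_size(unsigned int alg, unsigned int bits) {
	unsigned int min_bits = 0;

	switch (alg) {
	case DST_ALG_RSAMD5:
	case DST_ALG_RSASHA1:
	case DST_ALG_NSEC3RSASHA1:
		/* From RFC 3110: only the 4096-bit maximum is enforced. */
		break;
	case DST_ALG_RSASHA256:
		/* From RFC 5702 */
		min_bits = 512;
		break;
	case DST_ALG_RSASHA512:
		/* From RFC 5702 */
		min_bits = 1024;
		break;
	default:
		INSIST(0);
	}

	if (bits < min_bits || bits > 4096)
		return (ISC_R_FAILURE);
	return (ISC_R_SUCCESS);
}

/* ... unchanged: opensslrsa_createctx up to the algorithm REQUIRE ... */
	if (rsa_check_key_size(dctx->key->key_alg,
			       dctx->key->key_size) != ISC_R_SUCCESS)
		return (ISC_R_FAILURE);

/* ... unchanged: opensslrsa_generate up to the allocations ... */
	if (rsa_check_key_size(key->key_alg, key->key_size) != ISC_R_SUCCESS)
		goto err;
```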
......
...@@ -92,6 +92,33 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { ...@@ -92,6 +92,33 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
key->key_alg == DST_ALG_RSASHA512); key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey; rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
...@@ -301,6 +328,33 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, ...@@ -301,6 +328,33 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA512); key->key_alg == DST_ALG_RSASHA512);
#endif #endif
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
rsa = key->keydata.pkey; rsa = key->keydata.pkey;
pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
...@@ -549,6 +603,33 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { ...@@ -549,6 +603,33 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
#endif #endif
REQUIRE(rsa != NULL); REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) { switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE #ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
...@@ -678,6 +759,33 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { ...@@ -678,6 +759,33 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
#endif #endif
REQUIRE(rsa != NULL); REQUIRE(rsa != NULL);
/*
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (dctx->key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((dctx->key->key_size < 512) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((dctx->key->key_size < 1024) ||
(dctx->key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
switch (key->key_alg) { switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE #ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5: case DST_ALG_RSAMD5:
...@@ -1094,6 +1202,33 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { ...@@ -1094,6 +1202,33 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
UNUSED(callback); UNUSED(callback);
/*
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
if (key->key_size > 4096)
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA256:
/* From RFC 5702 */
if ((key->key_size < 512) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
case DST_ALG_RSASHA512:
/* From RFC 5702 */
if ((key->key_size < 1024) ||
(key->key_size > 4096))
return (ISC_R_FAILURE);
break;
default:
INSIST(0);
}
pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
sizeof(*pk11_ctx)); sizeof(*pk11_ctx));
if (pk11_ctx == NULL) if (pk11_ctx == NULL)
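Review bot: In pkcs11rsa_createctx_sign and pkcs11rsa_createctx_verify the new check reads `dctx->key->key_alg` and `dctx->key->key_size`, while the REQUIRE just above it and the `rsa = key->keydata.pkey` just below use the `key` parameter; pkcs11rsa_createctx and pkcs11rsa_sign show the same mix, with `switch (key->key_alg)` directly after the new block. If `key` and `dctx->key` can ever refer to different objects (not determinable from these hunks), the length being validated is not that of the key actually used for the operation. Reading the same object as the surrounding code, `switch (key->key_alg) {` and `if (key->key_size > 4096)`, removes the question, and pkcs11rsa_generate already does exactly that. All of these functions begin and end outside the hunks shown.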
......