Commit 27593e65 authored by Ondřej Surý's avatar Ondřej Surý

Remove support for obsoleted ECC-GOST (GOST R 34.11-94) algorithm

parent 57f0949e
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -a ECCGOST -n zone $zone`
key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone`
$DSFROMKEY -a gost $key2.key > dsset-gost
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a trusted key.
cat $key1.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > trusted.conf
cp trusted.conf ../ns2/trusted.conf
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh gost
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
cd ns1 && $SHELL sign.sh
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
echo "I:checking that positive validation works ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -114,7 +114,7 @@ rm -f ns3/test-?.bk
rm -f ns3/test-?.bk.signed
rm -f ns3/test-?.bk.signed.jnl
rm -f import.key Kimport*
rm -f checkgost checkdsa checkecdsa
rm -f checkdsa checkecdsa
rm -f ns3/a-file
rm -f ns*/named.lock
rm -f dig.out.*
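Review bot: The new `rm -f checkdsa checkecdsa` line no longer removes `checkgost`, so a marker file written by a test run made before this commit survives `clean.sh` in a dirty tree. Nothing in this commit's tests.sh hunk reads it any more (the `checkgost` test is deleted there too), so the stale file is harmless, but a leftover capability marker is exactly what later confuses someone debugging why a test was or was not skipped. I would keep `rm -f checkgost checkdsa checkecdsa` for a release cycle, or add a one-line comment such as `# checkgost is no longer produced; remove this entry once old trees have been cleaned`.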
......
......@@ -125,20 +125,13 @@ zone=externalkey
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
for alg in ECCGOST ECDSAP256SHA256 NSEC3RSASHA1 DSA
for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
do
case $alg in
DSA)
$SHELL ../checkdsa.sh 2> /dev/null || continue
checkfile=../checkdsa
touch $checkfile ;;
ECCGOST)
fail=0
$KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
rm -f Ktest*
[ $fail != 0 ] && continue
checkfile=../checkgost
touch $checkfile ;;
ECDSAP256SHA256)
fail=0
$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
......
......@@ -897,16 +897,14 @@ n=`expr $n + 1`
echo_i "testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
for alg in 3 7 12 13
for alg in 3 7 13
do
[ $alg = 3 -a ! -f checkdsa ] && continue;
[ $alg = 12 -a ! -f checkgost ] && continue;
[ $alg = 13 -a ! -f checkecdsa ] && continue;
case $alg in
3) echo_i "checking DSA";;
7) echo_i "checking NSEC3RSASHA1";;
12) echo_i "checking GOST";;
13) echo_i "checking ECDSAP256SHA256";;
*) echo_i "checking $alg";;
esac
......
......@@ -30,11 +30,6 @@ while test "$#" -gt 0; do
alg="-a RSASHA1"
msg1="RSA cryptography"
;;
gost|GOST)
alg="-a eccgost"
msg1="GOST cryptography"
msg2="--with-gost"
;;
ecdsa|ECDSA)
alg="-a ecdsap256sha256"
msg1="ECDSA cryptography"
......
......@@ -395,9 +395,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
/* Define if native PKCS#11 is used as cryptographic library provider */
#undef HAVE_PKCS11
......@@ -410,9 +407,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
/* Define if your PKCS11 provider supports GOST. */
#undef HAVE_PKCS11_GOST
/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
......@@ -604,9 +598,6 @@ int sigwait(const unsigned int *set, int *sig);
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
/* Define if GOST private keys are encoded in ASN.1. */
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
#undef SIZEOF_VOID_P
......
......@@ -327,9 +327,6 @@ typedef __int64 off_t;
/* Define if OpenSSL includes Ed448 support */
@HAVE_OPENSSL_ED448@
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
......@@ -354,12 +351,6 @@ typedef __int64 off_t;
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
/* Define if your PKCS11 provider supports GOST. */
@HAVE_PKCS11_GOST@
/* Define if GOST private keys are encoded in ASN.1. */
@PREFER_GOSTASN1@
/* Define if OpenSSL is used as cryptographic library provider. */
@HAVE_OPENSSL@
......
......@@ -800,7 +800,6 @@ NZDSRCS
NZD_TOOLS
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
PKCS11_ECDSA
PKCS11LINKSRCS
PKCS11LINKOBJS
......@@ -820,13 +819,10 @@ ISC_OPENSSL_LIBS
ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_PLATFORM_WANTAES
OPENSSL_GOST
OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
OPENSSLGOSTLINKSRCS
OPENSSLGOSTLINKOBJS
OPENSSLEDDSALINKSRCS
OPENSSLEDDSALINKOBJS
OPENSSLECDSALINKSRCS
......@@ -1001,7 +997,6 @@ enable_native_pkcs11
with_openssl
with_pkcs11
with_ecdsa
with_gost
with_eddsa
with_aes
with_cc_alg
......@@ -1747,7 +1742,6 @@ Optional Packages:
--with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for
the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST [yes|no|raw|asn1].
--with-eddsa Crypto EDDSA [yes|all|no].
--with-aes Crypto AES
--with-cc-alg=ALG choose the algorithm for Client Cookie
......@@ -16150,7 +16144,7 @@ fi
 
 
#
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
# were --with-ecdsa, --with-eddsa, --with-aes specified
#
 
# Check whether --with-ecdsa was given.
......@@ -16161,14 +16155,6 @@ else
fi
 
 
# Check whether --with-gost was given.
if test "${with_gost+set}" = set; then :
withval=$with_gost; with_gost="$withval"
else
with_gost="auto"
fi
# Check whether --with-eddsa was given.
if test "${with_eddsa+set}" = set; then :
withval=$with_eddsa; with_eddsa="$withval"
......@@ -16245,26 +16231,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
with_gost="yes"
;;
asn1)
$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
gosttype="asn1"
with_gost="yes"
;;
auto|yes|no)
;;
*)
as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5
;;
esac
 
case "$use_openssl" in
native_pkcs11)
......@@ -16277,8 +16244,6 @@ $as_echo "disabled because of native PKCS11" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
 
......@@ -16295,8 +16260,6 @@ $as_echo "no" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
......@@ -16308,8 +16271,6 @@ $as_echo "no" >&6; }
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
......@@ -16663,89 +16624,6 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
;;
esac
 
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
$as_echo_n "checking for OpenSSL GOST support... " >&6; }
have_gost=""
case "$use_pkcs11" in
auto|no)
;;
*)
if $use_threads; then
CC="$CC -pthread"
fi
;;
esac
if test "$cross_compiling" = yes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
$as_echo "using --with-gost" >&6; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/conf.h>
#include <openssl/engine.h>
int main() {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
ENGINE *e;
EC_KEY *ek;
ek = NULL;
OPENSSL_config(NULL);
e = ENGINE_by_id("gost");
if (e == NULL)
return (1);
if (ENGINE_init(e) <= 0)
return (1);
return (0);
#else
return (1);
#endif
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
have_gost="yes"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
have_gost="no"
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
case "$with_gost" in
yes)
case "$have_gost" in
no) as_fn_error $? "gost not supported" "$LINENO" 5 ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;;
esac
;;
esac
case $have_gost in
yes)
OPENSSL_GOST="yes"
OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
;;
*)
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
have_ed25519=""
......@@ -16954,9 +16832,6 @@ esac
 
 
 
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
then
......@@ -17211,7 +17086,6 @@ esac
 
 
PKCS11_ECDSA=""
PKCS11_GOST=""
PKCS11_ED25519=""
set_pk11_flavor="no"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
......@@ -17240,22 +17114,6 @@ $as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
 
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5
$as_echo_n "checking for PKCS11 GOST... " >&6; }
case "$with_gost" in
yes)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
$as_echo "enabled" >&6; }
PKCS11_GOST="yes"
$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
$as_echo "disabled" >&6; }
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
case "$with_eddsa" in
......@@ -17346,7 +17204,6 @@ esac
 
 
 
if test "X$CRYPTO" = "X"; then
# cat << \EOF
as_fn_error $? "No cryptography library has been found or provided.
......@@ -26455,9 +26312,6 @@ report() {
fi
echo " Provider library: $PKCS11_PROVIDER"
fi
if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
echo " GOST algorithm support (encoding: $gosttype) (--with-gost)"
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
......@@ -26526,8 +26380,6 @@ report() {
fi
test "yes" = "$want_native_pkcs11" ||
echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
......
......@@ -1419,13 +1419,10 @@ AC_ARG_WITH(pkcs11,
use_pkcs11="$withval", use_pkcs11="auto")
#
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
# were --with-ecdsa, --with-eddsa, --with-aes specified
#
AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
with_ecdsa="$withval", with_ecdsa="auto")
AC_ARG_WITH(gost,
AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]),
with_gost="$withval", with_gost="auto")
AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
with_eddsa="$withval", with_eddsa="auto")
AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
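Review bot: With the `AC_ARG_WITH(gost, ...)` macro deleted, `--with-gost=yes` becomes an unrecognized option, and as far as I recall autoconf only prints a trailing `configure: WARNING: unrecognized options: --with-gost` and proceeds, so a build script that previously demanded GOST now silently produces a named without algorithm-12 support, presumably treating zones signed only with ECC-GOST as insecure rather than reporting a build failure. Since that is a security-relevant capability change, I would fail hard with a tombstone option: `AC_ARG_WITH(gost, AS_HELP_STRING([--with-gost], [obsolete; ECC-GOST support has been removed]), AC_MSG_ERROR([--with-gost is no longer supported: ECC-GOST (DNSSEC algorithm 12) has been removed]))`. A short comment above it noting that the option is kept only to reject old build scripts would tell the next person retiring an algorithm to do the same.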
......@@ -1486,25 +1483,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
with_gost="yes"
;;
asn1)
AC_DEFINE(PREFER_GOSTASN1, 1,
[Define if GOST private keys are encoded in ASN.1.])
gosttype="asn1"
with_gost="yes"
;;
auto|yes|no)
;;
*)
AC_MSG_ERROR(unknown GOST private key encoding)
;;
esac
case "$use_openssl" in
native_pkcs11)
......@@ -1516,8 +1495,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider])
......@@ -1531,8 +1508,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
......@@ -1544,8 +1519,6 @@ case "$use_openssl" in
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRCS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
......@@ -1772,72 +1745,6 @@ int main() {
;;
esac
AC_MSG_CHECKING(for OpenSSL GOST support)
have_gost=""
case "$use_pkcs11" in
auto|no)
;;
*)
if $use_threads; then
CC="$CC -pthread"
fi
;;
esac
AC_TRY_RUN([
#include <openssl/conf.h>
#include <openssl/engine.h>
int main() {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
ENGINE *e;
EC_KEY *ek;
ek = NULL;
OPENSSL_config(NULL);
e = ENGINE_by_id("gost");
if (e == NULL)
return (1);
if (ENGINE_init(e) <= 0)
return (1);
return (0);
#else
return (1);
#endif
}
],
[AC_MSG_RESULT(yes)
have_gost="yes"],
[AC_MSG_RESULT(no)
have_gost="no"],
[AC_MSG_RESULT(using --with-gost)])
case "$with_gost" in
yes)
case "$have_gost" in
no) AC_MSG_ERROR([gost not supported]) ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-gost=[[yes, no, raw or asn1]]]) ;;
esac
;;
esac