Commit 27593e65 authored by Ondřej Surý's avatar Ondřej Surý

Remove support for the obsolete ECC-GOST (GOST R 34.11-94) algorithm

parent 57f0949e
...@@ -1115,7 +1115,7 @@ usage(void) { ...@@ -1115,7 +1115,7 @@ usage(void) {
program); program);
fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n" fprintf(stderr, "Options:\n"
" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n" " -a <algorithm> digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
" -c <class> of domain (default IN)\n" " -c <class> of domain (default IN)\n"
" -D prefer CDNSKEY records instead of CDS\n" " -D prefer CDNSKEY records instead of CDS\n"
" -d <file|dir> where to find parent dsset- file\n" " -d <file|dir> where to find parent dsset- file\n"
......
...@@ -144,7 +144,7 @@ ...@@ -144,7 +144,7 @@
</para> </para>
<para> <para>
The <replaceable>algorithm</replaceable> must be one of SHA-1 The <replaceable>algorithm</replaceable> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified, values are case insensitive. If no algorithm is specified,
the default is SHA-256. the default is SHA-256.
</para> </para>
......
...@@ -117,7 +117,7 @@ ...@@ -117,7 +117,7 @@
<para> <para>
Select the digest algorithm. The value of Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1), <option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384). SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive. These values are case insensitive.
</para> </para>
</listitem> </listitem>
......
...@@ -97,7 +97,7 @@ ...@@ -97,7 +97,7 @@
<p> <p>
Select the digest algorithm. The value of Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1), <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384). SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive. These values are case insensitive.
</p> </p>
</dd> </dd>
......
...@@ -64,7 +64,7 @@ usage(void) { ...@@ -64,7 +64,7 @@ usage(void) {
fprintf(stderr, " -a algorithm: \n" fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n" " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
" NSEC3DSA | NSEC3RSASHA1 |\n" " NSEC3DSA | NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 | ECCGOST |\n" " RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n"); " ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -c class (default: IN)\n");
...@@ -427,7 +427,6 @@ main(int argc, char **argv) { ...@@ -427,7 +427,6 @@ main(int argc, char **argv) {
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256: case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512: case DST_ALG_RSASHA512:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256: case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384: case DST_ALG_ECDSA384:
case DST_ALG_ED25519: case DST_ALG_ED25519:
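Review bot: The rewritten `-a` help text still ends at `ECDSAP384SHA384`, while the switch a few lines below in main() accepts `DST_ALG_ED25519` and the docbook for this tool lists ED25519 and ED448, so the usage output under-reports what the tool takes. Since the `RSASHA256 | RSASHA512 |` line is being edited anyway, bring it in line with dnssec-keygen's usage: `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"` followed by `" ED25519 | ED448\n"`. The switch in main() continues past the hunk, so what happens to an algorithm name that no longer matches any case (such as a script still passing ECCGOST) is not visible here.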
......
...@@ -106,7 +106,7 @@ ...@@ -106,7 +106,7 @@
<para> <para>
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1, <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para> </para>
<para> <para>
......
...@@ -79,7 +79,7 @@ usage(void) { ...@@ -79,7 +79,7 @@ usage(void) {
fprintf(stderr, " -a <algorithm>:\n"); fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1" fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n"); " | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n"); fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
......
...@@ -123,7 +123,7 @@ ...@@ -123,7 +123,7 @@
<para> <para>
Selects the cryptographic algorithm. For DNSSEC keys, the value Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1, of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option> his value will automatically set the <option>-T KEY</option>
......
...@@ -360,10 +360,6 @@ strtodsdigest(const char *algname) { ...@@ -360,10 +360,6 @@ strtodsdigest(const char *algname) {
strcasecmp(algname, "SHA-256") == 0) strcasecmp(algname, "SHA-256") == 0)
{ {
return (DNS_DSDIGEST_SHA256); return (DNS_DSDIGEST_SHA256);
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
} else if (strcasecmp(algname, "GOST") == 0) {
return (DNS_DSDIGEST_GOST);
#endif
} else if (strcasecmp(algname, "SHA384") == 0 || } else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0) strcasecmp(algname, "SHA-384") == 0)
{ {
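Review bot: With the GOST branch removed, `-a GOST` now falls through to the tail of strtodsdigest(), which lies outside the hunk; presumably that path reports an unknown digest, but an operator whose scripts still pass GOST gets a clearer signal from an explicit rejection, e.g. `} else if (strcasecmp(algname, "GOST") == 0) {` / `error("GOST digest support has been removed");` using whatever error routine the rest of the function already uses. Unlike the old `#if defined(HAVE_OPENSSL_GOST)` guard, the message would then be the same on every build, which is what removal (rather than conditional support) implies.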
......
...@@ -32,7 +32,7 @@ class dnskey: ...@@ -32,7 +32,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1', _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None, 'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256', 'RSASHA512', None, None, 'ECDSAP256SHA256',
'ECDSAP384SHA384', 'ED25519', 'ED448') 'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None): def __init__(self, key, directory=None, keyttl=None):
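Review bot: `_ALGNAMES` is indexed by IANA DNSSEC algorithm number, which is why the ECCGOST entry is replaced by `None` rather than deleted, but nothing in the tuple says so and a later "tidy-up" of the Nones would silently shift every algorithm by one. A one-line comment above the tuple makes the invariant explicit: `# Indexed by IANA DNSSEC algorithm number; None marks unassigned or removed numbers (0, 9, 11, 12=ECC-GOST).` The class body continues outside the hunk.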
......
...@@ -71,7 +71,7 @@ class PolicyLex: ...@@ -71,7 +71,7 @@ class PolicyLex:
return t return t
def t_ALGNAME(self, t): def t_ALGNAME(self, t):
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper() t.value = t.value.upper()
return t return t
...@@ -139,7 +139,6 @@ class Policy: ...@@ -139,7 +139,6 @@ class Policy:
'NSEC3RSASHA1': [512, 4096], 'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096], 'RSASHA256': [1024, 4096],
'RSASHA512': [1024, 4096], 'RSASHA512': [1024, 4096],
'ECCGOST': None,
'ECDSAP256SHA256': None, 'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None, 'ECDSAP384SHA384': None,
'ED25519': None, 'ED25519': None,
...@@ -278,8 +277,7 @@ class Policy: ...@@ -278,8 +277,7 @@ class Policy:
('ZSK key size %d not divisible by 64 ' + ('ZSK key size %d not divisible by 64 ' +
'as required for DSA') % self.zsk_keysize 'as required for DSA') % self.zsk_keysize
if self.algorithm in ['ECCGOST', \ if self.algorithm in ['ECDSAP256SHA256', \
'ECDSAP256SHA256', \
'ECDSAP384SHA384', \ 'ECDSAP384SHA384', \
'ED25519', \ 'ED25519', \
'ED448']: 'ED448']:
...@@ -369,10 +367,6 @@ class dnssec_policy: ...@@ -369,10 +367,6 @@ class dnssec_policy:
self.alg_policy['RSASHA512'].algorithm = "RSASHA512" self.alg_policy['RSASHA512'].algorithm = "RSASHA512"
self.alg_policy['RSASHA512'].name = "RSASHA512" self.alg_policy['RSASHA512'].name = "RSASHA512"
self.alg_policy['ECCGOST'] = copy(p)
self.alg_policy['ECCGOST'].algorithm = "ECCGOST"
self.alg_policy['ECCGOST'].name = "ECCGOST"
self.alg_policy['ECDSAP256SHA256'] = copy(p) self.alg_policy['ECDSAP256SHA256'] = copy(p)
self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256" self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256"
self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256" self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256"
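Review bot: Removing ECCGOST from the `t_ALGNAME` regex means a policy file that still names it will presumably fail at the lexer with a generic illegal-token error rather than a message saying the algorithm was removed; the lexer's error handler is outside the hunk, so this is inferred. If policy files are operator-written, it is friendlier to keep the word recognised by the lexer and reject it in the algorithm check shown in `Policy` with an explicit message, e.g. `if self.algorithm == 'ECCGOST':` / `return False, 'ECCGOST is no longer supported'`. The `alg_policy` table in `dnssec_policy` likewise no longer has an ECCGOST entry, so any lookup by that name would now raise KeyError; worth confirming callers guard the lookup.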
......
...@@ -76,7 +76,7 @@ KRB5_CONFIG=/dev/null ...@@ -76,7 +76,7 @@ KRB5_CONFIG=/dev/null
# #
# List of tests hard-coded to use ports 5300 and 9953. For this # List of tests hard-coded to use ports 5300 and 9953. For this
# reason, these must be run sequentially. # reason, these must be run sequentially.
SEQUENTIALDIRS="ecdsa eddsa gost @PKCS11_TEST@ tkey" SEQUENTIALDIRS="ecdsa eddsa @PKCS11_TEST@ tkey"
# List of tests that use ports assigned by caller (other than 5300 # List of tests that use ports assigned by caller (other than 5300
# and 9953). Because separate blocks of ports can be used for teach # and 9953). Because separate blocks of ports can be used for teach
......
...@@ -87,7 +87,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \ ...@@ -87,7 +87,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \
database digdelv dlv dlvauto dlz dlzexternal dname \ database digdelv dlv dlvauto dlz dlzexternal dname \
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \ dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \
ednscompliance emptyzones \ ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward geoip glue gost idna inline ixfr \ fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \
keepalive @KEYMGR@ legacy limits logfileconfig masterfile \ keepalive @KEYMGR@ legacy limits logfileconfig masterfile \
masterformat metadata mkeys names notify nslookup nsupdate \ masterformat metadata mkeys names notify nslookup nsupdate \
nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \ nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \
......
...@@ -37,7 +37,6 @@ $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 ...@@ -37,7 +37,6 @@ $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
supported=`cat ../supported` supported=`cat ../supported`
case "$supported" in case "$supported" in
gost) algo=GOST ;;
*) algo=SHA-384 ;; *) algo=SHA-384 ;;
esac esac
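Review bot: The `case "$supported" in *) algo=SHA-384 ;; esac` left by the hunk has only a wildcard arm, so it is a roundabout `algo=SHA-384`; the `supported=\`cat ../supported\`` line above it is then unused unless `$supported` is read later in the script, which is outside the hunk. If nothing else reads it, collapse the three lines to `algo=SHA-384` and drop the cat, which also removes the dependency on prereq.sh writing the marker file.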
......
...@@ -26,7 +26,7 @@ options { ...@@ -26,7 +26,7 @@ options {
dnssec-validation yes; dnssec-validation yes;
dnssec-must-be-secure . yes; dnssec-must-be-secure . yes;
/* only SHA-256 is enabled */ /* only SHA-256 is enabled */
disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
}; };
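Review bot: The `disable-ds-digests` list drops GOST by name but, unlike the unassigned types 5–9, does not replace it with its number `3`, so the comment `only SHA-256 is enabled` only holds if named no longer recognises digest type 3 at all; the validator code is not in this commit's hunks, so that cannot be confirmed here. Keeping the number in the list, `disable-ds-digests . { SHA-1; 3; SHA-384; 5; 6; 7; 8; 9; };`, states the test's intent independently of which digests the build happens to support.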
......
...@@ -25,7 +25,7 @@ options { ...@@ -25,7 +25,7 @@ options {
dnssec-enable yes; dnssec-enable yes;
dnssec-validation yes; dnssec-validation yes;
/* only SHA-256 is enabled */ /* only SHA-256 is enabled */
disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; }; disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
}; };
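Review bot: As in ns1/named.conf, digest type 3 is removed by name without being disabled by number, while the unknown types 5–9 are still listed numerically; whether type 3 is still parsed by named is outside these hunks. `disable-ds-digests . { SHA-1; 3; SHA-384; 5; 6; 7; 8; 9; };` keeps the "only SHA-256 is enabled" comment true regardless of build options.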
zone "." { zone "." {
......
...@@ -12,17 +12,12 @@ ...@@ -12,17 +12,12 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
gostfail=0 ecdsafail=0 ecdsafail=0
$SHELL ../testcrypto.sh -q gost || gostfail=1
$SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1 $SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1
if [ $gostfail = 0 -a $ecdsafail = 0 ]; then if [ $ecdsafail = 1 ]; then
echo both > supported echo_i "This test requires support for ECDSA cryptography." >&2
elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
echo_i "This test requires support for ECDSA or GOST cryptography." >&2
exit 255 exit 255
elif [ $gostfail = 0 ]; then
echo gost > supported
else else
echo ecdsa > supported echo ecdsa > supported
fi fi
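Review bot: After the rewrite the `supported` marker can only ever contain `ecdsa`, so the `if/else` is a constant-output construct; the prerequisite reads more naturally as a guard, `$SHELL ../testcrypto.sh -q ecdsa || { echo_i "This test requires support for ECDSA cryptography." >&2; exit 255; }`, followed by `echo ecdsa > supported` only if tests.sh still reads that file (that consumer is in a separate file and is not settled by this hunk). If the marker is dropped, the `ecdsafail` variable goes with it.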
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f */K* */dsset-* */*.signed */trusted.conf
rm -f ns1/root.db
rm -f ns1/signer.err
rm -f dig.out*
rm -f */named.run
rm -f */named.memstats
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db.signed";
};
include "trusted.conf";
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA marka.isc.org. a.root.servers.nil. (
2010121600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1