Commit cc6cddfd authored by Evan Hunt's avatar Evan Hunt

2726. [func] Added support for SHA-2 DNSSEC algorithms,

			RSASHA256 and RSASHA512. [RT #20023]
parent 8d307467
2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
/*! \file */
......@@ -53,7 +53,8 @@ int verbose;
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1";
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
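Review bot: Only the usage string `algs` is extended in this file, yet the updated dnssec-keyfromlabel manual page in this same commit promises that an algorithm given together with `-3` "will be checked for compatibility with NSEC3". If dnssec-keyfromlabel.c carries a check like the one dnssec-keygen.c gains here (`if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && ...)`), it needs the same `DST_ALG_RSASHA256`/`DST_ALG_RSASHA512` additions, otherwise `-3` with one of the new algorithms would still be rejected. That check is not in this diff, so it may be handled elsewhere; worth confirming before merge.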
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.13 2009/10/16 15:37:01 jreed Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.14 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
......@@ -90,14 +90,16 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA),
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead.
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
......@@ -394,9 +396,7 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */
/* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
/*! \file */
......@@ -83,8 +83,9 @@ usage(void) {
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | "
"NSEC3RSASHA1 | NSEC3DSA |\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
......@@ -95,6 +96,8 @@ usage(void) {
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
......@@ -469,7 +472,8 @@ main(int argc, char **argv) {
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......@@ -505,9 +509,14 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_RSASHA512:
if (size != 0 && (size < 1024 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
......@@ -574,7 +583,8 @@ main(int argc, char **argv) {
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
......@@ -643,12 +653,16 @@ main(int argc, char **argv) {
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp;
break;
case DNS_KEYALG_DH:
param = generator;
break;
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
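Review bot: The new `case DNS_KEYALG_RSASHA512:` branch reuses the generic message `"RSA key size %d out of range"`, so a user who passes a 512..1023-bit size that every other RSA variant accepts gets no hint that this algorithm's floor is 1024; `fatal("RSASHA512 key size %d out of range (minimum 1024)", size);` would make the rejection self-explanatory. The same floor is absent from the dnssec-keygen.docbook hunk in this commit, which now states only that RSA keys must be between 512 and 2048 bits. The NSEC3 compatibility check is written with `DST_ALG_*` constants while the size and exponent checks a few lines later use the `DNS_KEYALG_*` family for the same algorithms, and it has a spacing slip in `alg!= DST_ALG_RSASHA512`; using one family consistently would make the three per-algorithm lists easier to keep in sync. main() begins and ends outside these hunks.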
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.30 2009/10/16 15:37:01 jreed Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.31 2009/10/22 02:21:30 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -110,7 +110,8 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
......@@ -118,7 +119,9 @@
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead.
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
......@@ -137,10 +140,10 @@
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</para>
<para>
......@@ -177,7 +180,8 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
default. Note that RSASHA256 and RSASHA512 algorithms
are NSEC3-capable.
</para>
</listitem>
</varlistentry>
......@@ -526,7 +530,7 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
......@@ -3,13 +3,13 @@
DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs
Intended status: Standards Track April 24, 2009
Expires: October 26, 2009
Intended status: Standards Track June 04, 2009
Expires: December 6, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC
draft-ietf-dnsext-dnssec-rsasha256-13
draft-ietf-dnsext-dnssec-rsasha256-14
Status of this Memo
......@@ -32,7 +32,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 26, 2009.
This Internet-Draft will expire on December 6, 2009.
Copyright Notice
......@@ -52,9 +52,9 @@ Abstract
Jansen Expires October 26, 2009 [Page 1]
Jansen Expires December 6, 2009 [Page 1]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
......@@ -77,7 +77,7 @@ Table of Contents
5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6
6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 6
6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource
......@@ -108,9 +108,9 @@ Table of Contents
Jansen Expires October 26, 2009 [Page 2]
Jansen Expires December 6, 2009 [Page 2]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
1. Introduction
......@@ -164,9 +164,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 3]
Jansen Expires December 6, 2009 [Page 3]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
2.2. RSA/SHA-512 DNSKEY Resource Records
......@@ -220,9 +220,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 4]
Jansen Expires December 6, 2009 [Page 4]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
3.2. RSA/SHA-512 RRSIG Resource Records
......@@ -276,14 +276,15 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 5]
Jansen Expires December 6, 2009 [Page 5]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
both NSEC and NSEC3 [RFC5155] negative answers. An authoritative
server that does not implement NSEC3 MAY still serve zones that use
RSA/SHA-2 with NSEC denial of existence.
negative answers in the form of both NSEC and NSEC3 with hash
algorithm 1, as defined in [RFC5155]. An authoritative server that
does not implement NSEC3 MAY still serve zones that use RSA/SHA-2
with NSEC denial of existence.
6. Examples
......@@ -313,84 +314,83 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123
www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000
20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU
5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB
ND/TQhjCvrb3T9ffQ== );{id = 9033}
20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
cFYK/lPtPiVYP4bwg== ;{id = 9033}
6.2. RSA/SHA-512 Key and Signature
Given a private key with the following values (in Base64):
Jansen Expires October 26, 2009 [Page 6]
Jansen Expires December 6, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
6.2. RSA/SHA-512 Key and Signature
Given a private key with the following values (in Base64):
Private-key-format: v1.2
Algorithm: 9 (RSASHA512)
Modulus: 8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH
XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf
haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH
IbdeNZnIkWSv4muchs=
Algorithm: 10 (RSASHA512)
Modulus: 0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf
Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk
8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V
jXZlNKdyit99waaE4s=
PublicExponent: AQAB
PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3
zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j
PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb
8q2AajPrTlRzv6uW8E=
Prime1: +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk
Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw==
Prime2: 98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7
j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q==
Exponent1: j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29
Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ==
Exponent2: 4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA
BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q==
Coefficient: BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx
avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q==
PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6
AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj
yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3
SEIAsrB043XzGrKIVE=
Prime1: 8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x
nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ==
Prime2: 3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK
Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw==
Exponent1: v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM
MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q==
Exponent2: m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J
PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w==
Coefficient: Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q
/Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ==
The DNSKEY record for this key would be:
example.net. 3600 IN DNSKEY (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z
cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0
hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK
FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb
);{id = 28237 (zsk), size = 1024b}
example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
);{id = 3740 (zsk), size = 1024b}
With this key, sign the following RRSet, consisting of 1 A record:
www.example.net. 3600 IN A 123.123.123.123
www.example.net. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and
the expiration date at 00:00 hours on January 1st, 2030, the
following signature should be created:
www.example.net. 3600 IN RRSIG (A 9 3 3600 20300101000000
20000101000000 28237 example.net. mCanSdkQztEUOmslG
z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK
dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq
4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu
M= );{id = 28237}
www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000
20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
=);{id = 3740}
Jansen Expires October 26, 2009 [Page 7]
Jansen Expires December 6, 2009 [Page 7]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
7. IANA Considerations
......@@ -444,9 +444,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 8]
Jansen Expires December 6, 2009 [Page 8]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
9. Acknowledgments
......@@ -500,9 +500,9 @@ Internet-Draft DNSSEC RSA/SHA-2 April 2009
Jansen Expires October 26, 2009 [Page 9]
Jansen Expires December 6, 2009 [Page 9]
Internet-Draft DNSSEC RSA/SHA-2 April 2009
Internet-Draft DNSSEC RSA/SHA-2 June 2009
Version 2.1", RFC 3447, February 2003.
......@@ -556,5 +556,5 @@ Author's Address
Jansen Expires October 26, 2009 [Page 10]
Jansen Expires December 6, 2009 [Page 10]
......@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $
* $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
*/
/*! \file */
......@@ -204,6 +204,8 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
#ifdef HAVE_OPENSSL_DSA
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
......@@ -1045,6 +1047,8 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
case DST_ALG_DSA:
......@@ -1300,6 +1304,8 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
......@@ -1545,7 +1551,8 @@ algorithm_status(unsigned int alg) {
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
alg == DST_ALG_NSEC3RSASHA1)
alg == DST_ALG_NSEC3RSASHA1 ||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);
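Review bot: algorithm_status now tests nine algorithms in a single `||` chain ahead of `return (DST_R_NOCRYPTO);`, and this commit had to extend four separate lists in this file (dst_lib_init2, dst_key_sigsize, issymmetric and algorithm_status), which is exactly how the next algorithm ends up missing from one of them; a switch with fall-through cases reads as the same shape as the other three lists and diffs cleanly. Separately, dst_lib_init2 registers `dst__opensslrsa_init` for both new algorithms with no version guard, while the opensslrsa_link.c hunk in this same commit notes that OpenSSL 0.9.7 lacks SHA-2 and substitutes NID values of 0; it is worth confirming that on such builds registration fails cleanly rather than yielding keys that sign with an unsupported digest. algorithm_status begins outside the hunk, and only the closing `#endif` of its conditional block is visible.
```c
	switch (alg) {
	case DST_ALG_RSAMD5:
	case DST_ALG_RSASHA1:
	case DST_ALG_DSA:
	case DST_ALG_DH:
	case DST_ALG_HMACMD5:
	case DST_ALG_NSEC3DSA:
	case DST_ALG_NSEC3RSASHA1:
	case DST_ALG_RSASHA256:
	case DST_ALG_RSASHA512:
		return (DST_R_NOCRYPTO);
	default:
		break;
	}
#endif
	return (DST_R_UNSUPPORTEDALG);
```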
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */
/* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
......@@ -42,6 +42,7 @@
#include <isc/types.h>
#include <isc/md5.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/stdtime.h>
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
......@@ -136,6 +137,8 @@ struct dst_context {
dst_gssapi_signverifyctx_t *gssctx;
isc_md5_t *md5ctx;
isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
isc_hmacmd5_t *hmacmd5ctx;
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;
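Review bot: struct dst_context gains `sha256ctx` and `sha512ctx` next to the existing digest contexts, but nothing in this diff shows the code that allocates or releases them, so please confirm that the context teardown path (not part of this commit) frees the new members the way it presumably does for `md5ctx` and `sha1ctx`; otherwise every signing or verification context for the new algorithms would leak. A one-line comment on the two new fields naming the algorithms they serve (`/* RSASHA256 */`, `/* RSASHA512 */`) would also help, since the field names alone do not say which DST_ALG values use them. struct dst_context starts before this hunk.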
......@@ -31,7 +31,7 @@
/*%
* Principal Author: Brian Wellington
* $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
* $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
*/
#include <config.h>
......@@ -579,6 +579,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n");
break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keyvalues.h,v 1.26 2009/06/30 02:52:32 each Exp $ */
/* $Id: keyvalues.h,v 1.27 2009/10/22 02:21:31 each Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
......@@ -68,6 +68,8 @@
#define DNS_KEYALG_ECC 4
#define DNS_KEYALG_RSASHA1 5
#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
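Review bot: `DNS_KEYALG_RSASHA512` is 10 rather than the 9 that the previous draft revision used (the bundled draft text in this commit changes its example key from `Algorithm: 9 (RSASHA512)` to `Algorithm: 10 (RSASHA512)`), and the same two values are defined a second time as `DST_ALG_RSASHA256`/`DST_ALG_RSASHA512` in the dst.h hunk; dnssec-keygen.c in this commit relies on the two families being interchangeable. A comment on each pair, e.g. `/* 8 and 10 per draft-ietf-dnsext-dnssec-rsasha256-14; must match DST_ALG_RSASHA256/512 in dst.h */`, would record both the coupling and the deliberate gap at 9 for whoever adds the next algorithm. The same note applies to the dst.h hunk.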
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */
/* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
......@@ -56,6 +56,8 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_RSASHA1 5
#define DST_ALG_NSEC3DSA 6
#define DST_ALG_NSEC3RSASHA1 7
#define DST_ALG_RSASHA256 8
#define DST_ALG_RSASHA512 10
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */
......@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
* $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $
* $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
*/
#ifdef OPENSSL
#ifndef USE_EVP
......@@ -29,6 +29,7 @@
#include <isc/entropy.h>
#include <isc/md5.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/util.h>
......@@ -105,27 +106,122 @@
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
/*
* OpenSSL 0.9.7 doesn't support SHA2.
* Provide the method functions we need.
*/
/*
* Use our namespace, not OpenSSL's.
*/
#define EVP_sha256 ISC_EVP_sha256
#define EVP_sha512 ISC_EVP_sha512
/*
* OpensSSL 0.9.8 defines these.
*/
#if 0
#define NID_sha256WithRSAEncryption 668
#define NID_sha256 672
#define NID_sha512WithRSAEncryption 670
#define NID_sha512 674
#else
#define NID_sha256WithRSAEncryption 0