Commit d6c50674 authored by Ondřej Surý's avatar Ondřej Surý

Remove the last traces of the DSA and NSEC3DSA algorithms, but restore the algorithm number -> name mapping

parent 83dbe04b
......@@ -64,8 +64,8 @@ usage(void) {
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
" NSEC3DSA | NSEC3RSASHA1 |\n"
" RSA | RSAMD5 | DH | RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
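Review bot: The rewritten algorithm list still ends at `ECDSAP384SHA384` on line 16 and says nothing about ED25519 or ED448, which the DocBook text edited later in this commit lists as accepted values for what appears to be the same tool; if the tool accepts them, the usage string should say so, e.g. `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n" " ED25519 | ED448\n"`. The mismatch predates this commit, but this is the line being rewritten anyway. usage() continues outside the hunk.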
......@@ -402,13 +402,9 @@ main(int argc, char **argv) {
if (use_nsec3) {
switch (alg) {
case DST_ALG_DSA:
alg = DST_ALG_NSEC3DSA;
break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
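Review bot: With the `DST_ALG_DSA` arm gone, `-a DSA -3` no longer maps to `DST_ALG_NSEC3DSA` but falls into the switch's default branch, and because this commit also restores the `DSA` and `NSEC3DSA` rows in the algorithm name table, `-a DSA` presumably still parses to `DST_ALG_DSA` rather than being rejected at option parsing. That default branch is outside the hunk; it should stop with an explicit `fatal()` naming the unsupported algorithm rather than let a key request for a removed algorithm continue into key generation. The same switch is changed identically in dnssec-keygen's main() at the hunk ending on line 97. main() continues outside the hunk.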
......
......@@ -106,7 +106,7 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
<para>
......@@ -119,9 +119,9 @@
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
will be used instead.
</para>
<para>
As of BIND 9.12.0, this option is mandatory except when using
......
......@@ -79,8 +79,8 @@ usage(void) {
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n");
fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
" |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
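Review bot: The split literal on lines 60-61 now consists of the algorithm list plus a second fragment holding only `" |\n"`, which is what remains after `| NSEC3DSA` was cut from it and reads as if something were missing; the two pieces should be merged into one literal, `fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1 |\n");`. usage() continues outside the hunk.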
......@@ -92,9 +92,6 @@ usage(void) {
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
"by 64\n");
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
......@@ -161,11 +158,6 @@ usage(void) {
exit (-1);
}
static bool
dsa_size_ok(int size) {
return (size >= 512 && size <= 1024 && size % 64 == 0);
}
static void
progress(int p)
{
......@@ -542,13 +534,9 @@ main(int argc, char **argv) {
if (use_nsec3) {
switch (alg) {
case DST_ALG_DSA:
alg = DST_ALG_NSEC3DSA;
break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
......@@ -728,11 +716,6 @@ main(int argc, char **argv) {
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_ECCGOST:
size = 256;
break;
......@@ -815,8 +798,6 @@ main(int argc, char **argv) {
param = generator;
break;
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
......
......@@ -123,7 +123,7 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option>
......@@ -132,9 +132,9 @@
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
will be used instead.
</para>
<para>
This parameter <emphasis>must</emphasis> be specified except
......
......@@ -78,11 +78,10 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
/* Key class: RSA, ECC, ECX, DSA, or unknown */
/* Key class: RSA, ECC, ECX, or unknown */
typedef enum {
key_unknown,
key_rsa,
key_dsa,
key_ecc,
key_ecx
} key_class_t;
......@@ -150,45 +149,6 @@ static CK_ATTRIBUTE ecc_template[] = {
{CKA_ID, NULL_PTR, 0}
};
/*
* Public key template for DSA keys
*/
#define DSA_LABEL 0
#define DSA_VERIFY 1
#define DSA_TOKEN 2
#define DSA_PRIVATE 3
#define DSA_PRIME 4
#define DSA_SUBPRIME 5
#define DSA_BASE 6
#define DSA_ID 7
#define DSA_ATTRS 8
static CK_ATTRIBUTE dsa_template[] = {
{CKA_LABEL, NULL_PTR, 0},
{CKA_VERIFY, &truevalue, sizeof(truevalue)},
{CKA_TOKEN, &truevalue, sizeof(truevalue)},
{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
{CKA_PRIME, NULL_PTR, 0},
{CKA_SUBPRIME, NULL_PTR, 0},
{CKA_BASE, NULL_PTR, 0},
{CKA_ID, NULL_PTR, 0}
};
#define DSA_PARAM_PRIME 0
#define DSA_PARAM_SUBPRIME 1
#define DSA_PARAM_BASE 2
#define DSA_PARAM_ATTRS 3
static CK_ATTRIBUTE dsa_param_template[] = {
{CKA_PRIME, NULL_PTR, 0},
{CKA_SUBPRIME, NULL_PTR, 0},
{CKA_BASE, NULL_PTR, 0},
};
#define DSA_DOMAIN_PRIMEBITS 0
#define DSA_DOMAIN_PRIVATE 1
#define DSA_DOMAIN_ATTRS 2
static CK_ATTRIBUTE dsa_domain_template[] = {
{CKA_PRIME_BITS, NULL_PTR, 0},
{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
};
/*
* Convert from text to key class. Accepts the names of DNSSEC
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
......@@ -202,9 +162,6 @@ keyclass_fromtext(const char *name) {
if (strncasecmp(name, "rsa", 3) == 0 ||
strncasecmp(name, "nsec3rsa", 8) == 0)
return (key_rsa);
else if (strncasecmp(name, "dsa", 3) == 0 ||
strncasecmp(name, "nsec3dsa", 8) == 0)
return (key_dsa);
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
......@@ -242,7 +199,7 @@ main(int argc, char *argv[]) {
pk11_context_t pctx;
int error = 0;
int c, errflg = 0;
int hide = 1, special = 0, quiet = 0;
int hide = 1, quiet = 0;
int idlen = 0, id_offset = 0;
unsigned int i;
unsigned long id = 0;
......@@ -415,30 +372,6 @@ main(int argc, char *argv[]) {
#endif
break;
case key_dsa:
op_type = OP_DSA;
if (bits == 0)
usage();
dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
dpmech.pParameter = NULL;
dpmech.ulParameterLen = 0;
mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = dsa_template;
public_attrcnt = DSA_ATTRS;
id_offset = DSA_ID;
domain_template = dsa_domain_template;
domain_attrcnt = DSA_DOMAIN_ATTRS;
param_template = dsa_param_template;
param_attrcnt = DSA_PARAM_ATTRS;
domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
break;
case key_unknown:
usage();
}
......@@ -546,7 +479,7 @@ main(int argc, char *argv[]) {
fprintf(stderr,
"C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_domain;
goto exit_search;
}
/* Allocate space for parameter attributes */
......@@ -559,39 +492,10 @@ main(int argc, char *argv[]) {
if (param_template[i].pValue == NULL) {
fprintf(stderr, "malloc failed\n");
error = 1;
goto exit_params;
goto exit_search;
}
}
rv = pkcs_C_GetAttributeValue(hSession, domainparams,
dsa_param_template, DSA_PARAM_ATTRS);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_params;
}
switch (keyclass) {
case key_dsa:
public_template[DSA_PRIME].pValue =
param_template[DSA_PARAM_PRIME].pValue;
public_template[DSA_PRIME].ulValueLen =
param_template[DSA_PARAM_PRIME].ulValueLen;
public_template[DSA_SUBPRIME].pValue =
param_template[DSA_PARAM_SUBPRIME].pValue;
public_template[DSA_SUBPRIME].ulValueLen =
param_template[DSA_PARAM_SUBPRIME].ulValueLen;
public_template[DSA_BASE].pValue =
param_template[DSA_PARAM_BASE].pValue;
public_template[DSA_BASE].ulValueLen =
param_template[DSA_PARAM_BASE].ulValueLen;
break;
default:
break;
}
generate_keys:
/* Generate Key pair for signing/verifying */
rv = pkcs_C_GenerateKeyPair(hSession, &mech,
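Review bot: The allocation loop that fills `param_template[i].pValue` (lines 251-257) is kept on the new side, but the matching free loop under the old `exit_params:` label is deleted in the next hunk, so any iteration of that loop now leaks, and the retargeted `goto exit_search` on line 255 jumps past any cleanup as well. If `param_attrcnt` is always 0 once `key_dsa` is gone, the loop and `param_template` are dead and should be removed together with the rest of the DSA code; otherwise the free loop must be restored ahead of `exit_search:`. The `generate_keys:` label on line 284 also appears to have lost the DSA-only parameter fetching it used to skip over, and will draw an unused-label warning if no `goto generate_keys` remains. main() continues outside the hunk.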
......@@ -605,27 +509,6 @@ main(int argc, char *argv[]) {
} else if (!quiet)
printf("Key pair generation complete.\n");
exit_params:
/* Free parameter attributes */
if (keyclass == key_dsa) {
for (i = 0; i < param_attrcnt; i++) {
if (param_template[i].pValue != NULL) {
free(param_template[i].pValue);
}
}
}
exit_domain:
/* Destroy domain parameters */
if (keyclass == key_dsa) {
rv = pkcs_C_DestroyObject(hSession, domainparams);
if (rv != CKR_OK) {
fprintf(stderr,
"C_DestroyObject: Error = 0x%.8lX\n", rv);
error = 1;
}
}
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
......
......@@ -254,11 +254,9 @@ main(void) {
result = dns_name_fromtext(name, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
return (1);
io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
mctx);
io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
isc_buffer_constinit(&b, "dh.", 3);
......@@ -270,7 +268,6 @@ main(void) {
generate(DST_ALG_RSAMD5, mctx);
generate(DST_ALG_DH, mctx);
generate(DST_ALG_DSA, mctx);
generate(DST_ALG_HMACMD5, mctx);
dst_lib_destroy();
......
......@@ -99,9 +99,6 @@
/* Define to 1 to enable dnstap support */
#undef HAVE_DNSTAP
/* Define to 1 if you have the `DSA_get0_pqg' function. */
#undef HAVE_DSA_GET0_PQG
/* Define to 1 if you have the `ECDSA_sign' function. */
#undef HAVE_ECDSA_SIGN
......
......@@ -111,15 +111,6 @@
/* Define if you have h_errno */
#define HAVE_H_ERRNO
/* Define if you have RSA_generate_key(). */
#define HAVE_RSA_GENERATE_KEY
/* Define if you have DSA_generate_parameters(). */
#define HAVE_DSA_GENERATE_PARAMETERS
/* Define if you have DH_generate_parameters(). */
#define HAVE_DH_GENERATE_PARAMETERS
/* Define if you have getpassphrase in the C library. */
#define HAVE_GETPASSPHRASE
......@@ -289,9 +280,6 @@ typedef __int64 off_t;
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
/* Define if your OpenSSL version supports DSA functions. */
@HAVE_DSA_GET0_PQG@
/* Define if your OpenSSL version supports ECDSA functions. */
@HAVE_ECDSA_SIG_GET0@
......
......@@ -15787,7 +15787,7 @@ done
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
......
......@@ -857,7 +857,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])
#
# Check whether FIPS mode is available and whether we should enable it
......
......@@ -63,13 +63,6 @@
#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
#define DSA_NTAGS 5
#define TAG_DSA_PRIME ((DST_ALG_DSA << TAG_SHIFT) + 0)
#define TAG_DSA_SUBPRIME ((DST_ALG_DSA << TAG_SHIFT) + 1)
#define TAG_DSA_BASE ((DST_ALG_DSA << TAG_SHIFT) + 2)
#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
......
......@@ -90,12 +90,6 @@
#define DNS_SIG_RSAMINSIZE ((DNS_SIG_RSAMINBITS+7)/8)
#define DNS_SIG_RSAMAXSIZE ((DNS_SIG_RSAMAXBITS+7)/8)
#define DNS_SIG_DSASIGSIZE 41
#define DNS_SIG_DSAMINBITS 512
#define DNS_SIG_DSAMAXBITS 1024
#define DNS_SIG_DSAMINBYTES 213
#define DNS_SIG_DSAMAXBYTES 405
#define DNS_SIG_ECDSA256SIZE 64
#define DNS_SIG_ECDSA384SIZE 96
......
......@@ -274,8 +274,7 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
dnskey.algorithm == DST_ALG_RSASHA1 ||
dnskey.algorithm == DST_ALG_DSA)
dnskey.algorithm == DST_ALG_RSASHA1)
break;
}
dns_rdataset_disassociate(&rdataset);
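Review bot: Dropping `DST_ALG_DSA` from this test changes what dns_nsec_nseconly reports for a zone that still carries an algorithm-3 DNSKEY: the commit keeps the 3 -> "DSA" name mapping, so such a record presumably still loads from zone text, yet it no longer counts as NSEC-only, and the zone could be switched to NSEC3 while that key stays in the DNSKEY RRset, which RFC 5155 §2 rules out for algorithm 3 because NSEC3-unaware validators would then treat the zone as bogus. Consider keeping the comparison on the numeric value, using the `DNS_KEYALG_DSA` constant the restored name table still relies on, with a comment that signing support was removed, at least until legacy DSA keys can no longer be loaded. The same change is made in dnskey_sane (hunk ending on line 430) and check_dnssec (hunk ending on line 450). The loop body continues outside the hunk.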
......
......@@ -108,7 +108,9 @@
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
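Review bot: The re-added `DSA` and `NSEC3DSA` rows on lines 414 and 416 carry no hint that they are the only remaining trace of these algorithms, so the next reader will assume DSA still works end to end; a comment ahead of line 414 would prevent that, e.g. `/* DSA (3) and NSEC3DSA (6): number-to-name mapping only; key generation and signing were removed */ \` (the trailing backslash keeps the macro continuation intact). With the rows present the text-to-number parser presumably still accepts the names, which is what makes the tools' default switch branches matter.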
......
......@@ -17861,8 +17861,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
continue;
alg = tuple->rdata.data[3];
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA) {
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
......
......@@ -58,7 +58,6 @@ typedef struct pk11_object pk11_object_t;
typedef enum {
OP_ANY = 0,
OP_RSA = 1,
OP_DSA = 2,
OP_DH = 3,
OP_ECDSA = 4,
OP_EDDSA = 5,
......
......@@ -1960,8 +1960,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (tuple->rdata.type == dns_rdatatype_dnskey) {
uint8_t alg;
alg = tuple->rdata.data[3];
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA) {
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
......
......@@ -203,7 +203,6 @@ my @substdefh = ("AES_CC",
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_DH_GET0_KEY",
"HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
"HAVE_RSA_SET0_KEY",
"USE_BACKTRACE",
......@@ -1483,7 +1482,7 @@ int main() {
}
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("This version has no built-in support for DH/DSA/ECDSA/RSA functions.\n\n");
printf("This version has no built-in support for DH/ECDSA/RSA functions.\n\n");
return (1);
}
EOF
......@@ -1495,7 +1494,6 @@ EOF
`.\\testosslfunc.exe`;
if ($? == 0) {
$configdefh{"HAVE_DH_GET0_KEY"} = 1;
$configdefh{"HAVE_DSA_GET0_PQG"} = 1;
$configdefh{"HAVE_ECDSA_SIG_GET0"} = 1;
$configdefh{"HAVE_RSA_SET0_KEY"} = 1;
}
......