|
|
900526 |
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
|
|
|
900526 |
index 7a56c79..3ac01a8 100644
|
|
|
900526 |
--- a/lib/dns/hmac_link.c
|
|
|
900526 |
+++ b/lib/dns/hmac_link.c
|
|
|
900526 |
@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
|
|
|
900526 |
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
|
|
|
900526 |
if (hmacmd5ctx == NULL)
|
|
|
900526 |
return (ISC_R_NOMEMORY);
|
|
|
900526 |
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
|
|
|
900526 |
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
|
|
|
900526 |
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
|
900526 |
else if (hkey1 == NULL || hkey2 == NULL)
|
|
|
900526 |
return (ISC_FALSE);
|
|
|
900526 |
|
|
|
900526 |
- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
|
|
|
900526 |
+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
|
|
|
900526 |
return (ISC_TRUE);
|
|
|
900526 |
else
|
|
|
900526 |
return (ISC_FALSE);
|
|
|
900526 |
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
|
|
|
900526 |
isc_buffer_t b;
|
|
|
900526 |
isc_result_t ret;
|
|
|
900526 |
unsigned int bytes;
|
|
|
900526 |
- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
|
|
|
900526 |
+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
|
|
|
900526 |
|
|
|
900526 |
UNUSED(callback);
|
|
|
900526 |
|
|
|
900526 |
bytes = (key->key_size + 7) / 8;
|
|
|
900526 |
- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
|
|
|
900526 |
- bytes = ISC_SHA1_BLOCK_LENGTH;
|
|
|
900526 |
- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
|
|
|
900526 |
+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
|
|
|
900526 |
+ bytes = ISC_MD5_BLOCK_LENGTH;
|
|
|
900526 |
+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
|
|
|
900526 |
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
|
|
|
900526 |
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
|
|
|
900526 |
|
|
|
900526 |
if (ret != ISC_R_SUCCESS)
|
|
|
900526 |
@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
|
|
|
900526 |
isc_buffer_init(&b, data, bytes);
|
|
|
900526 |
isc_buffer_add(&b, bytes);
|
|
|
900526 |
ret = hmacmd5_fromdns(key, &b);
|
|
|
900526 |
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
|
|
|
900526 |
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
|
|
|
900526 |
|
|
|
900526 |
return (ret);
|
|
|
900526 |
}
|
|
|
900526 |
@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
|
|
|
900526 |
memset(hkey->key, 0, sizeof(hkey->key));
|
|
|
900526 |
|
|
|
900526 |
- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
|
|
|
900526 |
+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
|
|
|
900526 |
isc_md5_init(&md5ctx);
|
|
|
900526 |
isc_md5_update(&md5ctx, r.base, r.length);
|
|
|
900526 |
isc_md5_final(&md5ctx, hkey->key);
|
|
|
900526 |
@@ -237,6 +237,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacmd5 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -518,6 +520,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacsha1 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacsha224 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -1090,6 +1096,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacsha256 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -1376,6 +1384,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacsha384 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -1662,6 +1672,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
key->key_size = keylen * 8;
|
|
|
900526 |
key->keydata.hmacsha512 = hkey;
|
|
|
900526 |
|
|
|
900526 |
+ isc_buffer_forward(data, r.length);
|
|
|
900526 |
+
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
|
|
900526 |
index bdbd269..37853aa 100644
|
|
|
900526 |
--- a/lib/dns/include/dst/dst.h
|
|
|
900526 |
+++ b/lib/dns/include/dst/dst.h
|
|
|
900526 |
@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
|
|
|
900526 |
#define DST_ALG_HMACSHA256 163 /* XXXMPA */
|
|
|
900526 |
#define DST_ALG_HMACSHA384 164 /* XXXMPA */
|
|
|
900526 |
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
|
|
|
900526 |
+#define DST_ALG_INDIRECT 252
|
|
|
900526 |
#define DST_ALG_PRIVATE 254
|
|
|
900526 |
#define DST_ALG_EXPAND 255
|
|
|
900526 |
#define DST_MAX_ALGS 255
|
|
|
900526 |
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
|
|
|
900526 |
index bcb3d05..3114954 100644
|
|
|
900526 |
--- a/lib/dns/ncache.c
|
|
|
900526 |
+++ b/lib/dns/ncache.c
|
|
|
900526 |
@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
|
|
|
900526 |
dns_name_fromregion(&tname, &remaining);
|
|
|
900526 |
INSIST(remaining.length >= tname.length);
|
|
|
900526 |
isc_buffer_forward(&source, tname.length);
|
|
|
900526 |
- remaining.length -= tname.length;
|
|
|
900526 |
- remaining.base += tname.length;
|
|
|
900526 |
+ isc_region_consume(&remaining, tname.length);
|
|
|
900526 |
|
|
|
900526 |
INSIST(remaining.length >= 2);
|
|
|
900526 |
type = isc_buffer_getuint16(&source);
|
|
|
900526 |
- remaining.length -= 2;
|
|
|
900526 |
- remaining.base += 2;
|
|
|
900526 |
+ isc_region_consume(&remaining, 2);
|
|
|
900526 |
|
|
|
900526 |
if (type != dns_rdatatype_rrsig ||
|
|
|
900526 |
!dns_name_equal(&tname, name)) {
|
|
|
900526 |
@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
|
|
|
900526 |
INSIST(remaining.length >= 1);
|
|
|
900526 |
trust = isc_buffer_getuint8(&source);
|
|
|
900526 |
INSIST(trust <= dns_trust_ultimate);
|
|
|
900526 |
- remaining.length -= 1;
|
|
|
900526 |
- remaining.base += 1;
|
|
|
900526 |
+ isc_region_consume(&remaining, 1);
|
|
|
900526 |
|
|
|
900526 |
raw = remaining.base;
|
|
|
900526 |
count = raw[0] * 256 + raw[1];
|
|
|
900526 |
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
|
|
|
900526 |
index 55752da..f0cee8d 100644
|
|
|
900526 |
--- a/lib/dns/openssldh_link.c
|
|
|
900526 |
+++ b/lib/dns/openssldh_link.c
|
|
|
900526 |
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
|
|
|
900526 |
|
|
|
900526 |
static void
|
|
|
900526 |
uint16_toregion(isc_uint16_t val, isc_region_t *region) {
|
|
|
900526 |
- *region->base++ = (val & 0xff00) >> 8;
|
|
|
900526 |
- *region->base++ = (val & 0x00ff);
|
|
|
900526 |
+ *region->base = (val & 0xff00) >> 8;
|
|
|
900526 |
+ isc_region_consume(region, 1);
|
|
|
900526 |
+ *region->base = (val & 0x00ff);
|
|
|
900526 |
+ isc_region_consume(region, 1);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
static isc_uint16_t
|
|
|
900526 |
@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
|
|
|
900526 |
val = ((unsigned int)(cp[0])) << 8;
|
|
|
900526 |
val |= ((unsigned int)(cp[1]));
|
|
|
900526 |
|
|
|
900526 |
- region->base += 2;
|
|
|
900526 |
+ isc_region_consume(region, 2);
|
|
|
900526 |
+
|
|
|
900526 |
return (val);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
}
|
|
|
900526 |
else
|
|
|
900526 |
BN_bn2bin(dh->p, r.base);
|
|
|
900526 |
- r.base += plen;
|
|
|
900526 |
+ isc_region_consume(&r, plen);
|
|
|
900526 |
|
|
|
900526 |
uint16_toregion(glen, &r);
|
|
|
900526 |
if (glen > 0)
|
|
|
900526 |
BN_bn2bin(dh->g, r.base);
|
|
|
900526 |
- r.base += glen;
|
|
|
900526 |
+ isc_region_consume(&r, glen);
|
|
|
900526 |
|
|
|
900526 |
uint16_toregion(publen, &r);
|
|
|
900526 |
BN_bn2bin(dh->pub_key, r.base);
|
|
|
900526 |
- r.base += publen;
|
|
|
900526 |
+ isc_region_consume(&r, publen);
|
|
|
900526 |
|
|
|
900526 |
isc_buffer_add(data, dnslen);
|
|
|
900526 |
|
|
|
900526 |
@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
if (plen == 1 || plen == 2) {
|
|
|
900526 |
- if (plen == 1)
|
|
|
900526 |
- special = *r.base++;
|
|
|
900526 |
- else
|
|
|
900526 |
+ if (plen == 1) {
|
|
|
900526 |
+ special = *r.base;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
+ } else {
|
|
|
900526 |
special = uint16_fromregion(&r);
|
|
|
900526 |
+ }
|
|
|
900526 |
switch (special) {
|
|
|
900526 |
case 1:
|
|
|
900526 |
dh->p = &bn768;
|
|
|
900526 |
@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
DH_free(dh);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
- }
|
|
|
900526 |
- else {
|
|
|
900526 |
+ } else {
|
|
|
900526 |
dh->p = BN_bin2bn(r.base, plen, NULL);
|
|
|
900526 |
- r.base += plen;
|
|
|
900526 |
+ isc_region_consume(&r, plen);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
/*
|
|
|
900526 |
@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
}
|
|
|
900526 |
- }
|
|
|
900526 |
- else {
|
|
|
900526 |
+ } else {
|
|
|
900526 |
if (glen == 0) {
|
|
|
900526 |
DH_free(dh);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
dh->g = BN_bin2bn(r.base, glen, NULL);
|
|
|
900526 |
}
|
|
|
900526 |
- r.base += glen;
|
|
|
900526 |
+ isc_region_consume(&r, glen);
|
|
|
900526 |
|
|
|
900526 |
if (r.length < 2) {
|
|
|
900526 |
DH_free(dh);
|
|
|
900526 |
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
dh->pub_key = BN_bin2bn(r.base, publen, NULL);
|
|
|
900526 |
- r.base += publen;
|
|
|
900526 |
+ isc_region_consume(&r, publen);
|
|
|
900526 |
|
|
|
900526 |
key->key_size = BN_num_bits(dh->p);
|
|
|
900526 |
|
|
|
900526 |
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
|
|
|
900526 |
index fd6e91e..8e16557 100644
|
|
|
900526 |
--- a/lib/dns/openssldsa_link.c
|
|
|
900526 |
+++ b/lib/dns/openssldsa_link.c
|
|
|
900526 |
@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
|
|
|
900526 |
DSA *dsa = key->keydata.dsa;
|
|
|
900526 |
isc_region_t r;
|
|
|
900526 |
DSA_SIG *dsasig;
|
|
|
900526 |
+ unsigned int klen;
|
|
|
900526 |
#if USE_EVP
|
|
|
900526 |
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
|
|
900526 |
EVP_PKEY *pkey;
|
|
|
900526 |
@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
|
|
|
900526 |
"DSA_do_sign",
|
|
|
900526 |
DST_R_SIGNFAILURE));
|
|
|
900526 |
#endif
|
|
|
900526 |
- *r.base++ = (key->key_size - 512)/64;
|
|
|
900526 |
+
|
|
|
900526 |
+ klen = (key->key_size - 512)/64;
|
|
|
900526 |
+ if (klen > 255)
|
|
|
900526 |
+ return (ISC_R_FAILURE);
|
|
|
900526 |
+ *r.base = klen;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
+
|
|
|
900526 |
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
- r.base += ISC_SHA1_DIGESTLENGTH;
|
|
|
900526 |
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
- r.base += ISC_SHA1_DIGESTLENGTH;
|
|
|
900526 |
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
DSA_SIG_free(dsasig);
|
|
|
900526 |
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
|
|
|
900526 |
|
|
|
900526 |
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
if (r.length < (unsigned int) dnslen)
|
|
|
900526 |
return (ISC_R_NOSPACE);
|
|
|
900526 |
|
|
|
900526 |
- *r.base++ = t;
|
|
|
900526 |
+ *r.base = t;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
- r.base += ISC_SHA1_DIGESTLENGTH;
|
|
|
900526 |
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
|
|
|
900526 |
isc_buffer_add(data, dnslen);
|
|
|
900526 |
|
|
|
900526 |
@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
return (ISC_R_NOMEMORY);
|
|
|
900526 |
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
|
|
|
900526 |
|
|
|
900526 |
- t = (unsigned int) *r.base++;
|
|
|
900526 |
+ t = (unsigned int) *r.base;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
if (t > 8) {
|
|
|
900526 |
DSA_free(dsa);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
p_bytes = 64 + 8 * t;
|
|
|
900526 |
|
|
|
900526 |
- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
|
|
|
900526 |
+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
|
|
|
900526 |
DSA_free(dsa);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
|
|
|
900526 |
- r.base += ISC_SHA1_DIGESTLENGTH;
|
|
|
900526 |
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
|
|
|
900526 |
|
|
|
900526 |
dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
|
|
|
900526 |
dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
|
|
|
900526 |
dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
|
|
|
900526 |
- r.base += p_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, p_bytes);
|
|
|
900526 |
|
|
|
900526 |
key->key_size = p_bytes * 8;
|
|
|
900526 |
|
|
|
900526 |
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
|
|
900526 |
index c64cc55..40c612b 100644
|
|
|
900526 |
--- a/lib/dns/opensslecdsa_link.c
|
|
|
900526 |
+++ b/lib/dns/opensslecdsa_link.c
|
|
|
900526 |
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
|
|
|
900526 |
"ECDSA_do_sign",
|
|
|
900526 |
DST_R_SIGNFAILURE));
|
|
|
900526 |
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
|
|
|
900526 |
- r.base += siglen / 2;
|
|
|
900526 |
+ isc_region_consume(&r, siglen / 2);
|
|
|
900526 |
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
|
|
|
900526 |
- r.base += siglen / 2;
|
|
|
900526 |
+ isc_region_consume(&r, siglen / 2);
|
|
|
900526 |
ECDSA_SIG_free(ecdsasig);
|
|
|
900526 |
isc_buffer_add(sig, siglen);
|
|
|
900526 |
ret = ISC_R_SUCCESS;
|
|
|
900526 |
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
|
|
|
900526 |
index 1edeb8d..53c6d4b 100644
|
|
|
900526 |
--- a/lib/dns/opensslrsa_link.c
|
|
|
900526 |
+++ b/lib/dns/opensslrsa_link.c
|
|
|
900526 |
@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
RSA *rsa;
|
|
|
900526 |
isc_region_t r;
|
|
|
900526 |
unsigned int e_bytes;
|
|
|
900526 |
+ unsigned int length;
|
|
|
900526 |
#if USE_EVP
|
|
|
900526 |
EVP_PKEY *pkey;
|
|
|
900526 |
#endif
|
|
|
900526 |
@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
isc_buffer_remainingregion(data, &r);
|
|
|
900526 |
if (r.length == 0)
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
+ length = r.length;
|
|
|
900526 |
|
|
|
900526 |
rsa = RSA_new();
|
|
|
900526 |
if (rsa == NULL)
|
|
|
900526 |
@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
RSA_free(rsa);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
- e_bytes = *r.base++;
|
|
|
900526 |
- r.length--;
|
|
|
900526 |
+ e_bytes = *r.base;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
|
|
|
900526 |
if (e_bytes == 0) {
|
|
|
900526 |
if (r.length < 2) {
|
|
|
900526 |
RSA_free(rsa);
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
- e_bytes = ((*r.base++) << 8);
|
|
|
900526 |
- e_bytes += *r.base++;
|
|
|
900526 |
- r.length -= 2;
|
|
|
900526 |
+ e_bytes = (*r.base) << 8;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
+ e_bytes += *r.base;
|
|
|
900526 |
+ isc_region_consume(&r, 1);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
if (r.length < e_bytes) {
|
|
|
900526 |
@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
900526 |
return (DST_R_INVALIDPUBLICKEY);
|
|
|
900526 |
}
|
|
|
900526 |
rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
|
|
|
900526 |
- r.base += e_bytes;
|
|
|
900526 |
- r.length -= e_bytes;
|
|
|
900526 |
+ isc_region_consume(&r, e_bytes);
|
|
|
900526 |
|
|
|
900526 |
rsa->n = BN_bin2bn(r.base, r.length, NULL);
|
|
|
900526 |
|
|
|
900526 |
key->key_size = BN_num_bits(rsa->n);
|
|
|
900526 |
|
|
|
900526 |
- isc_buffer_forward(data, r.length);
|
|
|
900526 |
+ isc_buffer_forward(data, length);
|
|
|
900526 |
|
|
|
900526 |
#if USE_EVP
|
|
|
900526 |
pkey = EVP_PKEY_new();
|
|
|
900526 |
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
|
900526 |
index 2004b0b..c7971b1 100644
|
|
|
900526 |
--- a/lib/dns/resolver.c
|
|
|
900526 |
+++ b/lib/dns/resolver.c
|
|
|
900526 |
@@ -8959,6 +8959,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
|
|
|
900526 |
|
|
|
900526 |
REQUIRE(VALID_RESOLVER(resolver));
|
|
|
900526 |
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
|
|
|
900526 |
+ return (ISC_FALSE);
|
|
|
900526 |
+
|
|
|
900526 |
#if USE_ALGLOCK
|
|
|
900526 |
RWLOCK(&resolver->alglock, isc_rwlocktype_read);
|
|
|
900526 |
#endif
|
|
|
900526 |
|