
Source code changes of the file "lib/dns/pkcs11rsa_link.c" between
bind-9.17.3.tar.xz and bind-9.17.4.tar.xz

About: BIND 9.17 implements the Domain Name System (DNS) protocols for the Internet (see the Release Notes). Source code distribution. Unstable development release.

pkcs11rsa_link.c  (bind-9.17.3.tar.xz):pkcs11rsa_link.c  (bind-9.17.4.tar.xz)
skipping to change at line 295 skipping to change at line 295
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
pk11_object_t *rsa; pk11_object_t *rsa;
pk11_context_t *pk11_ctx; pk11_context_t *pk11_ctx;
isc_result_t ret; isc_result_t ret;
unsigned int i; unsigned int i;
REQUIRE(key->key_alg == DST_ALG_RSASHA1 || REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512); key->key_alg == DST_ALG_RSASHA512);
REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
/* /*
* Reject incorrect RSA key lengths. * Reject incorrect RSA key lengths.
*/ */
switch (dctx->key->key_alg) { switch (dctx->key->key_alg) {
case DST_ALG_RSASHA1: case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */ /* From RFC 3110 */
if (dctx->key->key_size > 4096) { if (dctx->key->key_size > 4096) {
return (ISC_R_FAILURE); return (ISC_R_FAILURE);
skipping to change at line 337 skipping to change at line 338
pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
NULL, pk11_get_best_token(OP_RSA)); NULL, pk11_get_best_token(OP_RSA));
if (ret != ISC_R_SUCCESS) { if (ret != ISC_R_SUCCESS) {
goto err; goto err;
} }
for (attr = pk11_attribute_first(rsa); attr != NULL; for (attr = pk11_attribute_first(rsa); attr != NULL;
attr = pk11_attribute_next(rsa, attr)) attr = pk11_attribute_next(rsa, attr))
{
switch (attr->type) { switch (attr->type) {
case CKA_MODULUS: case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type); INSIST(keyTemplate[5].type == attr->type);
keyTemplate[5].pValue = isc_mem_get(dctx->mctx, keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen); attr->ulValueLen);
memmove(keyTemplate[5].pValue, attr->pValue, memmove(keyTemplate[5].pValue, attr->pValue,
attr->ulValueLen); attr->ulValueLen);
keyTemplate[5].ulValueLen = attr->ulValueLen; keyTemplate[5].ulValueLen = attr->ulValueLen;
break; break;
case CKA_PUBLIC_EXPONENT: case CKA_PUBLIC_EXPONENT:
INSIST(keyTemplate[6].type == attr->type); INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx, keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen); attr->ulValueLen);
memmove(keyTemplate[6].pValue, attr->pValue, memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen); attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen; keyTemplate[6].ulValueLen = attr->ulValueLen;
if (pk11_numbits(attr->pValue, attr->ulValueLen) > unsigned int bits;
maxbits && ret = pk11_numbits(attr->pValue, attr->ulValueLen,
maxbits != 0) { &bits);
if (ret != ISC_R_SUCCESS ||
(bits > maxbits && maxbits != 0)) {
DST_RET(DST_R_VERIFYFAILURE); DST_RET(DST_R_VERIFYFAILURE);
} }
break; break;
} }
}
pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false; pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject, PK11_RET(pkcs_C_CreateObject,
(pk11_ctx->session, keyTemplate, (CK_ULONG)7, (pk11_ctx->session, keyTemplate, (CK_ULONG)7,
&pk11_ctx->object), &pk11_ctx->object),
ISC_R_FAILURE); ISC_R_FAILURE);
switch (dctx->key->key_alg) { switch (dctx->key->key_alg) {
case DST_ALG_RSASHA1: case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
skipping to change at line 960 skipping to change at line 965
switch (attr->type) { switch (attr->type) {
case CKA_MODULUS: case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type); INSIST(keyTemplate[5].type == attr->type);
keyTemplate[5].pValue = isc_mem_get(dctx->mctx, keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen); attr->ulValueLen);
memmove(keyTemplate[5].pValue, attr->pValue, memmove(keyTemplate[5].pValue, attr->pValue,
attr->ulValueLen); attr->ulValueLen);
keyTemplate[5].ulValueLen = attr->ulValueLen; keyTemplate[5].ulValueLen = attr->ulValueLen;
break; break;
case CKA_PUBLIC_EXPONENT: case CKA_PUBLIC_EXPONENT:
unsigned int bits;
INSIST(keyTemplate[6].type == attr->type); INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx, keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen); attr->ulValueLen);
memmove(keyTemplate[6].pValue, attr->pValue, memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen); attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen; keyTemplate[6].ulValueLen = attr->ulValueLen;
if (pk11_numbits(attr->pValue, attr->ulValueLen) > ret = pk11_numbits(attr->pValue, attr->ulValueLen,
RSA_MAX_PUBEXP_BITS) { &bits);
if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
{
DST_RET(DST_R_VERIFYFAILURE); DST_RET(DST_R_VERIFYFAILURE);
} }
break; break;
} }
pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false; pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject, PK11_RET(pkcs_C_CreateObject,
(pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
ISC_R_FAILURE); ISC_R_FAILURE);
skipping to change at line 1338 skipping to change at line 1346
} }
static isc_result_t static isc_result_t
pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
pk11_object_t *rsa; pk11_object_t *rsa;
isc_region_t r; isc_region_t r;
unsigned int e_bytes, mod_bytes; unsigned int e_bytes, mod_bytes;
CK_BYTE *exponent = NULL, *modulus = NULL; CK_BYTE *exponent = NULL, *modulus = NULL;
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
unsigned int length; unsigned int length;
unsigned int bits;
isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_remainingregion(data, &r); isc_buffer_remainingregion(data, &r);
if (r.length == 0) { if (r.length == 0) {
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
length = r.length; length = r.length;
rsa = isc_mem_get(key->mctx, sizeof(*rsa)); rsa = isc_mem_get(key->mctx, sizeof(*rsa));
memset(rsa, 0, sizeof(*rsa)); memset(rsa, 0, sizeof(*rsa));
e_bytes = *r.base; e_bytes = *r.base;
isc_region_consume(&r, 1); isc_region_consume(&r, 1);
if (e_bytes == 0) { if (e_bytes == 0) {
if (r.length < 2) { if (r.length < 2) {
isc_safe_memwipe(rsa, sizeof(*rsa)); DST_RET(DST_R_INVALIDPUBLICKEY);
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
return (DST_R_INVALIDPUBLICKEY);
} }
e_bytes = (*r.base) << 8; e_bytes = (*r.base) << 8;
isc_region_consume(&r, 1); isc_region_consume(&r, 1);
e_bytes += *r.base; e_bytes += *r.base;
isc_region_consume(&r, 1); isc_region_consume(&r, 1);
} }
if (r.length < e_bytes) { if (r.length < e_bytes) {
isc_safe_memwipe(rsa, sizeof(*rsa)); DST_RET(DST_R_INVALIDPUBLICKEY);
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
return (DST_R_INVALIDPUBLICKEY);
} }
exponent = r.base; exponent = r.base;
isc_region_consume(&r, e_bytes); isc_region_consume(&r, e_bytes);
modulus = r.base; modulus = r.base;
mod_bytes = r.length; mod_bytes = r.length;
key->key_size = pk11_numbits(modulus, mod_bytes); ret = pk11_numbits(modulus, mod_bytes, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
key->key_size = bits;
isc_buffer_forward(data, length); isc_buffer_forward(data, length);
rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
memset(rsa->repr, 0, sizeof(*attr) * 2); memset(rsa->repr, 0, sizeof(*attr) * 2);
rsa->attrcnt = 2; rsa->attrcnt = 2;
attr = rsa->repr; attr = rsa->repr;
attr[0].type = CKA_MODULUS; attr[0].type = CKA_MODULUS;
attr[0].pValue = isc_mem_get(key->mctx, mod_bytes); attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
memmove(attr[0].pValue, modulus, mod_bytes); memmove(attr[0].pValue, modulus, mod_bytes);
attr[0].ulValueLen = (CK_ULONG)mod_bytes; attr[0].ulValueLen = (CK_ULONG)mod_bytes;
attr[1].type = CKA_PUBLIC_EXPONENT; attr[1].type = CKA_PUBLIC_EXPONENT;
attr[1].pValue = isc_mem_get(key->mctx, e_bytes); attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
memmove(attr[1].pValue, exponent, e_bytes); memmove(attr[1].pValue, exponent, e_bytes);
attr[1].ulValueLen = (CK_ULONG)e_bytes; attr[1].ulValueLen = (CK_ULONG)e_bytes;
key->keydata.pkey = rsa; key->keydata.pkey = rsa;
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
err:
isc_safe_memwipe(rsa, sizeof(*rsa));
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
return (ret);
} }
static isc_result_t static isc_result_t
pkcs11rsa_tofile(const dst_key_t *key, const char *directory) { pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
int i; int i;
pk11_object_t *rsa; pk11_object_t *rsa;
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
CK_ATTRIBUTE *modulus = NULL, *exponent = NULL; CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL; CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL;
CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
skipping to change at line 1567 skipping to change at line 1581
{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
{ CKA_LABEL, NULL, 0 } { CKA_LABEL, NULL, 0 }
}; };
CK_ULONG cnt; CK_ULONG cnt;
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
CK_ATTRIBUTE *pubattr; CK_ATTRIBUTE *pubattr;
pk11_object_t *rsa; pk11_object_t *rsa;
pk11_object_t *pubrsa; pk11_object_t *pubrsa;
pk11_context_t *pk11_ctx = NULL; pk11_context_t *pk11_ctx = NULL;
isc_result_t ret; isc_result_t ret;
unsigned int bits;
if (label == NULL) { if (label == NULL) {
return (DST_R_NOENGINE); return (DST_R_NOENGINE);
} }
rsa = key->keydata.pkey; rsa = key->keydata.pkey;
pubrsa = pub->keydata.pkey; pubrsa = pub->keydata.pkey;
rsa->object = CK_INVALID_HANDLE; rsa->object = CK_INVALID_HANDLE;
rsa->ontoken = true; rsa->ontoken = true;
skipping to change at line 1645 skipping to change at line 1660
} }
key->label = isc_mem_strdup(key->mctx, label); key->label = isc_mem_strdup(key->mctx, label);
pk11_return_session(pk11_ctx); pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
attr = pk11_attribute_bytype(rsa, CKA_MODULUS); attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL); INSIST(attr != NULL);
key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
key->key_size = bits;
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
err: err:
if (pk11_ctx != NULL) { if (pk11_ctx != NULL) {
pk11_return_session(pk11_ctx); pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
} }
skipping to change at line 1737 skipping to change at line 1756
static isc_result_t static isc_result_t
pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv; dst_private_t priv;
isc_result_t ret; isc_result_t ret;
int i; int i;
pk11_object_t *rsa; pk11_object_t *rsa;
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx; isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL; const char *engine = NULL, *label = NULL;
unsigned int bits;
/* read private key file */ /* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS) { if (ret != ISC_R_SUCCESS) {
return (ret); return (ret);
} }
if (key->external) { if (key->external) {
if (priv.nelements != 0) { if (priv.nelements != 0) {
DST_RET(DST_R_INVALIDPRIVATEKEY); DST_RET(DST_R_INVALIDPRIVATEKEY);
skipping to change at line 1874 skipping to change at line 1894
break; break;
} }
} }
if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) { if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) {
DST_RET(DST_R_INVALIDPRIVATEKEY); DST_RET(DST_R_INVALIDPRIVATEKEY);
} }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS); attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL); INSIST(attr != NULL);
key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
key->key_size = bits;
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL); INSIST(attr != NULL);
if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
{ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE); DST_RET(ISC_R_RANGE);
} }
dst__privstruct_free(&priv, mctx); dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv)); isc_safe_memwipe(&priv, sizeof(priv));
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
err: err:
pkcs11rsa_destroy(key); pkcs11rsa_destroy(key);
skipping to change at line 1914 skipping to change at line 1942
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
{ CKA_LABEL, NULL, 0 } { CKA_LABEL, NULL, 0 }
}; };
CK_ULONG cnt; CK_ULONG cnt;
CK_ATTRIBUTE *attr; CK_ATTRIBUTE *attr;
pk11_object_t *rsa; pk11_object_t *rsa;
pk11_context_t *pk11_ctx = NULL; pk11_context_t *pk11_ctx = NULL;
isc_result_t ret; isc_result_t ret;
unsigned int i; unsigned int i;
unsigned int bits;
UNUSED(pin); UNUSED(pin);
rsa = isc_mem_get(key->mctx, sizeof(*rsa)); rsa = isc_mem_get(key->mctx, sizeof(*rsa));
memset(rsa, 0, sizeof(*rsa)); memset(rsa, 0, sizeof(*rsa));
rsa->object = CK_INVALID_HANDLE; rsa->object = CK_INVALID_HANDLE;
rsa->ontoken = true; rsa->ontoken = true;
rsa->reqlogon = true; rsa->reqlogon = true;
key->keydata.pkey = rsa; key->keydata.pkey = rsa;
skipping to change at line 1999 skipping to change at line 2028
} }
if (engine != NULL) { if (engine != NULL) {
key->engine = isc_mem_strdup(key->mctx, engine); key->engine = isc_mem_strdup(key->mctx, engine);
} }
key->label = isc_mem_strdup(key->mctx, label); key->label = isc_mem_strdup(key->mctx, label);
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL); INSIST(attr != NULL);
if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
{ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE); DST_RET(ISC_R_RANGE);
} }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS); attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL); INSIST(attr != NULL);
key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
if (ret != ISC_R_SUCCESS) {
goto err;
}
key->key_size = bits;
pk11_return_session(pk11_ctx); pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
err: err:
pkcs11rsa_destroy(key); pkcs11rsa_destroy(key);
if (pk11_ctx != NULL) { if (pk11_ctx != NULL) {
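Review bot: In the hunk at new line 1660, the added `goto err` taken when `pk11_numbits()` fails runs after `pk11_ctx` has already been returned, wiped and freed a few lines earlier, so the `err:` label sees a non-NULL `pk11_ctx` and calls `pk11_return_session()`, `isc_safe_memwipe()` and `isc_mem_put()` on it a second time, which is a use-after-free and double free on that error path. Either add `pk11_ctx = NULL;` right after the first `isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));`, or do the modulus size check before releasing the session, as the hunk at new line 2028 already does. The function starts before this hunk and its `err:` block continues past it, so the rest of that cleanup should be checked against the same early release. Separately, in the hunk at new line 965, `unsigned int bits;` directly follows `case CKA_PUBLIC_EXPONENT:`, which is not valid C before C23; bracing the case body or hoisting the declaration avoids a build failure if that branch is compiled.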
 End of changes. 19 change blocks. 
19 lines changed or deleted 56 lines changed or added
