authorJakob Schlyter <jakob@cvs.openbsd.org>2005-03-22 16:38:09 +0000
committerJakob Schlyter <jakob@cvs.openbsd.org>2005-03-22 16:38:09 +0000
commit7a6d00ce9e0a8125414b0bfc04fb4ef0e46ee67e (patch)
tree66f5f67a267164e108d5acc65ffc896c19a37f0e /usr.sbin
parent67f78d13b4e9df89218f0f8572dab2d392658337 (diff)
ISC BIND release 9.3.1. ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/bind/lib/dns/dst_internal.h40
-rw-r--r--usr.sbin/bind/lib/dns/dst_lib.c6
-rw-r--r--usr.sbin/bind/lib/dns/dst_openssl.h5
-rw-r--r--usr.sbin/bind/lib/dns/dst_parse.c101
-rw-r--r--usr.sbin/bind/lib/dns/dst_parse.h29
-rw-r--r--usr.sbin/bind/lib/dns/dst_result.c50
-rw-r--r--usr.sbin/bind/lib/dns/gssapi_link.c20
-rw-r--r--usr.sbin/bind/lib/dns/gssapictx.c6
-rw-r--r--usr.sbin/bind/lib/dns/hmac_link.c1422
-rw-r--r--usr.sbin/bind/lib/dns/include/dst/Makefile.in2
-rw-r--r--usr.sbin/bind/lib/dns/include/dst/dst.h372
-rw-r--r--usr.sbin/bind/lib/dns/include/dst/gssapi.h6
-rw-r--r--usr.sbin/bind/lib/dns/include/dst/lib.h6
-rw-r--r--usr.sbin/bind/lib/dns/include/dst/result.h6
-rw-r--r--usr.sbin/bind/lib/dns/key.c25
-rw-r--r--usr.sbin/bind/lib/dns/openssl_link.c56
-rw-r--r--usr.sbin/bind/lib/dns/opensslrsa_link.c82
17 files changed, 273 insertions, 1961 deletions
diff --git a/usr.sbin/bind/lib/dns/dst_internal.h b/usr.sbin/bind/lib/dns/dst_internal.h
index 9dbf40ecba4..4c086dcd283 100644
--- a/usr.sbin/bind/lib/dns/dst_internal.h
+++ b/usr.sbin/bind/lib/dns/dst_internal.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dst_internal.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $ISC: dst_internal.h,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@@ -46,20 +46,18 @@ extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
-/*% DST Key Structure */
struct dst_key {
unsigned int magic;
- dns_name_t * key_name; /*%< name of the key */
- unsigned int key_size; /*%< size of the key in bits */
- unsigned int key_proto; /*%< protocols this key is used for */
- unsigned int key_alg; /*%< algorithm of the key */
- isc_uint32_t key_flags; /*%< flags of the public key */
- isc_uint16_t key_id; /*%< identifier of the key */
- isc_uint16_t key_bits; /*%< hmac digest bits */
- dns_rdataclass_t key_class; /*%< class of the key record */
- isc_mem_t *mctx; /*%< memory context */
- void * opaque; /*%< pointer to key in crypto pkg fmt */
- dst_func_t * func; /*%< crypto package specific functions */
+ dns_name_t * key_name; /* name of the key */
+ unsigned int key_size; /* size of the key in bits */
+ unsigned int key_proto; /* protocols this key is used for */
+ unsigned int key_alg; /* algorithm of the key */
+ isc_uint32_t key_flags; /* flags of the public key */
+ isc_uint16_t key_id; /* identifier of the key */
+ dns_rdataclass_t key_class; /* class of the key record */
+ isc_mem_t *mctx; /* memory context */
+ void * opaque; /* pointer to key in crypto pkg fmt */
+ dst_func_t * func; /* crypto package specific functions */
};
struct dst_context {
@@ -102,35 +100,30 @@ struct dst_func {
void (*cleanup)(void);
};
-/*%
+/*
* Initializers
*/
isc_result_t dst__openssl_init(void);
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__gssapi_init(struct dst_func **funcp);
-/*%
+/*
* Destructors
*/
void dst__openssl_destroy(void);
-/*%
+/*
* Memory allocators using the DST memory pool.
*/
void * dst__mem_alloc(size_t size);
void dst__mem_free(void *ptr);
void * dst__mem_realloc(void *ptr, size_t size);
-/*%
+/*
* Entropy retriever using the DST entropy pool.
*/
isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
@@ -139,4 +132,3 @@ isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
ISC_LANG_ENDDECLS
#endif /* DST_DST_INTERNAL_H */
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/dst_lib.c b/usr.sbin/bind/lib/dns/dst_lib.c
index 8a01fa95712..fdfd737e729 100644
--- a/usr.sbin/bind/lib/dns/dst_lib.c
+++ b/usr.sbin/bind/lib/dns/dst_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -17,11 +17,9 @@
/*
* Principal Author: Brian Wellington
- * $ISC: dst_lib.c,v 1.1.6.3 2005/04/29 00:15:51 marka Exp $
+ * $ISC: dst_lib.c,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $
*/
-/*! \file */
-
#include <config.h>
#include <stddef.h>
diff --git a/usr.sbin/bind/lib/dns/dst_openssl.h b/usr.sbin/bind/lib/dns/dst_openssl.h
index 56e781bcce5..2da3cc8bd51 100644
--- a/usr.sbin/bind/lib/dns/dst_openssl.h
+++ b/usr.sbin/bind/lib/dns/dst_openssl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dst_openssl.h,v 1.1.4.3 2005/04/29 00:15:52 marka Exp $ */
+/* $ISC: dst_openssl.h,v 1.1.2.1 2004/12/09 04:07:17 marka Exp $ */
#ifndef DST_OPENSSL_H
#define DST_OPENSSL_H 1
@@ -31,4 +31,3 @@ dst__openssl_toresult(isc_result_t fallback);
ISC_LANG_ENDDECLS
#endif /* DST_OPENSSL_H */
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/dst_parse.c b/usr.sbin/bind/lib/dns/dst_parse.c
index 1db079f507d..55b977604a3 100644
--- a/usr.sbin/bind/lib/dns/dst_parse.c
+++ b/usr.sbin/bind/lib/dns/dst_parse.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
@@ -16,9 +16,9 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/*%
+/*
* Principal Author: Brian Wellington
- * $ISC: dst_parse.c,v 1.1.6.7 2006/05/16 03:59:26 marka Exp $
+ * $ISC: dst_parse.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
*/
#include <config.h>
@@ -67,23 +67,6 @@ static struct parse_map map[] = {
{TAG_DSA_PUBLIC, "Public_value(y):"},
{TAG_HMACMD5_KEY, "Key:"},
- {TAG_HMACMD5_BITS, "Bits:"},
-
- {TAG_HMACSHA1_KEY, "Key:"},
- {TAG_HMACSHA1_BITS, "Bits:"},
-
- {TAG_HMACSHA224_KEY, "Key:"},
- {TAG_HMACSHA224_BITS, "Bits:"},
-
- {TAG_HMACSHA256_KEY, "Key:"},
- {TAG_HMACSHA256_BITS, "Bits:"},
-
- {TAG_HMACSHA384_KEY, "Key:"},
- {TAG_HMACSHA384_BITS, "Bits:"},
-
- {TAG_HMACSHA512_KEY, "Key:"},
- {TAG_HMACSHA512_BITS, "Bits:"},
-
{0, NULL}
};
@@ -158,53 +141,16 @@ check_dsa(const dst_private_t *priv) {
}
static int
-check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
- int i, j;
-
- if (priv->nelements != HMACMD5_NTAGS) {
- /*
- * If this is a good old format and we are accepting
- * the old format return success.
- */
- if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
- priv->elements[0].tag == TAG_HMACMD5_KEY)
- return (0);
+check_hmac_md5(const dst_private_t *priv) {
+ if (priv->nelements != HMACMD5_NTAGS)
return (-1);
- }
- /*
- * We must be new format at this point.
- */
- for (i = 0; i < HMACMD5_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
- return (0);
-}
-
-static int
-check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
- unsigned int alg)
-{
- unsigned int i, j;
- if (priv->nelements != ntags)
+ if (priv->elements[0].tag != TAG_HMACMD5_KEY)
return (-1);
- for (i = 0; i < ntags; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(alg, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
return (0);
}
static int
-check_data(const dst_private_t *priv, const unsigned int alg,
- isc_boolean_t old)
-{
+check_data(const dst_private_t *priv, const unsigned int alg) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
case DST_ALG_RSAMD5:
@@ -215,17 +161,7 @@ check_data(const dst_private_t *priv, const unsigned int alg,
case DST_ALG_DSA:
return (check_dsa(priv));
case DST_ALG_HMACMD5:
- return (check_hmac_md5(priv, old));
- case DST_ALG_HMACSHA1:
- return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
- case DST_ALG_HMACSHA224:
- return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
- case DST_ALG_HMACSHA256:
- return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
- case DST_ALG_HMACSHA384:
- return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
- case DST_ALG_HMACSHA512:
- return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
+ return (check_hmac_md5(priv));
default:
return (DST_R_UNSUPPORTEDALG);
}
@@ -377,7 +313,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
done:
priv->nelements = n;
- if (check_data(priv, alg, ISC_TRUE) < 0)
+ if (check_data(priv, alg) < 0)
goto fail;
return (ISC_R_SUCCESS);
@@ -405,7 +341,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
REQUIRE(priv != NULL);
- if (check_data(priv, dst_key_alg(key), ISC_FALSE) < 0)
+ if (check_data(priv, dst_key_alg(key)) < 0)
return (DST_R_INVALIDPRIVATEKEY);
isc_buffer_init(&b, filename, sizeof(filename));
@@ -444,21 +380,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
- case DST_ALG_HMACSHA1:
- fprintf(fp, "(HMAC_SHA1)\n");
- break;
- case DST_ALG_HMACSHA224:
- fprintf(fp, "(HMAC_SHA224)\n");
- break;
- case DST_ALG_HMACSHA256:
- fprintf(fp, "(HMAC_SHA256)\n");
- break;
- case DST_ALG_HMACSHA384:
- fprintf(fp, "(HMAC_SHA384)\n");
- break;
- case DST_ALG_HMACSHA512:
- fprintf(fp, "(HMAC_SHA512)\n");
- break;
default:
fprintf(fp, "(?)\n");
break;
@@ -489,5 +410,3 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
fclose(fp);
return (ISC_R_SUCCESS);
}
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/dst_parse.h b/usr.sbin/bind/lib/dns/dst_parse.h
index 785db8f5ec1..1e9a5ad6ec4 100644
--- a/usr.sbin/bind/lib/dns/dst_parse.h
+++ b/usr.sbin/bind/lib/dns/dst_parse.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
@@ -16,9 +16,8 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dst_parse.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $ISC: dst_parse.h,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
-/*! \file */
#ifndef DST_DST_PARSE_H
#define DST_DST_PARSE_H 1
@@ -60,30 +59,8 @@
#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
-#define OLD_HMACMD5_NTAGS 1
-#define HMACMD5_NTAGS 2
+#define HMACMD5_NTAGS 1
#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
-#define TAG_HMACMD5_BITS ((DST_ALG_HMACMD5 << TAG_SHIFT) + 1)
-
-#define HMACSHA1_NTAGS 2
-#define TAG_HMACSHA1_KEY ((DST_ALG_HMACSHA1 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA1_BITS ((DST_ALG_HMACSHA1 << TAG_SHIFT) + 1)
-
-#define HMACSHA224_NTAGS 2
-#define TAG_HMACSHA224_KEY ((DST_ALG_HMACSHA224 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA224_BITS ((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
-
-#define HMACSHA256_NTAGS 2
-#define TAG_HMACSHA256_KEY ((DST_ALG_HMACSHA256 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA256_BITS ((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
-
-#define HMACSHA384_NTAGS 2
-#define TAG_HMACSHA384_KEY ((DST_ALG_HMACSHA384 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA384_BITS ((DST_ALG_HMACSHA384 << TAG_SHIFT) + 1)
-
-#define HMACSHA512_NTAGS 2
-#define TAG_HMACSHA512_KEY ((DST_ALG_HMACSHA512 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA512_BITS ((DST_ALG_HMACSHA512 << TAG_SHIFT) + 1)
struct dst_private_element {
unsigned short tag;
diff --git a/usr.sbin/bind/lib/dns/dst_result.c b/usr.sbin/bind/lib/dns/dst_result.c
index 6f42d57949f..82518c1491e 100644
--- a/usr.sbin/bind/lib/dns/dst_result.c
+++ b/usr.sbin/bind/lib/dns/dst_result.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/*%
+/*
* Principal Author: Brian Wellington
- * $ISC: dst_result.c,v 1.1.6.3 2005/04/29 00:15:52 marka Exp $
+ * $ISC: dst_result.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
*/
#include <config.h>
@@ -29,27 +29,27 @@
#include <dst/lib.h>
static const char *text[DST_R_NRESULTS] = {
- "algorithm is unsupported", /*%< 0 */
- "openssl failure", /*%< 1 */
- "built with no crypto support", /*%< 2 */
- "illegal operation for a null key", /*%< 3 */
- "public key is invalid", /*%< 4 */
- "private key is invalid", /*%< 5 */
- "UNUSED6", /*%< 6 */
- "error occurred writing key to disk", /*%< 7 */
- "invalid algorithm specific parameter", /*%< 8 */
- "UNUSED9", /*%< 9 */
- "UNUSED10", /*%< 10 */
- "sign failure", /*%< 11 */
- "UNUSED12", /*%< 12 */
- "UNUSED13", /*%< 13 */
- "verify failure", /*%< 14 */
- "not a public key", /*%< 15 */
- "not a private key", /*%< 16 */
- "not a key that can compute a secret", /*%< 17 */
- "failure computing a shared secret", /*%< 18 */
- "no randomness available", /*%< 19 */
- "bad key type" /*%< 20 */
+ "algorithm is unsupported", /* 0 */
+ "openssl failure", /* 1 */
+ "built with no crypto support", /* 2 */
+ "illegal operation for a null key", /* 3 */
+ "public key is invalid", /* 4 */
+ "private key is invalid", /* 5 */
+ "UNUSED6", /* 6 */
+ "error occurred writing key to disk", /* 7 */
+ "invalid algorithm specific parameter", /* 8 */
+ "UNUSED9", /* 9 */
+ "UNUSED10", /* 10 */
+ "sign failure", /* 11 */
+ "UNUSED12", /* 12 */
+ "UNUSED13", /* 13 */
+ "verify failure", /* 14 */
+ "not a public key", /* 15 */
+ "not a private key", /* 16 */
+ "not a key that can compute a secret", /* 17 */
+ "failure computing a shared secret", /* 18 */
+ "no randomness available", /* 19 */
+ "bad key type" /* 20 */
};
#define DST_RESULT_RESULTSET 2
@@ -84,5 +84,3 @@ void
dst_result_register(void) {
initialize();
}
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/gssapi_link.c b/usr.sbin/bind/lib/dns/gssapi_link.c
index d23844006df..b50bb4105a5 100644
--- a/usr.sbin/bind/lib/dns/gssapi_link.c
+++ b/usr.sbin/bind/lib/dns/gssapi_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $ISC: gssapi_link.c,v 1.1.6.3 2005/04/29 00:15:53 marka Exp $
+ * $ISC: gssapi_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
*/
#ifdef GSSAPI
@@ -194,17 +194,17 @@ static dst_func_t gssapi_functions = {
gssapi_adddata,
gssapi_sign,
gssapi_verify,
- NULL, /*%< computesecret */
+ NULL, /* computesecret */
gssapi_compare,
- NULL, /*%< paramcompare */
+ NULL, /* paramcompare */
gssapi_generate,
gssapi_isprivate,
gssapi_destroy,
- NULL, /*%< todns */
- NULL, /*%< fromdns */
- NULL, /*%< tofile */
- NULL, /*%< parse */
- NULL, /*%< cleanup */
+ NULL, /* todns */
+ NULL, /* fromdns */
+ NULL, /* tofile */
+ NULL, /* parse */
+ NULL, /* cleanup */
};
isc_result_t
@@ -218,5 +218,3 @@ dst__gssapi_init(dst_func_t **funcp) {
#else
int gssapi_link_unneeded = 1;
#endif
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/gssapictx.c b/usr.sbin/bind/lib/dns/gssapictx.c
index a8212282de6..146a8095e57 100644
--- a/usr.sbin/bind/lib/dns/gssapictx.c
+++ b/usr.sbin/bind/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: gssapictx.c,v 1.1.6.3 2005/04/29 00:15:54 marka Exp $ */
+/* $ISC: gssapictx.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
#include <config.h>
@@ -260,5 +260,3 @@ dst_gssapi_acceptctx(dns_name_t *name, void *cred,
}
#endif
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/hmac_link.c b/usr.sbin/bind/lib/dns/hmac_link.c
index f58e4e02381..2703e370a1b 100644
--- a/usr.sbin/bind/lib/dns/hmac_link.c
+++ b/usr.sbin/bind/lib/dns/hmac_link.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
@@ -18,16 +18,14 @@
/*
* Principal Author: Brian Wellington
- * $ISC: hmac_link.c,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $
+ * $ISC: hmac_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
*/
#include <config.h>
#include <isc/buffer.h>
#include <isc/hmacmd5.h>
-#include <isc/hmacsha.h>
#include <isc/md5.h>
-#include <isc/sha1.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/util.h>
@@ -48,17 +46,6 @@ typedef struct hmackey {
} HMAC_Key;
static isc_result_t
-getkeybits(dst_key_t *key, struct dst_private_element *element) {
-
- if (element->length != 2)
- return (DST_R_INVALIDPRIVATEKEY);
-
- key->key_bits = (element->data[0] << 8) + element->data[1];
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
HMAC_Key *hkey = key->opaque;
@@ -108,10 +95,10 @@ static isc_result_t
hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
- if (sig->length > ISC_MD5_DIGESTLENGTH)
+ if (sig->length < ISC_MD5_DIGESTLENGTH)
return (DST_R_VERIFYFAILURE);
- if (isc_hmacmd5_verify2(hmacmd5ctx, sig->base, sig->length))
+ if (isc_hmacmd5_verify(hmacmd5ctx, sig->base))
return (ISC_R_SUCCESS);
else
return (DST_R_VERIFYFAILURE);
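Review bot: The length guard on the new side only rejects signatures shorter than ISC_MD5_DIGESTLENGTH, so an over-long sig region passes and isc_hmacmd5_verify() compares just its first 16 bytes, silently ignoring whatever trails them. Since truncated MACs are no longer accepted on this side, the check can be exact: `if (sig->length != ISC_MD5_DIGESTLENGTH)`. Whether isc_hmacmd5_verify() compares in constant time is not visible here; if it is a plain memcmp, the MAC comparison leaks timing and is worth confirming in the isc library. hmacmd5_verify's closing brace lies outside the hunk.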
@@ -143,9 +130,9 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
unsigned char data[HMAC_LEN];
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > 64) {
+ bytes = 64;
+ key->key_size = 512;
}
memset(data, 0, HMAC_LEN);
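Review bot: The clamp on the new side hard-codes 64 and 512 while the buffer it protects is declared `data[HMAC_LEN]` and cleared with HMAC_LEN two lines later, so the bound is correct only as long as HMAC_LEN happens to equal 64. If the macro ever differs, bytes can exceed the array and the entropy fill that presumably follows (the same dst__entropy_getdata(data, bytes, ...) pattern visible in the sibling HMAC-SHA implementations removed below) would overrun the stack buffer. Tying the clamp to the buffer's own size removes the assumption: `if (bytes > HMAC_LEN) { bytes = HMAC_LEN; key->key_size = HMAC_LEN * 8; }`. hmacmd5_generate's signature and the remainder of its body are outside the hunk.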
@@ -233,7 +220,6 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
HMAC_Key *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
if (key->opaque == NULL)
return (DST_R_NULLKEY);
@@ -244,12 +230,6 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
priv.elements[cnt].length = bytes;
priv.elements[cnt++].data = hkey->key;
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACMD5_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
priv.nelements = cnt;
return (dst__privstruct_writefile(key, &priv, directory));
}
@@ -257,40 +237,21 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
static isc_result_t
hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
dst_private_t priv;
- isc_result_t result, tresult;
+ isc_result_t ret;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
- unsigned int i;
/* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
+ ret = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
- key->key_bits = 0;
- for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACMD5_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacmd5_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACMD5_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
+ isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length);
+ isc_buffer_add(&b, priv.elements[0].length);
+ ret = hmacmd5_fromdns(key, &b);
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
- return (result);
+ return (ret);
}
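Review bot: The new hmacmd5_parse indexes `priv.elements[0]` unconditionally and no longer inspects the element's tag, so its correctness rests entirely on check_hmac_md5() in dst_parse.c having enforced nelements == HMACMD5_NTAGS and elements[0].tag == TAG_HMACMD5_KEY before dst__privstruct_parse() returns success. That cross-file coupling deserves a comment above the isc_buffer_init call, e.g. `/* check_hmac_md5() guarantees exactly one element, tagged TAG_HMACMD5_KEY. */`. Note also that the trailing `memset(&priv, 0, sizeof(priv))` runs after dst__privstruct_free() and only clears the descriptor struct; whether the key bytes themselves are wiped depends on dst__privstruct_free(), which is not visible here.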
static dst_func_t hmacmd5_functions = {
@@ -299,9 +260,9 @@ static dst_func_t hmacmd5_functions = {
hmacmd5_adddata,
hmacmd5_sign,
hmacmd5_verify,
- NULL, /*%< computesecret */
+ NULL, /* computesecret */
hmacmd5_compare,
- NULL, /*%< paramcompare */
+ NULL, /* paramcompare */
hmacmd5_generate,
hmacmd5_isprivate,
hmacmd5_destroy,
@@ -309,7 +270,7 @@ static dst_func_t hmacmd5_functions = {
hmacmd5_fromdns,
hmacmd5_tofile,
hmacmd5_parse,
- NULL, /*%< cleanup */
+ NULL, /* cleanup */
};
isc_result_t
@@ -319,1350 +280,3 @@ dst__hmacmd5_init(dst_func_t **funcp) {
*funcp = &hmacmd5_functions;
return (ISC_R_SUCCESS);
}
-
-static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct {
- unsigned char key[ISC_SHA1_DIGESTLENGTH];
-} HMACSHA1_Key;
-
-static isc_result_t
-hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacsha1_t *hmacsha1ctx;
- HMACSHA1_Key *hkey = key->opaque;
-
- hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
- if (hmacsha1ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
- dctx->opaque = hmacsha1ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha1_destroyctx(dst_context_t *dctx) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
-
- if (hmacsha1ctx != NULL) {
- isc_hmacsha1_invalidate(hmacsha1ctx);
- isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
-
- isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacsha1_sign(hmacsha1ctx, digest, ISC_SHA1_DIGESTLENGTH);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
-
- if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacsha1_verify(hmacsha1ctx, sig->base, sig->length))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA1_Key *hkey1, *hkey2;
-
- hkey1 = (HMACSHA1_Key *)key1->opaque;
- hkey2 = (HMACSHA1_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha1_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_DIGESTLENGTH);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacsha1_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacsha1_destroy(dst_key_t *key) {
- HMACSHA1_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA1_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA1_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMACSHA1_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_sha1_t sha1ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMACSHA1_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA1_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > ISC_SHA1_DIGESTLENGTH) {
- isc_sha1_init(&sha1ctx);
- isc_sha1_update(&sha1ctx, r.base, r.length);
- isc_sha1_final(&sha1ctx, hkey->key);
- keylen = ISC_SHA1_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMACSHA1_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMACSHA1_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACSHA1_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t result, tresult;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
-
- /* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
- &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key->key_bits = 0;
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACSHA1_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacsha1_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACSHA1_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (result);
-}
-
-static dst_func_t hmacsha1_functions = {
- hmacsha1_createctx,
- hmacsha1_destroyctx,
- hmacsha1_adddata,
- hmacsha1_sign,
- hmacsha1_verify,
- NULL, /* computesecret */
- hmacsha1_compare,
- NULL, /* paramcompare */
- hmacsha1_generate,
- hmacsha1_isprivate,
- hmacsha1_destroy,
- hmacsha1_todns,
- hmacsha1_fromdns,
- hmacsha1_tofile,
- hmacsha1_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacsha1_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacsha1_functions;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct {
- unsigned char key[ISC_SHA224_DIGESTLENGTH];
-} HMACSHA224_Key;
-
-static isc_result_t
-hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacsha224_t *hmacsha224ctx;
- HMACSHA224_Key *hkey = key->opaque;
-
- hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
- if (hmacsha224ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
- dctx->opaque = hmacsha224ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha224_destroyctx(dst_context_t *dctx) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
-
- if (hmacsha224ctx != NULL) {
- isc_hmacsha224_invalidate(hmacsha224ctx);
- isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
-
- isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacsha224_sign(hmacsha224ctx, digest, ISC_SHA224_DIGESTLENGTH);
- isc_buffer_add(sig, ISC_SHA224_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
-
- if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacsha224_verify(hmacsha224ctx, sig->base, sig->length))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA224_Key *hkey1, *hkey2;
-
- hkey1 = (HMACSHA224_Key *)key1->opaque;
- hkey2 = (HMACSHA224_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha224_fromdns(key, &b);
- memset(data, 0, ISC_SHA224_DIGESTLENGTH);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacsha224_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacsha224_destroy(dst_key_t *key) {
- HMACSHA224_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA224_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA224_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMACSHA224_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_sha224_t sha224ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMACSHA224_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA224_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > ISC_SHA224_DIGESTLENGTH) {
- isc_sha224_init(&sha224ctx);
- isc_sha224_update(&sha224ctx, r.base, r.length);
- isc_sha224_final(hkey->key, &sha224ctx);
- keylen = ISC_SHA224_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMACSHA224_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMACSHA224_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACSHA224_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t result, tresult;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
-
- /* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
- &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key->key_bits = 0;
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACSHA224_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacsha224_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACSHA224_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (result);
-}
-
-static dst_func_t hmacsha224_functions = {
- hmacsha224_createctx,
- hmacsha224_destroyctx,
- hmacsha224_adddata,
- hmacsha224_sign,
- hmacsha224_verify,
- NULL, /* computesecret */
- hmacsha224_compare,
- NULL, /* paramcompare */
- hmacsha224_generate,
- hmacsha224_isprivate,
- hmacsha224_destroy,
- hmacsha224_todns,
- hmacsha224_fromdns,
- hmacsha224_tofile,
- hmacsha224_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacsha224_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacsha224_functions;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct {
- unsigned char key[ISC_SHA256_DIGESTLENGTH];
-} HMACSHA256_Key;
-
-static isc_result_t
-hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacsha256_t *hmacsha256ctx;
- HMACSHA256_Key *hkey = key->opaque;
-
- hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
- if (hmacsha256ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
- dctx->opaque = hmacsha256ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha256_destroyctx(dst_context_t *dctx) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
-
- if (hmacsha256ctx != NULL) {
- isc_hmacsha256_invalidate(hmacsha256ctx);
- isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
-
- isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacsha256_sign(hmacsha256ctx, digest, ISC_SHA256_DIGESTLENGTH);
- isc_buffer_add(sig, ISC_SHA256_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
-
- if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacsha256_verify(hmacsha256ctx, sig->base, sig->length))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA256_Key *hkey1, *hkey2;
-
- hkey1 = (HMACSHA256_Key *)key1->opaque;
- hkey2 = (HMACSHA256_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha256_fromdns(key, &b);
- memset(data, 0, ISC_SHA256_DIGESTLENGTH);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacsha256_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacsha256_destroy(dst_key_t *key) {
- HMACSHA256_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA256_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA256_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMACSHA256_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_sha256_t sha256ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMACSHA256_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA256_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > ISC_SHA256_DIGESTLENGTH) {
- isc_sha256_init(&sha256ctx);
- isc_sha256_update(&sha256ctx, r.base, r.length);
- isc_sha256_final(hkey->key, &sha256ctx);
- keylen = ISC_SHA256_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMACSHA256_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMACSHA256_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACSHA256_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t result, tresult;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
-
- /* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
- &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key->key_bits = 0;
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACSHA256_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacsha256_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACSHA256_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (result);
-}
-
-static dst_func_t hmacsha256_functions = {
- hmacsha256_createctx,
- hmacsha256_destroyctx,
- hmacsha256_adddata,
- hmacsha256_sign,
- hmacsha256_verify,
- NULL, /* computesecret */
- hmacsha256_compare,
- NULL, /* paramcompare */
- hmacsha256_generate,
- hmacsha256_isprivate,
- hmacsha256_destroy,
- hmacsha256_todns,
- hmacsha256_fromdns,
- hmacsha256_tofile,
- hmacsha256_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacsha256_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacsha256_functions;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct {
- unsigned char key[ISC_SHA384_DIGESTLENGTH];
-} HMACSHA384_Key;
-
-static isc_result_t
-hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacsha384_t *hmacsha384ctx;
- HMACSHA384_Key *hkey = key->opaque;
-
- hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
- if (hmacsha384ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
- dctx->opaque = hmacsha384ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha384_destroyctx(dst_context_t *dctx) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
-
- if (hmacsha384ctx != NULL) {
- isc_hmacsha384_invalidate(hmacsha384ctx);
- isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
-
- isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacsha384_sign(hmacsha384ctx, digest, ISC_SHA384_DIGESTLENGTH);
- isc_buffer_add(sig, ISC_SHA384_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
-
- if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacsha384_verify(hmacsha384ctx, sig->base, sig->length))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA384_Key *hkey1, *hkey2;
-
- hkey1 = (HMACSHA384_Key *)key1->opaque;
- hkey2 = (HMACSHA384_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha384_fromdns(key, &b);
- memset(data, 0, ISC_SHA384_DIGESTLENGTH);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacsha384_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacsha384_destroy(dst_key_t *key) {
- HMACSHA384_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA384_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA384_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMACSHA384_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_sha384_t sha384ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMACSHA384_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA384_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > ISC_SHA384_DIGESTLENGTH) {
- isc_sha384_init(&sha384ctx);
- isc_sha384_update(&sha384ctx, r.base, r.length);
- isc_sha384_final(hkey->key, &sha384ctx);
- keylen = ISC_SHA384_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMACSHA384_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMACSHA384_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACSHA384_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t result, tresult;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
-
- /* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
- &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key->key_bits = 0;
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACSHA384_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacsha384_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACSHA384_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (result);
-}
-
-static dst_func_t hmacsha384_functions = {
- hmacsha384_createctx,
- hmacsha384_destroyctx,
- hmacsha384_adddata,
- hmacsha384_sign,
- hmacsha384_verify,
- NULL, /* computesecret */
- hmacsha384_compare,
- NULL, /* paramcompare */
- hmacsha384_generate,
- hmacsha384_isprivate,
- hmacsha384_destroy,
- hmacsha384_todns,
- hmacsha384_fromdns,
- hmacsha384_tofile,
- hmacsha384_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacsha384_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacsha384_functions;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct {
- unsigned char key[ISC_SHA512_DIGESTLENGTH];
-} HMACSHA512_Key;
-
-static isc_result_t
-hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacsha512_t *hmacsha512ctx;
- HMACSHA512_Key *hkey = key->opaque;
-
- hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
- if (hmacsha512ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
- dctx->opaque = hmacsha512ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha512_destroyctx(dst_context_t *dctx) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
-
- if (hmacsha512ctx != NULL) {
- isc_hmacsha512_invalidate(hmacsha512ctx);
- isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
-
- isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacsha512_sign(hmacsha512ctx, digest, ISC_SHA512_DIGESTLENGTH);
- isc_buffer_add(sig, ISC_SHA512_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
-
- if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacsha512_verify(hmacsha512ctx, sig->base, sig->length))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA512_Key *hkey1, *hkey2;
-
- hkey1 = (HMACSHA512_Key *)key1->opaque;
- hkey2 = (HMACSHA512_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha512_fromdns(key, &b);
- memset(data, 0, ISC_SHA512_DIGESTLENGTH);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacsha512_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacsha512_destroy(dst_key_t *key) {
- HMACSHA512_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA512_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA512_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMACSHA512_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_sha512_t sha512ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMACSHA512_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA512_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > ISC_SHA512_DIGESTLENGTH) {
- isc_sha512_init(&sha512ctx);
- isc_sha512_update(&sha512ctx, r.base, r.length);
- isc_sha512_final(hkey->key, &sha512ctx);
- keylen = ISC_SHA512_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMACSHA512_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
- unsigned char buf[2];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMACSHA512_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- buf[0] = (key->key_bits >> 8) & 0xffU;
- buf[1] = key->key_bits & 0xffU;
- priv.elements[cnt].tag = TAG_HMACSHA512_BITS;
- priv.elements[cnt].data = buf;
- priv.elements[cnt++].length = 2;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t result, tresult;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
-
- /* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
- &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key->key_bits = 0;
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_HMACSHA512_KEY:
- isc_buffer_init(&b, priv.elements[i].data,
- priv.elements[i].length);
- isc_buffer_add(&b, priv.elements[i].length);
- tresult = hmacsha512_fromdns(key, &b);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- case TAG_HMACSHA512_BITS:
- tresult = getkeybits(key, &priv.elements[i]);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- break;
- default:
- result = DST_R_INVALIDPRIVATEKEY;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (result);
-}
-
-static dst_func_t hmacsha512_functions = {
- hmacsha512_createctx,
- hmacsha512_destroyctx,
- hmacsha512_adddata,
- hmacsha512_sign,
- hmacsha512_verify,
- NULL, /* computesecret */
- hmacsha512_compare,
- NULL, /* paramcompare */
- hmacsha512_generate,
- hmacsha512_isprivate,
- hmacsha512_destroy,
- hmacsha512_todns,
- hmacsha512_fromdns,
- hmacsha512_tofile,
- hmacsha512_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacsha512_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacsha512_functions;
- return (ISC_R_SUCCESS);
-}
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/include/dst/Makefile.in b/usr.sbin/bind/lib/dns/include/dst/Makefile.in
index f1f02466f7a..f7fd53dd72d 100644
--- a/usr.sbin/bind/lib/dns/include/dst/Makefile.in
+++ b/usr.sbin/bind/lib/dns/include/dst/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $ISC: Makefile.in,v 1.1.6.1 2004/12/09 04:41:47 marka Exp $
+# $ISC: Makefile.in,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/usr.sbin/bind/lib/dns/include/dst/dst.h b/usr.sbin/bind/lib/dns/include/dst/dst.h
index f0834e3c648..06c5518c043 100644
--- a/usr.sbin/bind/lib/dns/include/dst/dst.h
+++ b/usr.sbin/bind/lib/dns/include/dst/dst.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dst.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $ISC: dst.h,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
-/*! \file */
-
#include <isc/lang.h>
#include <dns/types.h>
@@ -32,7 +30,7 @@ ISC_LANG_BEGINDECLS
*** Types
***/
-/*%
+/*
* The dst_key structure is opaque. Applications should use the accessor
* functions provided to retrieve key attributes. If an application needs
* to set attributes, new accessor functions will be written.
@@ -44,32 +42,27 @@ typedef struct dst_context dst_context_t;
/* DST algorithm codes */
#define DST_ALG_UNKNOWN 0
#define DST_ALG_RSAMD5 1
-#define DST_ALG_RSA DST_ALG_RSAMD5 /*%< backwards compatibility */
+#define DST_ALG_RSA DST_ALG_RSAMD5 /* backwards compatibility */
#define DST_ALG_DH 2
#define DST_ALG_DSA 3
#define DST_ALG_ECC 4
#define DST_ALG_RSASHA1 5
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
-#define DST_ALG_HMACSHA1 161 /* XXXMPA */
-#define DST_ALG_HMACSHA224 162 /* XXXMPA */
-#define DST_ALG_HMACSHA256 163 /* XXXMPA */
-#define DST_ALG_HMACSHA384 164 /* XXXMPA */
-#define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255
#define DST_MAX_ALGS 255
-/*% A buffer of this size is large enough to hold any key */
+/* A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280
-/*%
+/*
* A buffer of this size is large enough to hold the textual representation
* of any key
*/
#define DST_KEY_MAXTEXTSIZE 2048
-/*% 'Type' for dst_read_key() */
+/* 'Type' for dst_read_key() */
#define DST_TYPE_KEY 0x1000000 /* KEY key */
#define DST_TYPE_PRIVATE 0x2000000
#define DST_TYPE_PUBLIC 0x4000000
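Review bot: The algorithm-code table on the new side no longer distinguishes registry-assigned numbers from BIND-private ones, because the `/* XXXMPA */` markers that flagged the provisional SHA-based codes disappear together with those lines. A one-line comment above the table would preserve that distinction for readers of the new header: `/* DST algorithm codes: 1-5 are DNSSEC registry values; 157 and 160 are BIND-private (not IANA-assigned) */`. As far as I can tell 157 (HMAC-MD5) and 160 (GSSAPI) are private-use values rather than registry assignments, so confirm that against the IANA DNSSEC algorithm registry before settling the wording.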
@@ -80,262 +73,239 @@ typedef struct dst_context dst_context_t;
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
-/*%<
+/*
* Initializes the DST subsystem.
*
* Requires:
- * \li "mctx" is a valid memory context
- * \li "ectx" is a valid entropy context
+ * "mctx" is a valid memory context
+ * "ectx" is a valid entropy context
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOMEMORY
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
*
* Ensures:
- * \li DST is properly initialized.
+ * DST is properly initialized.
*/
void
dst_lib_destroy(void);
-/*%<
+/*
* Releases all resources allocated by DST.
*/
isc_boolean_t
dst_algorithm_supported(unsigned int alg);
-/*%<
+/*
* Checks that a given algorithm is supported by DST.
*
* Returns:
- * \li ISC_TRUE
- * \li ISC_FALSE
+ * ISC_TRUE
+ * ISC_FALSE
*/
isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
-/*%<
+/*
* Creates a context to be used for a sign or verify operation.
*
* Requires:
- * \li "key" is a valid key.
- * \li "mctx" is a valid memory context.
- * \li dctxp != NULL && *dctxp == NULL
+ * "key" is a valid key.
+ * "mctx" is a valid memory context.
+ * dctxp != NULL && *dctxp == NULL
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOMEMORY
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
*
* Ensures:
- * \li *dctxp will contain a usable context.
+ * *dctxp will contain a usable context.
*/
void
dst_context_destroy(dst_context_t **dctxp);
-/*%<
+/*
* Destroys all memory associated with a context.
*
* Requires:
- * \li *dctxp != NULL && *dctxp == NULL
+ * *dctxp != NULL && *dctxp == NULL
*
* Ensures:
- * \li *dctxp == NULL
+ * *dctxp == NULL
*/
isc_result_t
dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
-/*%<
+/*
* Incrementally adds data to the context to be used in a sign or verify
* operation.
*
* Requires:
- * \li "dctx" is a valid context
- * \li "data" is a valid region
+ * "dctx" is a valid context
+ * "data" is a valid region
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li DST_R_SIGNFAILURE
- * \li all other errors indicate failure
+ * ISC_R_SUCCESS
+ * DST_R_SIGNFAILURE
+ * all other errors indicate failure
*/
isc_result_t
dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
-/*%<
+/*
* Computes a signature using the data and key stored in the context.
*
* Requires:
- * \li "dctx" is a valid context.
- * \li "sig" is a valid buffer.
+ * "dctx" is a valid context.
+ * "sig" is a valid buffer.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li DST_R_VERIFYFAILURE
- * \li all other errors indicate failure
+ * ISC_R_SUCCESS
+ * DST_R_VERIFYFAILURE
+ * all other errors indicate failure
*
* Ensures:
- * \li "sig" will contain the signature
+ * "sig" will contain the signature
*/
isc_result_t
dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
-/*%<
+/*
* Verifies the signature using the data and key stored in the context.
*
* Requires:
- * \li "dctx" is a valid context.
- * \li "sig" is a valid region.
+ * "dctx" is a valid context.
+ * "sig" is a valid region.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li all other errors indicate failure
+ * ISC_R_SUCCESS
+ * all other errors indicate failure
*
* Ensures:
- * \li "sig" will contain the signature
+ * "sig" will contain the signature
*/
isc_result_t
dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
isc_buffer_t *secret);
-/*%<
+/*
* Computes a shared secret from two (Diffie-Hellman) keys.
*
* Requires:
- * \li "pub" is a valid key that can be used to derive a shared secret
- * \li "priv" is a valid private key that can be used to derive a shared secret
- * \li "secret" is a valid buffer
+ * "pub" is a valid key that can be used to derive a shared secret
+ * "priv" is a valid private key that can be used to derive a shared secret
+ * "secret" is a valid buffer
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- * \li If successful, secret will contain the derived shared secret.
+ * If successful, secret will contain the derived shared secret.
*/
isc_result_t
dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
+/*
* Reads a key from permanent storage. The key can either be a public or
* private key, and is specified by name, algorithm, and id. If a private key
* is specified, the public key must also be present. If directory is NULL,
* the current directory is assumed.
*
* Requires:
- * \li "name" is a valid absolute dns name.
- * \li "id" is a valid key tag identifier.
- * \li "alg" is a supported key algorithm.
- * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ * "name" is a valid absolute dns name.
+ * "id" is a valid key tag identifier.
+ * "alg" is a supported key algorithm.
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
* DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li "mctx" is a valid memory context.
- * \li "keyp" is not NULL and "*keyp" is NULL.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- * \li If successful, *keyp will contain a valid key.
+ * If successful, *keyp will contain a valid key.
*/
isc_result_t
dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
dst_key_t **keyp);
-/*%<
+/*
* Reads a key from permanent storage. The key can either be a public or
* key, and is specified by filename. If a private key is specified, the
* public key must also be present.
*
* Requires:
- * \li "filename" is not NULL
- * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ * "filename" is not NULL
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
* DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li "mctx" is a valid memory context
- * \li "keyp" is not NULL and "*keyp" is NULL.
+ * "mctx" is a valid memory context
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- * \li If successful, *keyp will contain a valid key.
- */
-
-
-isc_result_t
-dst_key_read_public(const char *filename, int type,
- isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Reads a public key from permanent storage. The key must be a public key.
- *
- * Requires:
- * \li "filename" is not NULL
- * \li "type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li "mctx" is a valid memory context
- * \li "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * \li ISC_R_SUCCESS
- * \li DST_R_BADKEYTYPE if the key type is not the expected one
- * \li ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
- * \li any other result indicates failure
- *
- * Ensures:
- * \li If successful, *keyp will contain a valid key.
+ * If successful, *keyp will contain a valid key.
*/
isc_result_t
dst_key_tofile(const dst_key_t *key, int type, const char *directory);
-/*%<
+/*
* Writes a key to permanent storage. The key can either be a public or
* private key. Public keys are written in DNS format and private keys
* are written as a set of base64 encoded values. If directory is NULL,
* the current directory is assumed.
*
* Requires:
- * \li "key" is a valid key.
- * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ * "key" is a valid key.
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*/
isc_result_t
dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
+/*
* Converts a DNS KEY record into a DST key.
*
* Requires:
- * \li "name" is a valid absolute dns name.
- * \li "source" is a valid buffer. There must be at least 4 bytes available.
- * \li "mctx" is a valid memory context.
- * \li "keyp" is not NULL and "*keyp" is NULL.
+ * "name" is a valid absolute dns name.
+ * "source" is a valid buffer. There must be at least 4 bytes available.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- * \li If successful, *keyp will contain a valid key, and the consumed
+ * If successful, *keyp will contain a valid key, and the consumed
* pointer in data will be advanced.
*/
isc_result_t
dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
-/*%<
+/*
* Converts a DST key into a DNS KEY record.
*
* Requires:
- * \li "key" is a valid key.
- * \li "target" is a valid buffer. There must be at least 4 bytes unused.
+ * "key" is a valid key.
+ * "target" is a valid buffer. There must be at least 4 bytes unused.
*
* Returns:
- * \li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- * \li If successful, the used pointer in 'target' is advanced by at least 4.
+ * If successful, the used pointer in 'target' is advanced by at least 4.
*/
isc_result_t
@@ -343,80 +313,80 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
unsigned int flags, unsigned int protocol,
dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
+/*
* Converts a buffer containing DNS KEY RDATA into a DST key.
*
* Requires:
- *\li "name" is a valid absolute dns name.
- *\li "alg" is a supported key algorithm.
- *\li "source" is a valid buffer.
- *\li "mctx" is a valid memory context.
- *\li "keyp" is not NULL and "*keyp" is NULL.
+ * "name" is a valid absolute dns name.
+ * "alg" is a supported key algorithm.
+ * "source" is a valid buffer.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- *\li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- *\li If successful, *keyp will contain a valid key, and the consumed
+ * If successful, *keyp will contain a valid key, and the consumed
* pointer in source will be advanced.
*/
isc_result_t
dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
-/*%<
+/*
* Converts a DST key into DNS KEY RDATA format.
*
* Requires:
- *\li "key" is a valid key.
- *\li "target" is a valid buffer.
+ * "key" is a valid key.
+ * "target" is a valid buffer.
*
* Returns:
- *\li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- *\li If successful, the used pointer in 'target' is advanced.
+ * If successful, the used pointer in 'target' is advanced.
*/
isc_result_t
dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
-/*%<
+/*
* Converts a public key into a private key, reading the private key
* information from the buffer. The buffer should contain the same data
* as the .private key file would.
*
* Requires:
- *\li "key" is a valid public key.
- *\li "buffer" is not NULL.
+ * "key" is a valid public key.
+ * "buffer" is not NULL.
*
* Returns:
- *\li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- *\li If successful, key will contain a valid private key.
+ * If successful, key will contain a valid private key.
*/
isc_result_t
dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
dst_key_t **keyp);
-/*%<
+/*
* Converts a GSSAPI opaque context id into a DST key.
*
* Requires:
- *\li "name" is a valid absolute dns name.
- *\li "opaque" is a GSSAPI context id.
- *\li "mctx" is a valid memory context.
- *\li "keyp" is not NULL and "*keyp" is NULL.
+ * "name" is a valid absolute dns name.
+ * "opaque" is a GSSAPI context id.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- *\li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- *\li If successful, *keyp will contain a valid key and be responsible for
+ * If successful, *keyp will contain a valid key and be responsible for
* the context id.
*/
@@ -426,10 +396,9 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
unsigned int flags, unsigned int protocol,
dns_rdataclass_t rdclass,
isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
+/*
* Generate a DST key (or keypair) with the supplied parameters. The
* interpretation of the "param" field depends on the algorithm:
- * \code
* RSA: exponent
* 0 use exponent 3
* !0 use Fermat4 (2^16 + 1)
@@ -441,67 +410,66 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
* HMACMD5: entropy
* 0 default - require good entropy
* !0 lack of good entropy is ok
- *\endcode
*
* Requires:
- *\li "name" is a valid absolute dns name.
- *\li "keyp" is not NULL and "*keyp" is NULL.
+ * "name" is a valid absolute dns name.
+ * "keyp" is not NULL and "*keyp" is NULL.
*
* Returns:
- *\li ISC_R_SUCCESS
- * \li any other result indicates failure
+ * ISC_R_SUCCESS
+ * any other result indicates failure
*
* Ensures:
- *\li If successful, *keyp will contain a valid key.
+ * If successful, *keyp will contain a valid key.
*/
isc_boolean_t
dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
-/*%<
+/*
* Compares two DST keys.
*
* Requires:
- *\li "key1" is a valid key.
- *\li "key2" is a valid key.
+ * "key1" is a valid key.
+ * "key2" is a valid key.
*
* Returns:
- *\li ISC_TRUE
- * \li ISC_FALSE
+ * ISC_TRUE
+ * ISC_FALSE
*/
isc_boolean_t
dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
-/*%<
+/*
* Compares the parameters of two DST keys. This is used to determine if
* two (Diffie-Hellman) keys can be used to derive a shared secret.
*
* Requires:
- *\li "key1" is a valid key.
- *\li "key2" is a valid key.
+ * "key1" is a valid key.
+ * "key2" is a valid key.
*
* Returns:
- *\li ISC_TRUE
- * \li ISC_FALSE
+ * ISC_TRUE
+ * ISC_FALSE
*/
void
dst_key_free(dst_key_t **keyp);
-/*%<
+/*
* Release all memory associated with the key.
*
* Requires:
- *\li "keyp" is not NULL and "*keyp" is a valid key.
+ * "keyp" is not NULL and "*keyp" is a valid key.
*
* Ensures:
- *\li All memory associated with "*keyp" will be freed.
- *\li *keyp == NULL
+ * All memory associated with "*keyp" will be freed.
+ * *keyp == NULL
*/
-/*%<
+/*
* Accessor functions to obtain key fields.
*
* Require:
- *\li "key" is a valid key.
+ * "key" is a valid key.
*/
dns_name_t *
dst_key_name(const dst_key_t *key);
@@ -536,83 +504,65 @@ dst_key_isnullkey(const dst_key_t *key);
isc_result_t
dst_key_buildfilename(const dst_key_t *key, int type,
const char *directory, isc_buffer_t *out);
-/*%<
+/*
* Generates the filename used by dst to store the specified key.
* If directory is NULL, the current directory is assumed.
*
* Requires:
- *\li "key" is a valid key
- *\li "type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
- *\li "out" is a valid buffer
+ * "key" is a valid key
+ * "type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
+ * "out" is a valid buffer
*
* Ensures:
- *\li the file name will be written to "out", and the used pointer will
+ * the file name will be written to "out", and the used pointer will
* be advanced.
*/
isc_result_t
dst_key_sigsize(const dst_key_t *key, unsigned int *n);
-/*%<
+/*
* Computes the size of a signature generated by the given key.
*
* Requires:
- *\li "key" is a valid key.
- *\li "n" is not NULL
+ * "key" is a valid key.
+ * "n" is not NULL
*
* Returns:
- *\li #ISC_R_SUCCESS
- *\li DST_R_UNSUPPORTEDALG
+ * ISC_R_SUCCESS
+ * DST_R_UNSUPPORTEDALG
*
* Ensures:
- *\li "n" stores the size of a generated signature
+ * "n" stores the size of a generated signature
*/
isc_result_t
dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*%<
+/*
* Computes the size of a shared secret generated by the given key.
*
* Requires:
- *\li "key" is a valid key.
- *\li "n" is not NULL
+ * "key" is a valid key.
+ * "n" is not NULL
*
* Returns:
- *\li #ISC_R_SUCCESS
- *\li DST_R_UNSUPPORTEDALG
+ * ISC_R_SUCCESS
+ * DST_R_UNSUPPORTEDALG
*
* Ensures:
- *\li "n" stores the size of a generated shared secret
+ * "n" stores the size of a generated shared secret
*/
isc_uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg);
-/*%<
+/*
* Computes the key id of the key stored in the provided region with the
* given algorithm.
*
* Requires:
- *\li "source" contains a valid, non-NULL region.
+ * "source" contains a valid, non-NULL region.
*
* Returns:
- *\li the key id
- */
-
-isc_uint16_t
-dst_key_getbits(const dst_key_t *key);
-/*
- * Get the number of digest bits required (0 == MAX).
- *
- * Requires:
- * "key" is a valid key.
- */
-
-void
-dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
-/*
- * Set the number of digest bits required (0 == MAX).
- *
- * Requires:
- * "key" is a valid key.
+ * the key id
*/
ISC_LANG_ENDDECLS
diff --git a/usr.sbin/bind/lib/dns/include/dst/gssapi.h b/usr.sbin/bind/lib/dns/include/dst/gssapi.h
index 1e7d1049b8e..0ef4268d6bd 100644
--- a/usr.sbin/bind/lib/dns/include/dst/gssapi.h
+++ b/usr.sbin/bind/lib/dns/include/dst/gssapi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: gssapi.h,v 1.1.6.3 2005/04/29 00:16:28 marka Exp $ */
+/* $ISC: gssapi.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
#ifndef DST_GSSAPI_H
#define DST_GSSAPI_H 1
-/*! \file */
-
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/usr.sbin/bind/lib/dns/include/dst/lib.h b/usr.sbin/bind/lib/dns/include/dst/lib.h
index 01d64ab8414..b4113a49ac1 100644
--- a/usr.sbin/bind/lib/dns/include/dst/lib.h
+++ b/usr.sbin/bind/lib/dns/include/dst/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: lib.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $ISC: lib.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
#ifndef DST_LIB_H
#define DST_LIB_H 1
-/*! \file */
-
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/usr.sbin/bind/lib/dns/include/dst/result.h b/usr.sbin/bind/lib/dns/include/dst/result.h
index 1a7fb9f4723..cabd7c233dd 100644
--- a/usr.sbin/bind/lib/dns/include/dst/result.h
+++ b/usr.sbin/bind/lib/dns/include/dst/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: result.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $ISC: result.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
#ifndef DST_RESULT_H
#define DST_RESULT_H 1
-/*! \file */
-
#include <isc/lang.h>
#include <isc/resultclass.h>
diff --git a/usr.sbin/bind/lib/dns/key.c b/usr.sbin/bind/lib/dns/key.c
index 02a2eb01747..22599b40bb4 100644
--- a/usr.sbin/bind/lib/dns/key.c
+++ b/usr.sbin/bind/lib/dns/key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,10 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: key.c,v 1.1.6.6 2006/01/27 23:57:44 marka Exp $ */
+/* $ISC: key.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $ */
#include <config.h>
-#include <stddef.h>
#include <stdlib.h>
#include <isc/region.h>
@@ -125,23 +124,3 @@ dst_key_isnullkey(const dst_key_t *key) {
return (ISC_FALSE);
return (ISC_TRUE);
}
-
-void
-dst_key_setbits(dst_key_t *key, isc_uint16_t bits) {
- unsigned int maxbits;
- REQUIRE(VALID_KEY(key));
- if (bits != 0) {
- RUNTIME_CHECK(dst_key_sigsize(key, &maxbits) == ISC_R_SUCCESS);
- maxbits *= 8;
- REQUIRE(bits <= maxbits);
- }
- key->key_bits = bits;
-}
-
-isc_uint16_t
-dst_key_getbits(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_bits);
-}
-
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/openssl_link.c b/usr.sbin/bind/lib/dns/openssl_link.c
index 1bdecdc4f67..585e8646656 100644
--- a/usr.sbin/bind/lib/dns/openssl_link.c
+++ b/usr.sbin/bind/lib/dns/openssl_link.c
@@ -1,9 +1,9 @@
/*
- * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
- * Permission to use, copy, modify, and/or distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -18,7 +18,7 @@
/*
* Principal Author: Brian Wellington
- * $ISC: openssl_link.c,v 1.1.6.12 2007/08/28 07:20:04 tbox Exp $
+ * $ISC: openssl_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
*/
#ifdef OPENSSL
@@ -37,11 +37,9 @@
#include <openssl/err.h>
#include <openssl/rand.h>
-#include <openssl/evp.h>
-#include <openssl/conf.h>
#include <openssl/crypto.h>
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
#define USE_ENGINE 1
#endif
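Review bot: The `USE_ENGINE` guard now enables the ENGINE-backed RNG only on OpenSSL releases older than 0.9.7, and nothing beside it says why that boundary was chosen. It appears to be coupled to the `dst__openssl_init` hunk that changes `RAND_set_rand_method(rm)` to `RAND_set_rand_method(e)`: passing an `ENGINE *` there only matches the pre-0.9.7 engine API, so the two lines must move together if either version test is ever edited. Suggest a comment on the guard such as `/* Pre-0.9.7 engine API only: RAND_set_rand_method() takes an ENGINE *, see dst__openssl_init(). */`.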
@@ -134,11 +132,6 @@ isc_result_t
dst__openssl_init() {
isc_result_t result;
-#ifdef DNS_CRYPTO_LEAKS
- CRYPTO_malloc_debug_init();
- CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-#endif
CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
nlocks = CRYPTO_num_locks();
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
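Review bot: The return value of `CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free)` is still discarded; OpenSSL refuses to switch allocators once it has already allocated anything and reports that with a zero return, so if other code in the process initialised OpenSSL first, the library silently keeps its own allocator while dst assumes its accounting hooks are in place. Checking the return and at least logging the failure would make that mixed-allocator situation visible, e.g. `if (CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free) == 0) { /* allocator already in use; proceed without dst accounting */ }`. The rest of `dst__openssl_init`, including any NULL check on the `locks` allocation, lies outside this hunk.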
@@ -167,7 +160,7 @@ dst__openssl_init() {
goto cleanup_rm;
}
ENGINE_set_RAND(e, rm);
- RAND_set_rand_method(rm);
+ RAND_set_rand_method(e);
#else
RAND_set_rand_method(rm);
#endif
@@ -178,7 +171,6 @@ dst__openssl_init() {
mem_free(rm);
#endif
cleanup_mutexinit:
- CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
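Review bot: The `cleanup_mutexinit` path now destroys and frees the mutex block without first detaching it from OpenSSL; if the locking callback was registered earlier in `dst__openssl_init` (outside this hunk), OpenSSL still holds a callback that indexes into `locks` after `DESTROYMUTEXBLOCK` and `mem_free`, so any later locked OpenSSL call would touch freed memory. The same ordering appears in the `dst__openssl_destroy` hunk where `locks` is released. Keep `CRYPTO_set_locking_callback(NULL);` immediately before `DESTROYMUTEXBLOCK(locks, nlocks);` in both places.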
@@ -187,33 +179,6 @@ dst__openssl_init() {
void
dst__openssl_destroy() {
-
- /*
- * Sequence taken from apps_shutdown() in <apps/apps.h>.
- */
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- CONF_modules_unload(1);
-#endif
- EVP_cleanup();
-#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
- ENGINE_cleanup();
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- CRYPTO_cleanup_all_ex_data();
-#endif
- ERR_clear_error();
- ERR_free_strings();
- ERR_remove_state(0);
-
-#ifdef DNS_CRYPTO_LEAKS
- CRYPTO_mem_leaks_fp(stderr);
-#endif
-
-#if 0
- /*
- * The old error sequence that leaked. Remove for 9.4.1 if
- * there are no issues by then.
- */
ERR_clear_error();
#ifdef USE_ENGINE
if (e != NULL) {
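Review bot: `dst__openssl_destroy` now only calls `ERR_clear_error()`, which empties the queue but frees nothing; the per-thread error state and any error-string tables loaded elsewhere in dst (not visible here) are never released, so a process that initialises and tears down dst repeatedly, or runs under a leak checker, will see OpenSSL allocations outliving the library. If that is intentional it should be stated, otherwise `ERR_remove_state(0);` at the end of teardown is the minimum. The function continues into the next hunk.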
@@ -221,18 +186,12 @@ dst__openssl_destroy() {
e = NULL;
}
#endif
-#endif
- if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
-#endif
- mem_free(rm);
- }
if (locks != NULL) {
- CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
mem_free(locks);
}
+ if (rm != NULL)
+ mem_free(rm);
}
isc_result_t
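Review bot: `mem_free(rm)` at the end of `dst__openssl_destroy` releases the `RAND_METHOD` that the non-engine path of `dst__openssl_init` installed with `RAND_set_rand_method(rm)`, without first restoring OpenSSL's default method, so on that build any `RAND_*` call after teardown would dereference freed memory. Neither `locks` nor `rm` is reset after being freed, so a second call to `dst__openssl_destroy` double-frees both. Suggest restoring the default RAND method before the free (the removed code did this with `RAND_cleanup()` on 0.9.7 and later) and adding `locks = NULL;` and `rm = NULL;` after the respective `mem_free` calls.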
@@ -258,4 +217,3 @@ dst__openssl_toresult(isc_result_t fallback) {
EMPTY_TRANSLATION_UNIT
#endif /* OPENSSL */
-/*! \file */
diff --git a/usr.sbin/bind/lib/dns/opensslrsa_link.c b/usr.sbin/bind/lib/dns/opensslrsa_link.c
index d19bd64e0a9..55c1be871eb 100644
--- a/usr.sbin/bind/lib/dns/opensslrsa_link.c
+++ b/usr.sbin/bind/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
- * $ISC: opensslrsa_link.c,v 1.1.6.11 2006/11/07 21:28:49 marka Exp $
+ * $ISC: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
*/
#ifdef OPENSSL
@@ -39,22 +39,6 @@
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-#include <openssl/bn.h>
-#endif
-
-/*
- * We don't use configure for windows so enforce the OpenSSL version
- * here. Unlike with configure we don't support overriding this test.
- */
-#ifdef WIN32
-#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
- OPENSSL_VERSION_NUMBER < 0x00908000L) || \
- OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
-#endif
-#endif
-
/*
* XXXMPA Temporarially disable RSA_BLINDING as it requires
@@ -84,12 +68,6 @@
(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
(rsa)->flags &= ~RSA_FLAG_BLINDING; \
} while (0)
-#elif defined(RSA_FLAG_NO_BLINDING)
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- (rsa)->flags |= RSA_FLAG_NO_BLINDING; \
- } while (0)
#else
#define SET_FLAGS(rsa) \
do { \
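Review bot: With the `RSA_FLAG_NO_BLINDING` variant of `SET_FLAGS` gone, whether blinding is actually off now depends on the `#if` condition above the hunk and the remaining `#else` body, neither of which is visible here; on OpenSSL releases that introduced `RSA_FLAG_NO_BLINDING`, blinding is on by default and clearing `RSA_FLAG_BLINDING` alone does not disable it, so the two remaining branches may no longer agree. Blinding is the countermeasure against timing side channels on private-key operations, and the `XXXMPA` comment calls the disable temporary; it should state what currently requires it and under which condition it can be re-enabled, e.g. `/* Blinding disabled because <reason>; re-enable once <condition>. */`.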
@@ -109,16 +87,12 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_md5_t *md5ctx;
md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
- if (md5ctx == NULL)
- return (ISC_R_NOMEMORY);
isc_md5_init(md5ctx);
dctx->opaque = md5ctx;
} else {
isc_sha1_t *sha1ctx;
sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- if (sha1ctx == NULL)
- return (ISC_R_NOMEMORY);
isc_sha1_init(sha1ctx);
dctx->opaque = sha1ctx;
}
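Review bot: `isc_md5_init(md5ctx)` and `isc_sha1_init(sha1ctx)` now run on the result of `isc_mem_get` without a NULL check; unless this memory context is configured to abort on allocation failure (not visible here), an out-of-memory condition becomes a NULL dereference instead of the `ISC_R_NOMEMORY` a caller can handle. Keep `if (md5ctx == NULL) return (ISC_R_NOMEMORY);` after the first `isc_mem_get` and the matching `if (sha1ctx == NULL) return (ISC_R_NOMEMORY);` after the second. `opensslrsa_createctx` starts before this hunk.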
@@ -286,55 +260,20 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
- BN_GENCB cb;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
-
- if (rsa == NULL || e == NULL)
- goto err;
-
- if (exp == 0) {
- /* RSA_F4 0x10001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 16);
- } else {
- /* F5 0x100000001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 32);
- }
-
- BN_GENCB_set_old(&cb, NULL, NULL);
-
- if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
- BN_free(e);
- SET_FLAGS(rsa);
- key->opaque = rsa;
- return (ISC_R_SUCCESS);
- }
-
-err:
- if (e != NULL)
- BN_free(e);
- if (rsa != NULL)
- RSA_free(rsa);
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-#else
RSA *rsa;
unsigned long e;
if (exp == 0)
- e = RSA_F4;
+ e = RSA_3;
else
- e = 0x40000003;
+ e = RSA_F4;
rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
if (rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
SET_FLAGS(rsa);
key->opaque = rsa;
return (ISC_R_SUCCESS);
-#endif
}
static isc_boolean_t
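Review bot: `opensslrsa_generate` now defaults to `RSA_3` as the public exponent when `exp == 0`, which matches the `dst_key_generate` header comment but is the weaker choice: e = 3 keys are the case in which verifiers that do not strictly check PKCS#1 v1.5 padding can be made to accept forged signatures, and exponent 3 buys no meaningful speed over `RSA_F4` for DNS-sized keys. If the default must stay at 3 for compatibility, a comment saying so and pointing callers at a non-zero `exp` for F4 would help, e.g. `/* exp == 0 keeps the historical e = 3 default; pass exp != 0 for F4 (2^16 + 1). */`; otherwise consider making `RSA_F4` the default and updating the header comment to match.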
@@ -367,7 +306,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
e_bytes = BN_num_bytes(rsa->e);
mod_bytes = BN_num_bytes(rsa->n);
- if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
+ if (e_bytes < 256) { /* key exponent is <= 2040 bits */
if (r.length < 1)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
@@ -403,7 +342,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
rsa = RSA_new();
if (rsa == NULL)
- return (dst__openssl_toresult(ISC_R_NOMEMORY));
+ return (ISC_R_NOMEMORY);
SET_FLAGS(rsa);
if (r.length < 1) {
@@ -598,9 +537,9 @@ static dst_func_t opensslrsa_functions = {
opensslrsa_adddata,
opensslrsa_sign,
opensslrsa_verify,
- NULL, /*%< computesecret */
+ NULL, /* computesecret */
opensslrsa_compare,
- NULL, /*%< paramcompare */
+ NULL, /* paramcompare */
opensslrsa_generate,
opensslrsa_isprivate,
opensslrsa_destroy,
@@ -608,7 +547,7 @@ static dst_func_t opensslrsa_functions = {
opensslrsa_fromdns,
opensslrsa_tofile,
opensslrsa_parse,
- NULL, /*%< cleanup */
+ NULL, /* cleanup */
};
isc_result_t
@@ -626,4 +565,3 @@ dst__opensslrsa_init(dst_func_t **funcp) {
EMPTY_TRANSLATION_UNIT
#endif /* OPENSSL */
-/*! \file */